Finally, as of 19 June 2025, the UK's data reform Bill received Royal Assent and the long awaited Data (Use and Access) Act (the Act) has come into being.
When will all of the changes come into force?
While a handful of provisions came into force on Royal Assent (19 June 2025), such as the need for SAR searches to be reasonable and proportionate (which is in fact backdated to 1 January 2024), and some will come into force shortly thereafter (19 August 2025), such as changes to the ICO's ability to send notices and request documentation, the majority of the Act will be brought into force by secondary legislation being laid before Parliament.
It is worth reading section 142 to see exactly what is in force, and when.
According to the ICO's recent announcement, the provisions will be brought in over 2, 6 or 12 months, although their guess is as good as any.
What is not changing?
With all the different proposals floating around in three previous Bills, some may be confused by what is in and what is out. Before we explain what is in, it is worth noting the following:
- DPOs, ROPAs, DPIAs and UK representatives are here to stay;
- there is no change to the definition of "personal data" (meaning major aspects of the UK GDPR remain aligned with the EU GDPR in this regard); and
- the proposal to change the threshold allowing data controllers to refuse to respond to "vexatious or excessive" data rights requests has gone.
What is going to change?
Automated decision making (ADM) (Section 80)
What is the change?
- This is probably the biggest change in the Act. In essence, in the UK, unless special category data is involved, ADM will now move from a regime based on prohibition with exceptions (i.e. currently only limited lawful bases can be relied upon for ADM) to one based on permission but with safeguards (i.e. broadly all and any lawful bases can be used for ADM). Further, the safeguards are those we are all used to, i.e. transparency, explainability and contestability.
- As a general further point, the Act also arguably relaxes the definition of what is solely automated and possibly brings a few decisions previously thought of as ADM out of scope.
How will this impact your organisation?
- We suspect this change will be welcomed by a number of organisations, particularly those currently using ADM in scenarios where decisions are likely to have a significant or legal effect, such as recruitment.
- The change will mean that certain decisions (particularly those that don't involve the processing of special category data) may no longer be subject to the more severe restrictions on automated decision-making.
- Organisations will still need to ensure the appropriate safeguards are in place for significant decisions, such as: the right to human intervention, the ability to contest the decision, transparency about the logic and criteria used etc.
- We nevertheless consider that this change could be a significant game changer for use of AI decision making tools in the UK (making it easier and possibly therefore more widespread).
- However, given the regulatory attention and guidance on AI decision making (especially currently in the recruitment space), it will be interesting to see how this develops and whether this change will even come into effect.
- The ICO has announced that it will be reviewing its Automated Decision Making (ADM) and Profiling Guidance, in light of these changes, with a public consultation expected later this year and the final guidance due for publication in Winter 2025/2026.
- As these provisions are a departure from the EU position, they may attract attention from privacy campaigners who will likely view this as a lower standard of protection than under the GDPR; it will be interesting to see what impact this will have on the UK's adequacy, which is currently under consideration by the EU Commission.
Data rights (Sections 75 – 79 and 103)
What is the change?
- The Act gives legislative footing to certain elements of current ICO guidance in regards to responding to subject access requests (SARs), e.g. it is clear the 'clock is stopped' when a controller needs, and asks for, clarity on the scope of a SAR and that any search only has to be "reasonable and proportionate" (which is a relatively pragmatic approach in comparison to the EDPB's position in its Rights of Access guidance).
- A new privacy right has also been introduced - the "right to complain" to controllers regarding general UK GDPR compliance. Further, the right for data subjects to complain directly to the ICO has been restricted which means in practice more complaints will need to be filtered through the controller before they are escalated to the ICO.
- Where a controller receives a complaint, it must acknowledge the complaint within 30 days (unlike the usual SAR calendar month) and respond to it "without undue delay", setting out the action taken.
How will this impact your organisation?
- Practically, we think changes to the existing SAR regime are unlikely to significantly change the way that controllers approach SARs from a UK perspective since the Act essentially just codifies the position already taken in the ICO guidance.
- However, we do consider that the right to complain will require some further thinking from organisations. The change effectively attempts to shift the burden of dealing with complaints from the ICO to controllers in the first instance so processes will need to be put in place to effectively deal with these complaints within the specified time frames.
- Updates to organisations' privacy notices will also be required to reflect this change.
Data transfers (Section 85 and Schedule 7)
What is the change?
- Ex-UK data transfers will be brought into a more "common law" model and rather than both exporters and the UK Government having to address if an importer country has "adequate" data laws, the new test will be whether the standards of protection will be "materially lower" than those applicable in the UK.
How will this impact your organisation?
- This should make it easier for both data exporters and the UK Government to decide if transfers are valid or not.
- However, as above, questions are being raised about how this might impact the UK's adequacy but as discussions between the EU Commission and the UK Government have been ongoing for a number of years, the UK Government is confident this will not be an issue.
Digital verification services (DVS) (Part 2)
What is the change?
- Provisions have been included in the Act to set up a new national framework for digital identities in the UK, with a view to ensuring secure, standardised identity and data verification across sectors. The ambition is that this trusted and certified digital identity could serve as an alternative to presenting a passport or driving licence when proof of identity is required, helping to reduce fraud, streamline onboarding and improve customers' experience.
- Services like this already exist in some areas, such as digital verification services for onboarding employees, property rentals and criminal records checks. However, the UK Government now hopes to expand DVS to other activities, such as buying age restricted goods or accessing essential online services.
How will this impact your organisation?
- Again, the details are currently awaited as while the Act establishes a framework for DVS, these are dependent on the introduction of secondary legislation. However, at present there is no indication as to when such secondary legislation might be laid before Parliament, or about the detail it will contain. Therefore, while a framework around use of DVS is likely to be welcomed given the potential for enhanced trust and greater certainty around digital verification, the practical impact of such provisions remains to be seen pending the introduction of secondary legislation.
e-Privacy (Sections 109 – 116 and Schedule 12)
What is the change?
- Fines under the Privacy and Electronic Communications Regulations 2003 (PECR) will be brought into line with the UK GDPR, i.e. maximum £17.5 million or 4% of global annual turnover, whichever is higher.
- Further, the ICO's enforcement powers for e-Privacy breaches will be more aligned with the enforcement regime under the UK GDPR and Data Protection Act 2018. For example, all notices available to the ICO, such as information notices, assessment notices and enforcement notices, will become available for e-Privacy breaches.
- As for cookie consent rules, these have been extended to anyone who "instigates" the storage or access to stored data. This means the regulator could potentially enforce actions against both the ad tech vendors and also the website publishers themselves.
- On the flip side, there is a relaxation in the exemptions for cookie consent where the deployment and use of such cookies pose a low risk to user privacy (e.g. certain analytics usage). That said, the user must still have the right of opt out even for such low risk analytics, so they are not the same as strictly necessary cookies (for which an opt out is not needed). This position seems somewhat at odds with the ICO's consultation on storage and access (cookie) guidance, let alone the EDPB's position so it will be interesting to see how this all works out.
- Again, the Secretary of State is given the power to update the list of cookie exemptions by secondary legislation, following consultation with the ICO. While the ICO has indicated it is mindful to relax the consent requirements for privacy-preserving advertising activities, including basic ad measurement, where the privacy impact is minimal, an opt-out model would potentially limit the practical use of this proposal. A statement from the ICO is expected in Autumn 2025 so it really is a case of watch this space!
- The soft opt-in for email communications for charities is back, where the sole purpose of the email is to further the charity's charitable purposes, the recipient has provided their details when expressing interest or providing support and the recipient is given an opt-out.
- Finally, the ICO is tasked with encouraging industry to produce codes of conduct, which we suspect will be welcomed by businesses, particularly given the ICO's current, very collaborative approach when issuing guidance.
How will this impact your organisation?
- It is fair to say that the ICO has a relatively low tolerance for PECR breaches and this is where we see the most active enforcement from the ICO. Fines to date under PECR have not been eye-watering given the current cap under PECR of £500k, but this is of course set to change. Organisations who therefore take a risk-based view on PECR requirements, particularly in respect of their marketing campaigns, should be reconsidering their risk profile given the stakes are becoming significantly higher for non-compliance!
- While the changes to the cookie regime will be likely welcomed in some respects, greater obligations will be placed on instigators of tracking technologies which is likely to cause some confusion as well as require changes to terms and conditions.
- The current changes do not provide the much longed-for get-out for ad measurement tracking technologies, so we suspect we will see some pressure on the Secretary of State to update the list.
- Further, while use of basic analytics tracking technologies will no longer require opt-in consent, users will still need to be provided with an opt-out, which means organisations will not be given carte blanche to use analytics. It will also mean organisations will need to make it easier for users to opt out of cookies more generally.
- Charities will no doubt welcome the changes to the soft opt-in, although we suspect requiring an opt-out in every message might limit its practical impact.
IC's new powers (Sections 97 – 105)
What is the change?
- The IC will have a range of new powers which will bring it in line with other UK regulators. These include the power to issue interview notices and to require the production of documents or the preparation of a report.
- These new powers are wide ranging, e.g. an interview notice may be issued to any individual who is currently, or who was at any time previously, employed by the controller or processor. Do note, there are carve-outs for parliamentary privilege and legal privilege, and an interview notice cannot require people to self-incriminate.
- However, it will be a criminal offence to knowingly or recklessly make a false statement in response to an interview notice and the regulator will be able to issue penalty notices.
- It is important to note there is a right of appeal against an interview notice, although how this would work in practice remains to be seen.
- While the power to require documents will come into force 2 months after Royal Assent (19 August 2025), other new powers will be brought into force by secondary legislation.
How will this impact your organisation?
- It will be important to familiarise yourself with the new powers the IC has and when they come into force as these will change how the ICO currently conducts its investigations.
- The power to require individuals to attend interviews will no doubt cause some concern and likely will necessitate an update to post-termination provisions of your employment contracts. In addition, there may well be a budgetary and resource implication in order to ensure compliance.
- The power to require production of reports is also likely to raise eyebrows and it will be interesting to see how this impacts privilege to the extent organisations require their lawyers to be involved.
The IC – formerly known as the ICO (Part 6 and Schedule 14)
What is the change?
- The ICO will be abolished and the Information Commission (IC) will be created. The aim is to bring the ICO into line with other UK regulators, making the IC a full corporation with board members, the majority of whom should "in so far as practicable" be Non-Executive Directors.
- John Edwards will become the first Chair of the IC until the end of his original 5 year appointment term (due to end in January 2027) and there will be a distinct role of Chief Executive, separate from the Chair.
- No Chair or Non-Executive Director can be appointed more than once and the maximum term of appointment will be 7 years.
- It is worth noting the controversial proposals allowing the UK Government to set strategic priorities for the IC have been dropped, in order to maintain the IC's independence - a move likely to go down well in Brussels!
How will this impact your organisation?
- We suspect in practice this will mean very little change in the immediate future. With John Edwards remaining at the helm, we would be surprised if we see a material change in the IC's attitude to enforcement, but it will be interesting to see how decision making by committee, as opposed to being the responsibility of a single commissioner, will impact the ICO enforcement strategy going forwards.
Legitimate interests (Section 70)
What is the change?
- The Act attempts to make it easier for data controllers to rely on UK GDPR Article 6(1)(f) (legitimate interest) for data processing, by setting out a list of "recognised legitimate interests".
- This list of recognised legitimate interests can be amended by secondary legislation, so it is possible that the list could change over time. However, this may attract the attention of both the EU and the privacy activists who dislike this approach due to the lack of scrutiny.
- The Act also includes examples of interests that may be legitimate (albeit where a balancing test is still required), explicitly stating that processing for the purpose of direct marketing, intra-group transfers of personal data and ensuring the security of network and information systems may be based on legitimate interest. These were however already mentioned in the UK GDPR recitals so this is not a massive change - so don't tear up your existing LIAs or LIA protocols just yet!
How will this impact your organisation?
- This change is not as useful as many first thought as the new recognised legitimate interest list is narrow in scope, i.e. national security, emergencies, detection, investigation or prevention of a crime and safeguarding vulnerable individuals, and is likely to be of limited relevance for most businesses. If your processing is in scope of a new recognised legitimate interest, there will be no need to undertake a legitimate interest assessment (LIA). However, for all other cases you will still need to do a LIA, so in practice unless you are an organisation whose processing falls within the recognised list, the changes won't make much of a difference.
Purpose limitation (Section 71, https://www.legislation.gov.uk/ukpga/2025/18/section/71/enacted)
What is the change?
- The Act clarifies that the purpose against which compatibility should be measured is the purpose for which the controller making the assessment received the data, not the purpose for which the data was collected by the original controller that first received the data directly from the data subject.
- By way of example, the type of scenario in which this could be relevant would be if Controller A, a record label, collects personal data from fans to send updates and exclusive content related to a new artist, and Controller A then shares this data with a third-party music licensing platform (Controller B), which aggregates audience insights to help independent filmmakers and advertisers choose music that resonates with specific demographics. The wording now clarifies that should Controller B wish to assess compatibility, it should do so against the purpose for which it received the data (i.e. the generation of insights), and not the original purpose of Controller A. While this might be obvious to some, we suspect the clarification will be welcomed.
- The changes also provide a clear mechanism on how to assess compatibility as well as draw out examples of where the compatibility requirement would be met.
How will this impact your organisation?
- Again in practice, we don't anticipate this change will have a huge impact on organisations, although we do consider it to provide welcome clarity on how to ascertain compatibility particularly when data has been shared between organisations.
Smart data schemes (Part 1)
What is the change?
- A new framework will be established to allow for the sharing of customer data at the customer's request with authorised third-party providers, so that the authorised third-party can use data to provide services to the customer.
- It has been suggested that this change is an attempt to reinvigorate data portability. However, the provisions relating to smart data schemes are much broader and more ambitious in scope than the existing portability provisions, as they are not limited to personal data and also cover data relating to goods, services or content provided by a trader to a customer (such as information relating to pricing, usage, performance and quality). Furthermore, the UK Government has suggested that the existing portability provisions do not go far enough to enable the real time provision of customer data from data holders to third parties that is necessary for functioning smart data schemes (based on comments made by the UK Government in its Explanatory Notes to the Bill when it was first proposed).
- There are also provisions for the sharing of business data (defined as information relating to goods, services and/or content provided by a trader) to help drive innovation and competition, e.g. by allowing smaller or new businesses to access data previously held by large incumbents.
How will this impact your organisation?
- The driver behind these schemes is to encourage the development of new and innovative data-driven services in order to increase competition and innovation, reduce costs, save time for consumers switching, increase the quality of services, improve the security of data sharing and ultimately increase trust in data sharing mechanisms. The best existing example of what the UK Government is looking to achieve with these proposals is Open Banking, which allows UK consumers and businesses to allow authorised third parties to access their banking data to provide financial services – but the UK Government now hopes to expand this beyond the financial services sector and into other sectors such as energy.
- While the UK approach is arguably similar to legislation related to data sharing in the EU, it is wider in scope in that it is not limited to the public sector like the Data Governance Act, nor limited to connected tech, i.e. IoT, like the Data Act.
- However, as these provisions set up the framework to allow the Secretary of State and the Treasury to establish the schemes, the details around specific schemes are yet to be set out in secondary legislation. Therefore for now, it is a question of wait and see.
Special category data (Section 74)
What is the change?
- The Secretary of State is given the power to add new types of processing or data types to the special categories list in the UK GDPR by secondary legislation.
- It is worth noting that while the Secretary of State can remove any new additions that they make to the list of special categories, they cannot remove the special categories already listed explicitly in the UK GDPR (e.g. health, ethnicity or religious beliefs). So the "foundational" special protections in the UK GDPR will remain the same as the EU GDPR.
How will this impact your organisation?
- It is of course difficult to say until the Secretary of State has exercised such powers. However, the effect of this power will mean less scrutiny around what is considered special category data (which in our view is surprising given the impact that a sudden recategorisation of standard data as special category data could have!). However, in light of the technological advances we are seeing, e.g. in the biometric and neural tech sectors, we can understand why a more agile solution is seen as important.
- Data relating to gender transition for example may be added to the list for clarity given the current debate as to whether such data falls within existing definitions of special category data. We also suspect that certain children's data or data relating to vulnerable individuals will be added to the list. Watch this space.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.