After months of debate, the UK’s Data (Use and Access) Bill received Royal Assent. Now known as the Data (Use and Access) Act 2025 (the Act), it marks a significant milestone in the UK’s evolving approach to data protection post-Brexit. It aims to strike a balance between protecting individual privacy and enabling data-driven innovation, particularly in sectors such as health, research, and public services.
Whilst the Act is a significant piece of legislation, the changes it introduces are, on the whole, modest, and organisations which currently comply with the UK GDPR and the Privacy & Electronic Communications Regulations (PECR) will not require a big overhaul of their data protection compliance programmes.
This article summarises the key changes being introduced by the Act and makes recommendations to ensure continued compliance.
Data Subject Access Requests (DSARs)
The Act introduces new requirements and clarifications regarding DSARs. The key changes include:
- Clarified grounds for refusal or limitation: The Act confirms that the data controller’s obligation, when responding to a DSAR, is to provide such personal data as it can after conducting a “reasonable and proportionate” search. This aligns with existing ICO guidance but its inclusion in the legislation is welcome and could help when dealing with aggressive data subjects.
- Timeframes and extensions: While the standard timeframe for responding to DSARs remains one month, the Act clarifies the circumstances under which this period can be extended by a further two months, for example, in cases of complex or multiple requests. The Act also allows data controllers to “stop the clock” when waiting for further information to help them identify the processing covered by the request.
- Fee charging: The Act allows organisations to charge a reasonable fee for responding to manifestly unfounded or excessive requests, or for additional copies of data.
Legitimate interests as a lawful basis
The Act refines the use of “legitimate interests” as a lawful basis for processing personal data, which is particularly relevant for organisations seeking to balance business needs with individual rights. The key changes include:
- Expanded list of recognised legitimate interests: The Act introduces a non-exhaustive list of processing activities that are presumed to be in the legitimate interests of the data controller, such as fraud prevention, network security, and certain internal administrative purposes. This provides greater certainty for organisations, reducing the need for detailed balancing tests in these scenarios.
- Balancing test requirements: For processing activities not on the recognised list, organisations must continue to conduct a balancing test to ensure that their interests do not override the rights and freedoms of data subjects. The Act provides more structured guidance on how to conduct and document this assessment.
- Transparency obligations: Organisations must clearly communicate to individuals when they are relying on legitimate interests, including the nature of those interests and the outcome of any balancing test.
Data sharing and access mechanisms
The Act introduces new mechanisms to facilitate data sharing, particularly in sectors where data access is critical for public benefit, such as health and research. The key provisions include:
- Data access schemes: The Act enables the creation of sector-specific data access schemes, setting out the conditions under which data can be shared between organisations, including public bodies and private entities. These schemes are designed to streamline data sharing while maintaining appropriate safeguards.
- Safeguards for sensitive data: Enhanced protections are required when sharing sensitive categories of data, such as health or genetic information. The Act mandates additional technical and organisational measures to prevent misuse or unauthorised disclosure.
Regulatory powers and enforcement
The Act strengthens the powers of the Information Commissioner’s Office (ICO) and other regulators, including:
- Increased fines and penalties: The Act raises the maximum fines under PECR for certain breaches, particularly those involving large-scale or systematic non-compliance.
- Audit and inspection powers: Regulators are granted enhanced powers to conduct audits and inspections, including the ability to require organisations to provide evidence of compliance with DSARs, legitimate interests assessments, and data sharing protocols.
New complaints procedure
Under the Act, individuals are now empowered with a statutory mechanism to challenge how their personal data is managed. The Act obliges organisations to establish straightforward and accessible complaints processes, including the introduction of a specific complaints form and a clear requirement to respond within 30 days.
Additionally, some organisations, particularly those in regulated sectors, may be required to report the volume of privacy complaints they receive to the ICO within set reporting periods. To ensure transparency, privacy notices must be revised to outline these new rights and procedures, providing individuals with greater clarity on how to voice their concerns.
PECR: electronic communications and marketing
PECR continues to play a crucial role in regulating electronic marketing, the use of cookies and similar technologies, and the security of public electronic communications services. The Act interacts with PECR in several ways:
- Marketing communications: Organisations must ensure that any data-driven marketing activities comply with both the Act and PECR, particularly regarding consent requirements for direct marketing by electronic means (such as email, SMS, and automated calls).
- Cookies and tracking technologies: The Act reinforces the need for transparency and consent when deploying cookies or similar technologies, in line with PECR requirements. Organisations should review their cookie policies and consent mechanisms to ensure they are robust and up to date.
- Security of communications: The Act complements PECR’s requirements for the security of public electronic communications services, emphasising the need for appropriate technical and organisational measures to protect personal data.
Automated decision-making
The Act eases restrictions on automated decision-making, limiting the strictest controls to cases involving special category data. For other personal data, organisations have more flexibility but must implement safeguards.
- Right to human review: Individuals can challenge decisions based solely on automated processing if special category data is involved. For other personal data, organisations must allow individuals to contest decisions, request human intervention, and express their views.
- Transparency: Organisations must clearly inform individuals about the use of automated decision-making, including the logic, significance, and consequences of such processing.
- Safeguards: Organisations are required to have measures in place to protect individuals’ rights, including the right to human intervention and to contest decisions.
International data transfers
The Act will be closely scrutinised by the European Commission during its review of the UK’s data adequacy status, expected in December 2025. While the Act does not introduce radical changes and aims to uphold core data protection principles, there is some uncertainty until the review is complete.
Any change to the UK’s adequacy status could impact the free flow of personal data between the UK and the EEA, so organisations should monitor developments closely.
Next steps
Whilst the passing of the Act into law does not herald a radical shake-up of UK data protection law, organisations should now start to review their current policies and practices to ensure they remain compliant and that they leverage the relaxation of some of the old rules. Key steps likely to be required include:
- Reviewing existing privacy and cookie notices.
- Ensuring training materials and internal policy documents are updated to reflect the new rules.
- Ensuring advertising and marketing programmes comply with the new rules.
- Reviewing and updating data sharing agreements and protocols, particularly for participation in new data access schemes.
- Updating records of processing activities and legitimate interests assessments in line with the Act’s new requirements.
- Reviewing and enhancing technical and organisational measures for safeguarding sensitive data and supporting international data transfers.
For more information in relation to any of the issues raised in this article, please contact Ciaran O’Shiel, Partner, Carrie McMeel, Senior Associate, Keith Dunn, Senior Associate or a member of our Data Protection and Commercial & Technology team.
Date published: 20 June 2025