On 19 June 2025, following a lengthy back-and-forth between both Houses, the Data (Use and Access) Bill received Royal Assent and is now the Data (Use and Access) Act 2025 (the “Act”). This article builds on our earlier summary of the draft Bill published at the beginning of the year. With the Act now on the statute book (although most of its provisions are not yet in force, see below), we set out our top ten key takeaways.
The Act does not replace the UK GDPR, the Data Protection Act 2018 or the Privacy and Electronic Communications Regulations 2003 (PECR), all of which remain in force. Instead, it amends particular aspects of those laws. Overall the reforms are reasonably modest, although there are certain changes that businesses should be aware of.
The Act creates a more permissive framework under the UK GDPR for businesses to make decisions based solely on automated processing (i.e. without any meaningful human involvement) that have legal or similarly significant effects on individuals. Currently, the UK GDPR restricts such automated decision-making (ADM) to a limited set of lawful conditions. Going forward, those restrictions will apply only where special category data is involved. This relaxes the ADM requirements, but arguably only to a degree, because the new law still requires safeguards for solely automated decisions: individuals must be told that such a decision has been made, and must be able to make representations, challenge the decision and obtain human intervention. In practice, this means an ADM system has to be designed so that an individual decision can be identified, explained and re-taken by a person, which is an engineering requirement as much as a legal one.
Nonetheless, the widening of the permitted use of ADM demonstrates the government’s attempts to foster AI use and innovation in the UK, and it may well increase the number of cases in which businesses rely on AI to make key decisions about individuals.
The Act introduces a new ‘recognised legitimate interests’ lawful basis, which covers processing necessary for certain defined purposes such as national security, crime prevention, emergency response and safeguarding vulnerable individuals, and which, unlike the ordinary legitimate interests basis, does not require the controller to carry out a balancing test. Separately, the Act lists examples of processing that may qualify as an ordinary ‘legitimate interest’ (still subject to the balancing test), such as processing for ‘direct marketing’ (broadly defined), intra-group transfers needed for internal administrative purposes, and processing to ensure the security of network and information systems. The last of these is a helpful confirmation for security teams that activities such as log retention, threat detection and incident investigation have a recognised footing. The list of recognised legitimate interests can be expanded in future by regulations.
The Act, to some extent, codifies ICO guidance and previous court rulings on what has previously been seen as best practice for dealing with DSARs, in particular:
The Act also makes key changes to PECR in relation to cookies and direct marketing. Going forward, a wider set of ‘low-risk’ cookies (for example, cookies used only for first-party analytics or to remember a user’s display preferences) may be set by websites and apps without consent. This will change, but is unlikely to remove entirely, the need for businesses’ cookie consent mechanisms.
The Act also brings fines for breaches of PECR in line with the levels available under the UK GDPR (up to £17.5m or 4% of global annual turnover, whichever is higher), meaning we may start to see much larger fines for businesses engaged in unlawful nuisance calling and email spamming (hot areas of enforcement), and potentially also for breaches of the cookie requirements.
The Act will require organisations to facilitate and handle data protection complaints from individuals. In practice, this likely means implementing a formal complaints mechanism, such as an online complaints form, so that complaints can be made and tracked. Complaints must be acknowledged within 30 days of receipt and responded to without undue delay.
The Information Commissioner’s Office (ICO) will be replaced by a new Information Commission, which will have a more corporate structure consisting of a chair, a board and a chief executive. How the new structure will affect enforcement of data protection law, and what this will mean for businesses in practice, is yet to be determined.
The EU’s adequacy decision for the UK is set to be reviewed at the end of this year. While the UK government has not made substantial changes to the UK data protection regime, certain provisions may raise some eyebrows in Brussels. One example is the relaxation of the UK’s own adequacy standard for international transfers, which potentially increases the list of ‘adequate’ countries to which the UK can send personal data without additional safeguards such as standard contractual clauses. Such provisions make the UK’s future as an adequate transfer destination from the EU more uncertain.
The majority of the Act is not yet in force. Instead, the changes to data protection law will come into force in stages (over a period of 2 to 12 months from June, according to government guidance), and future regulations are required to bring them into effect.
Finally, it is worth noting that the Act is very lengthy. This is because it goes beyond changes to data protection law and includes provisions which the government hopes will enable technological growth, efficiency and modernisation in a range of areas, both public and private, including digital verification services, new smart data schemes which support open banking and remove friction in other sectors (such as utilities), law enforcement, the NHS and underground infrastructure (the National Underground Asset Register).
Organisations with well-established data protection compliance frameworks are unlikely to face significant challenges in adapting to the upcoming changes. Nevertheless, this is an ideal opportunity to revisit and strengthen existing practices, ensuring a smooth transition once the changes come into force. Organisations that are also subject to the EU GDPR will need to make a strategic decision on whether to localise data privacy compliance for the UK or to maintain the EU standard across the board.