On June 19, 2025, the United Kingdom enacted the Data (Use and Access) Act 2025, marking a pivotal moment in the country’s approach to data regulation. This comprehensive legislation amends the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), aiming to foster innovation, streamline compliance, and maintain robust privacy protections in a rapidly evolving digital landscape.
Why the Act Matters: Balancing Innovation and Privacy
The Data (Use and Access) Act 2025, often referred to as the DUAA, is designed to modernize the UK’s data protection regime. It seeks to:
- Reduce compliance burdens for organizations
- Enable responsible data sharing and digital innovation
- Strengthen individual privacy rights, especially for children
- Align the UK’s data regulation with post-Brexit economic and policy goals
Key Legislative Changes:
Amendments to UK GDPR, DPA 2018, and PECR
The Act introduces targeted amendments that keep the core principles of the UK GDPR intact while making several important updates:
- Recognized Legitimate Interests: Certain processing activities—such as fraud detection, crime prevention, and public health—are now automatically considered lawful, removing the need for a balancing test in these cases.
- Direct Marketing and Research: Clarifies that direct marketing can be a legitimate interest and expands the definition of scientific research to include commercial research, with new safeguards for broad consent.
- International Data Transfers: Updates the rules and tests for transferring personal data outside the UK, aiming for greater clarity and flexibility.
Relaxed Cookie Consent Rules
Consent requirements for low-risk cookies—such as those used for analytics, site optimization, and basic website functionality—have been relaxed. Explicit consent is no longer mandatory for these cookies, reducing friction for both users and organizations while maintaining transparency and opt-out rights. For more, see the ICO’s guidance on cookies.
Enhanced Safeguards for Children’s Data
The Act imposes stricter requirements on online services accessed by children. Providers must consider children’s privacy and safety during the design phase, building on the Age Appropriate Design Code and ensuring robust protections for minors.
Automated Decision-Making: A More Permissive but Guarded Approach
The framework for automated decision-making has been overhauled:
- Automated decisions are permitted with necessary safeguards, such as providing information to individuals, enabling challenges, and allowing human intervention.
- Stricter rules apply when decisions involve special category data (such as health, race, biometrics).
- For law enforcement, exemptions exist for national security, but meaningful human review must follow significant automated decisions.
Data Subject Access Requests (DSARs): Proportionality and Practicality
Organizations are now only required to conduct “reasonable and proportionate” searches when responding to data subject access requests. The Act introduces a “stop the clock” provision if further information is needed from the requester, codifying recent best practices and reducing the burden on data controllers.
New Lawful Grounds and Flexibility
- Assumption of Compatibility: Certain re-uses of personal data (such as archiving in the public interest) are presumed compatible with the original purpose, simplifying secondary use for research and public benefit.
- Soft Opt-In for Charities: Charities can send electronic marketing to individuals who have shown interest or supported their work, unless the person objects.
Digital Verification Services and Smart Data Schemes
– Digital Verification Services Framework
The Act establishes a statutory framework for digital verification services (DVS), moving from voluntary schemes to a regulated, certified model:
- Certification and Trustmark: Providers must be certified under a new trust framework managed by the Office for Digital Identities and Attributes (OfDIA), under the Department for Science, Innovation and Technology. Certified providers display a Trustmark, signaling compliance with security, privacy, and interoperability standards.
- Oversight and Flexibility: The Secretary of State can update certification criteria, ensuring alignment with international standards and adaptability to new technologies.
– Smart Data Schemes
The Act enables secure, consent-based data sharing through smart data schemes, facilitating innovation in:
- Open Banking: Expanding secure data portability and interoperability between financial institutions and third-party providers.
- Public Services: Enabling seamless, secure data sharing across government and regulated sectors, improving service delivery and efficiency.
The New Information Commission: Enforcement and Oversight
The Information Commissioner’s Office (ICO) will transition to the Information Commission, gaining:
- Stronger Enforcement Powers: The Commission can issue higher fines (up to £17.5 million or 4% of global turnover), conduct audits, and issue binding orders for non-compliance.
- Alignment with Other Regulators: The Commission’s powers are now more closely aligned with other UK regulators, enhancing consistency and oversight across the digital economy.
Compliance Best Practices for Organizations
– Review and Update Data Policies
Organizations should:
- Audit and revise privacy notices, consent mechanisms, and data processing policies to reflect the new legal bases and relaxed consent requirements.
- Ensure all data uses, especially those involving children or automated decision-making, are appropriately documented and safeguarded.
– Streamline Complaint Handling
- Implement clear, accessible procedures for handling complaints and data subject requests.
- Train staff on the new proportionality standard for DSARs and update workflows to ensure compliance.
– Prepare for Digital Verification and Smart Data
- Assess readiness to participate in digital verification schemes, including certification requirements and interoperability needs.
- Explore opportunities to leverage smart data schemes for innovation in financial services, the public sector, and beyond.
– Monitor Regulatory Guidance
- Stay up to date with guidance from the Information Commission, which will issue detailed rules and best practices as the Act is implemented.
At a Glance: Key Changes Under the Data (Use and Access) Act 2025
| Area | What’s Changed |
|---|---|
| Cookie Consent | Relaxed for low-risk cookies; explicit consent no longer required for analytics and functionality |
| Children’s Data | Enhanced design and privacy requirements for online services accessed by children |
| Automated Decision-Making | More permissive framework with necessary safeguards and human oversight |
| DSARs | Only reasonable and proportionate searches required; “stop the clock” rule introduced |
| Digital Verification Services | New statutory trust framework, certification, and trustmark for providers |
| Smart Data Schemes | Secure, consent-based data sharing enabled for open banking and public services |
| Enforcement | Information Commission gains stronger powers and higher fines |
| International Transfers | Clarified and more flexible rules for data transfers outside the UK |
| Research and Marketing | Broader definitions and lawful grounds for scientific research and direct marketing |
The Data (Use and Access) Act 2025 represents a major evolution in UK data protection law. By balancing innovation with privacy, streamlining compliance, and empowering both individuals and organizations, the Act positions the UK as a leader in digital regulation for the post-Brexit era. Organizations should act now to review their policies, train their teams, and engage with the new frameworks to ensure compliance and seize new opportunities in the evolving data landscape.