After an extended journey of refinement, the Data (Use and Access) Bill (the Bill) is now enacted, modernising UK data law.
In this insight, we explore the main features of the Data (Use and Access) Act 2025, why it matters, and what steps organisations may need to consider as its provisions come into effect.
The Bill received Royal Assent on 19 June 2025 and passed into law as the Data (Use and Access) Act 2025 (the Act).
The Act is not confined to reform of data protection law: it introduces a breadth of changes that consolidate, update or introduce new frameworks for UK data affairs across various domains. There are three core objectives: to grow the economy, improve UK public services and make people's lives easier.
Reforms include:
- introduction of smart data sharing schemes, enabling efficient access to customer and business data
- introduction of a national framework for digital ID verification of individuals
- establishment of a national underground asset register
- overhaul of the public registers of births and deaths, moving to electronic systems
- changes to the UK's data protection regime
- reform of the Information Commissioner's Office (ICO), transferring functions of the Information Commissioner to the newly named Information Commission
- further provisions about data use and access in health and social care, smart meter communication services, public service delivery, and online safety
Data protection law reform
The Act amends and updates the existing UK data protection regime, that is the UK General Data Protection Regulation (GDPR) (retained EU law), the Data Protection Act 2018 (which complements the UK GDPR) and the Privacy and Electronic Communication (EC Directive) Regulations 2003 (PECR). Whilst geared towards promoting growth and supporting innovation in the UK, the changes to data protection law strive to simultaneously balance privacy rights of individuals.
Evolution of the Bill
The Bill's predecessor was the Data Protection and Digital Information Bill (DPDI Bill).
The DPDI Bill was plugged as a progressive framework aiming to reduce costs and paperwork for businesses, diverging from EU law post-Brexit. Critics argued that the creation of a new UK data protection regime which diverged further from EU law would have the opposite effect for UK businesses operating internationally. The DPDI Bill was not completed before the dissolution of parliament on 24 May 2024 ahead of the general election on 4 July 2024, so fell in the 'wash-up'.
The Bill was introduced on 23 October 2024, replacing the DPDI Bill. It was differently structured to the abandoned DPDI Bill, with changes of emphasis. It progressed through parliament reaching its final stages in May 2025 where there was strong debate (putting the Bill into so-called 'ping-pong' state) between the House of Commons and the House of Lords on proposals in relation to copyright and materials used to train AI models. The House of Lords pushed for transparency and copyright protection measures. The House of Commons repeatedly rejected those amendments, arguing that the Act was not the right vehicle to address the issues and that they should be handled separately. Instead, the Act obliges the government to report, consult and propose future measures. The Bill finally received Royal Assent on 19 June 2025.
Overview of key areas of change which may affect organisations:
Key changes under the new Act are set out below.
Data sharing / data portability
Smart data schemes
The Act facilitates increased data portability in the UK, which means secure sharing of customer and business data with authorised third-party providers on the customer's request, through "smart data schemes" and "data intermediaries".
These powers will be used to develop the UK's approach to open banking and to establish an open finance regime in the UK (and similar regimes in other sectors and industries).
Digital ID verification services
The Act introduces a legislative framework for digital verification services (see "Enabling the use of digital identities in the UK" on GOV.UK).
Data Protection Regulator
Structure and function
The functions and duties of the Information Commissioner will pass to a new body, the Information Commission. It will adopt a new structure with a board of non-executive and executive members.
Powers
The regulator will have strengthened powers including in relation to enforcement of PECR, more closely aligning its penalty regime with penalties under the UK GDPR. The regulator will be able to:
- require organisations to produce reports on specified matters, especially when an assessment notice is issued;
- serve legal notices electronically to data controllers, including those overseas, without needing their prior consent; and
- establish stakeholder panels to inform codes of practice and develop impact assessments for key regulatory actions.
Data Protection
Special category data
There is potential for more classes of special category data to be introduced under a particular mechanism in the Act, via secondary legislation. If used, this could bring quite significant changes, e.g. all children's data.
Data Subject Access Requests (DSARs)
- The Act introduces a new "applicable time period" and procedure for responding to DSARs, with clarification that data subjects are entitled only to findings from reasonable and proportionate searches. This codifies existing guidance, and may be helpful support in statute for controllers when faced with vexatious data subjects.
- Under the Act, if a court is required to determine whether a data subject is entitled to information under their rights of access or portability, the court can require the controller to make available this information for the court's inspection. The court may not require it to be disclosed to the data subject or their representatives until after the decision.
Privacy Notices - New right to complain for data subject
Data subjects have a new right to complain to controllers. Controllers will need to facilitate the making of complaints, for example by providing an electronic complaint form, and to include information about this right in privacy notices.
Automated decision making
Under the Act, restrictions on solely automated decision making will be substantially relaxed, with safeguards. There is more statutory clarity on what "solely" means. The same restrictions against automated decision making as in the UK GDPR remain for special category data.
Data transfers
The former regime (which restricted international transfer of personal data under Chapter V of the UK GDPR) is re-formulated. This should streamline transfer risk processes for low-risk data transfers. The Act introduces a "data protection test" to be applied by the Secretary of State when deciding whether to approve an international transfer, including by way of recognising a third country's data protection regime as adequate.
Legitimate Interests as lawful basis for processing
- There are new "recognised legitimate interests". The 'balancing test' requirement for these is effectively removed (though these interests do not commonly tend to arise in standard commercial contexts). They are: (a) disclosure to public bodies who assert they need personal data to fulfil a public interest task; (b) disclosure for national, public security or defence purposes; (c) emergency response purposes; (d) detection, investigation or prevention of crime; and (e) safeguarding vulnerable individuals.
- The Act clarifies that processing which is (a) necessary for direct marketing; (b) intra-group transmission of personal data for administrative purposes; or (c) necessary for ensuring the security of networks and IT systems, can be based on the legitimate interests lawful basis. (These are lifted from GDPR recitals, so are not new, but are now moved into the body of UK statute.)
E-Privacy
Cookie consent
- Cookie consent rules are expanded so that they also apply to a person who "instigates" the storage of, or access to, stored data. The intention is to capture "cookie like" technologies such as tracking pixels and browser fingerprinting.
- The Bill expands exceptions to the requirement for consent to use of cookies in situations which pose a low risk to user privacy. No user consent will therefore be required for analytics cookies or website appearance cookies. But clear information must be given about the cookies and there must be an ability to opt-out. No consent will be required where cookies are used for security purposes, to prevent or detect fraud or technical faults in connection with the requested service or to facilitate automatic authentication or maintaining a record of the selections made on a service by the subscriber or user.
Enforcement under PECR (Privacy and Electronic Communication (EC Directive) Regulations 2003)
The Information Commissioner's power to impose penalties under PECR – for cookie and electronic direct marketing related breaches – is currently capped at £500,000. This cap is removed and enforcement powers under UK GDPR and the DPA 2018 apply to ePrivacy breaches. There is a higher maximum penalty cap of £17,500,000 or 4% of worldwide turnover.
Breach reporting under PECR
Communications service providers are subject to a parallel personal data breach reporting regime under PECR. Under the Act this is aligned with the 72 hour deadline under the UK GDPR.
Research
Scientific research
The Act defines the term "scientific research" to bring it in line with existing GDPR recitals and regulatory guidance to encourage a broad interpretation, so that the UK GDPR's purpose limitation principle, and restrictions on processing special category data, are less likely to stand in the way of processing for what might be considered scientific research purposes. Similar clarifications are proposed for "historical" and "statistical" research.
Commencement
Not all provisions in the Act become law straight away. Most of the provisions will only apply once Government has enacted enabling secondary legislation. It is expected that provisions will be introduced in a phased manner, with some taking upwards of 12 months to apply.
Further insight
Focused insights on certain areas of change, such as automated decision-making, scientific research and digital verification services will follow in additional articles.
Read the original article on GowlingWLG.com