The Data (Use and Access) Act: What Impact Will It Have On Organisations?
The Data (Use and Access) Act 2025, first introduced in the House of Lords as the Data (Use and Access) Bill, has finally been granted royal assent.
This Act introduces amendments to UK data protection law. It is not a replacement for the existing regulations, such as the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003; rather, it changes how they look in places.
What are the aims of The Data (Use and Access) Act 2025?
The UK government has described the EU’s GDPR as “highly complex” and has said that businesses have been held back from using data effectively by “red tape and pointless paperwork”. With this in mind, the main aims of the Data (Use and Access) Act 2025 are to:
Grow the economy: The government estimates that the Act will bring a £10 billion boost to the UK economy over the next 10 years. This will be partly due to the new Smart Data powers and the National Underground Asset Register, which are intended to drive growth by improving the way consumers and businesses can safely share data to make better-informed decisions.
Improve public services: This will be achieved in two main ways. First, subject access procedures will be simplified, freeing up time in sectors such as law enforcement – an estimated 1.5 million hours per year. Second, information protocols in the NHS and adult social care sectors will be standardised, lowering the overall administrative burden and, in turn, improving patient care. It is estimated that this alone will save an additional 140,000 hours per year.
Timeline of events
An overhaul of data protection legislation was initially proposed by the previous Conservative Government. That version was far more radical, with much more significant changes, such as potentially abolishing the requirement for Data Protection Officers (DPOs).
Later, in October 2024, the current Labour Government introduced the first version of what would become the Data (Use and Access) Act 2025, with far fewer, yet still impactful, changes.
That proposal is similar to what we eventually got with the Data (Use and Access) Act 2025, and it would likely have been passed sooner were it not for a series of attempts by the House of Lords to introduce new transparency obligations on AI developers towards holders of copyright in training data. These clauses were rejected by the Commons, and while they are not in the final version of the law, there is already a separate consultation on AI and copyright, so changes specific to this are likely to follow in the future.
What changes are coming?
The key changes introduced by the Data (Use and Access) Act 2025 are summarised below. They will be implemented in a phased approach between June 2025 and June 2026.
The Information Commissioner’s Office (ICO): Currently, people have a right to complain directly to the ICO regarding the processing of their personal data, irrespective of the severity of the complaint.
Under the Data (Use and Access) Act 2025, individuals will first be required to complain to the organisation; if they feel the organisation is not taking the complaint seriously, it can then be escalated to the ICO. The aim is to reduce the number of complaints reaching the ICO. Organisations will need to establish processes to ensure they can respond to any complaint within 30 days.
Additionally, there are also plans for the ICO to be replaced by an Information Commission, which will be run in a similar fashion to other regulatory bodies such as the FCA and OFCOM.
Data subject rights: Two of the data subject rights are getting changes:
First, under the right to portability, direct sharing of data between certain organisations or regulated third parties will be permitted without you having to consider the risks. This will allow data to be shared for investigations, where there is concern for an individual, or for a regulatory (but not legal) investigation.
Next, under the right to be informed, Article 13 requires full details of the data controller to be provided to the data subject whenever personal data is being collected – most typically in the form of a readily available privacy notice. Many privacy notices contain general processing information, but not necessarily information relevant to the specific activity.
Additionally, Article 14 requires details of the data controller to be provided to the data subject without undue delay where data is collected from a third party. This has always been challenging, especially where large volumes of data are collected for marketing purposes. If either of these would involve “disproportionate effort”, the organisation will not be obliged to provide this information.
Automated decision making: In one of the more significant divergences from EU law, the restrictions on automated decision making will only apply where the decision is based entirely or partly on special category data. The safeguards of human review and transparency will continue to be required for all solely automated decisions.
Privacy notices: You can re-use people’s personal data for scientific research without giving them a privacy notice, as long as the effort of doing so can be considered disproportionate. Provided you protect their data throughout and publish a privacy notice on your main website, the privacy notice does not have to be served directly.
Children and online services: If you provide an online service that is likely to be used by children, you’ll now be required to take their needs into account when you decide how to use their personal data. Much of this should already be addressed if you conform to the ICO’s Age-Appropriate Design Code (AADC).
Special category data: New categories have been introduced, such as neurodata, which is information gathered from devices or technologies that interact with the human brain or nervous system, such as smartwatches.
Recognised legitimate interests: If you rely on legitimate interest for one of the “recognised, pre-approved” reasons, there is no need to complete a legitimate interest assessment (LIA) to demonstrate that you have considered the rights of all parties. These “recognised, pre-approved” legitimate interests are:
- Disclosures to public bodies, where the personal data is required to fulfil a public function
- Disclosures for national or public security
- Disclosures for the detection and prevention of crime
Legitimate interests as a lawful basis: Legitimate interest will be accepted as a lawful basis for direct marketing purposes. The direct marketing rules under PECR (the Privacy and Electronic Communications Regulations 2003) will still apply, so this does not mean this lawful basis can be used by default.
Assumption of compatibility: Similar to the changes to legitimate interest, in certain cases, personal data can be re-used without the controller having to complete an assessment. This includes disclosing personal information for the purposes of archiving in the public interest, even if you only got consent for a different purpose.
Marketing for charities: In one of the more significant changes, if you are a registered charity you will be permitted to send electronic marketing messages to people who support, or have directly expressed interest in, your work (unless they specifically object). If you obtained a contact from a third party, you will still need to rely on consent. If you are a charity and want more information on the specifics of this, we have a blog post covering it in more detail.
Spam emails and text messages: Historically, PECR investigations into spamming have been based on the number of DELIVERED messages. Investigations will now be based on the number of messages SENT. This is likely to increase the level of regulatory action an organisation conducting non-compliant marketing activities can expect.
Privacy and Electronic Communications Regulations 2003 (PECR) fines: The Information Commission’s fining powers have increased significantly, from a cap of £500,000 to levels in line with the UK GDPR. This means any failures involving marketing, cookie use, email, SMS broadcasting, telemarketing, etc. could lead to fines of up to £17.5m or 4% of global turnover. The ICO is very active in issuing PECR fines, so any organisation undertaking mass direct marketing should carefully review its activities. We have a whole page dedicated to Marketing Legislation (PECR) support.
Cookies: It will be permissible to set cookies and similar technologies on websites for the purposes of analytics and optimising content without consent, but an opt-out must be provided. This will allow website owners to track users and their activity to improve the experience and success of the site.
How can I ensure that my organisation benefits from the Data (Use and Access) Act 2025?
As with any significant change in legislation, we understand there will be uncertainty about how these changes affect companies and how to implement them effectively. That is where the Privacy Helper team comes in. We have tracked the journey of this Bill carefully since October and can explain the changes in real terms for your organisation.
To be confident that you’re compliant, and to address any concerns you may have, contact PRIVACY HELPER today, and let us remove the stress of managing data protection compliance within your business.