The Data (Use and Access) Act 2025 – what you need to know

If your business uses data, and that will be a virtual certainty in today’s digitally connected world, you will need to know about the Data (Use and Access) Act that is being phased in over the next twelve months.  

The Act is a broad-reaching statute aimed at modernising UK data law, promoting innovation, enabling greater data sharing and simplifying regulatory frameworks. It builds on the existing UK GDPR, the Data Protection Act 2018 and PECR (the Privacy and Electronic Communications Regulations) without replacing them. The changes introduced by the Act will be phased in between June 2025 and June 2026. Some provisions, such as Subject Access Requests reform, came into effect immediately from 20th June 2025. 

What’s in the Act?

Key pillars of the Act include: 

  1. Digital verification & Smart Data
  • A Digital ID Trust Framework, paving the way for official digital identities such as the gov.uk wallet.
  • New Smart Data Schemes may require sharing customer or usage data – modelled on Open Banking – to increase competition and innovation.
  2. Subject Access Requests (SARs)
  • Codifies the requirement for reasonable and proportionate search efforts when responding to SARs, including the ability to pause the one-month clock while awaiting clarification or extra information.
  3. Recognised legitimate interests
  • Introduces a simplified lawful basis for processing data for areas deemed inherently legitimate – such as fraud prevention, network security, crime detection, national security and emergencies – without needing a full balancing test.
  • Businesses can rely more on legitimate interest rather than consent for marketing and cookies – but fines now match GDPR levels (up to 4% of global turnover or £17.5M).
  4. Automated Decision-Making (ADM)
  • Use of ADM, including AI, is now more flexible – if no special category data is used. But businesses must:
  • inform individuals;
  • offer a way to challenge decisions; and
  • provide human review.
  5. Cookies & electronic marketing (PECR)
  • Permits certain low-risk cookies, such as analytics or functional ones, without prior consent – so long as transparency and opt-out options are in place.
  • As mentioned above, the Act brings PECR fines in line with GDPR – up to £17.5 million or 4% of global turnover.
  6. Complaints procedure
  • Firms will be required to provide clear, accessible internal complaints processes, with acknowledgements within 30 days and timely responses. In certain regulated sectors, complaint volumes must be reported to the ICO.
  7. Regulatory powers & ICO reform
  • The Information Commissioner’s Office will become the Information Commission, a corporate body which will handle complaints – businesses must address data concerns first before escalation. It will gain enhanced powers: audits, compelling testimony, demanding reports and issuing significant fines under both GDPR and PECR.
  • PECR breach reports now have a 72-hour window, aligned with GDPR.
  8. International data transfers
  • The Act clarifies transfer rules; transfers to non-UK countries are allowed if the protection level is “not materially lower” than the UK’s, rather than needing full EU equivalence. Any changes will require secondary legislation.

Note that the European Commission will reassess the UK’s adequacy status in December 2025.

  9. Children’s data protections
  • Online services that children might use must consider extra safeguards – especially around profiling, personalised marketing and algorithmic content.
  • Providers of an online service that is likely to be used by children are explicitly required to take their needs into account when deciding how to use their personal information. This requirement will already be satisfied if service providers conform to the ICO Age Appropriate Design Code (AADC).

What’s changing for businesses?

Simplified processing

  • New legitimate interest basis reduces administrative burden and may speed up some uses – like direct marketing and fraud prevention.  
  • The DUAA also introduces flexibilities where personal data is reused for scientific or historical research, archiving in the public interest or statistical purposes. 

For example, a medium-sized gym chain analysing previous years of member attendance and cancellation data for statistical research would, under the DUAA, not need to re-issue privacy notices to thousands of ex-members (which would be disproportionate). Instead, they could rely on the new flexibility by updating their privacy policy and applying safeguards such as pseudonymisation. 

  • Further processing is allowed if it’s compatible with the original purpose – removing the need for separate compatibility assessments. 

Privacy with fewer hurdles

  • Automatic compliance relief due to codified SAR practices – firms only need proportional searches. 
  • Cookie and PECR reforms reduce friction in digital operations – and give marketers new flexibility. 

Innovation & new services

  • Smart Data frameworks unlock scalable opportunities for fintech, healthcare, utilities and more. 
  • Digital ID tools simplify compliance with Know-Your-Customer, right-to-work checks, identity verification, etc.

Enhanced compliance requirements

  • Higher fines for PECR and GDPR breaches demand stricter systems. 
  • New complaints procedures become mandatory; failure to respond may risk enforcement. 
  • ADM governance must include transparency, review mechanisms and human oversight. 
  • International transfers must align with adequacy reviews – firms should closely monitor EU negotiation developments. 

What should SMEs do now?

Although, as we mentioned above, the provisions of the Act are being phased in over the next year, businesses should be preparing now for what they will need to do.  

  1. Update policies & notices
  • Revise privacy notices to include the new legitimate interest types and explain Automated Decision-Making (ADM) usage.
  • Revise cookie banners and services to reflect the new low-risk cookie categories and opt-out options.
  2. Audit SAR procedures
  • Ensure SAR workflows only require reasonable and proportionate searches.
  • Build in “pause the clock” functionality when awaiting clarification.
  3. Introduce complaints handling
  • Set up a clear internal complaints process: acknowledgement within 30 days, responses without unreasonable delay.
  • Create an online complaint form and track complaint volumes.
  4. Review legitimate interests usage
  • Map any processes relying on legitimate interest or direct marketing, and assess whether they fall into the new recognised category.
  • If so, simplify documentation; if not, ensure proper balancing tests are in place.
  5. Govern ADM
  • Identify all ADM systems.
  • Confirm safeguards: transparency, human review and contestability, especially for special category data or recognised legitimate interest cases.
  6. Prepare for Smart Data & Digital ID
  • Explore potential for joining Smart Data schemes or building on Digital ID frameworks.
  • For sectors like finance, healthcare or energy: assess technical integration and regulatory compliance.
  7. Strengthen PECR & cookie compliance
  • Ensure cookie banners are transparent, easy to reject and exclude low-risk cookies from consent when appropriate.
  • Check email/SMS marketing uses proper lawful bases.
  • Monitor for unauthorised PECR activity to avoid hefty fines.
  8. Check cross-border data transfers
  • Trace all international data flows; confirm adequacy or implement standard contractual clauses.
  • Stay alert to any changes that might follow the December 2025 European Commission adequacy review.
  9. Prepare for ICO powers
  • Be ready for potential ICO audits, demands for data or formal interviews.
  • Conduct internal mock audits to prepare.
  10. Train staff

Update training materials to reflect: 

  • New SAR rules 
  • Complaints handling 
  • ADM processes 
  • Cookie/Marketing reforms 
  • Recognised legitimate interests 
  • Digital ID/Smart Data awareness