Data (Use and Access) Act becomes law, with first ever changes to UK GDPR
Published on 3rd July 2025
New law goes beyond data protection, enabling fundamental changes to data usage by businesses

The Data (Use and Access) Bill finally passed both Houses of Parliament, after a contentious ping pong process. It entered into law as the Data (Use and Access) Act 2025 on 19 June 2025.
The Act ushers in the first ever changes to the UK's General Data Protection Regulation (GDPR), but it is about much more than data protection. It is, fundamentally, about making better use of data across many sectors of the economy, be that energy, telecoms, infrastructure, health and social care or financial services.
It is long and detailed, a combination of new provisions and amendments to existing laws. What are some of the more interesting changes?
Automated decision making
There is a softening of the current restrictions on automated decision making (ADM), for example in making explicit that the (partial) prohibition on ADM would apply only for special category data, and where there is "no meaningful human involvement".
In theory this gives organisations broader scope to use ADM, which may facilitate deploying artificial intelligence (AI) systems for additional use cases. However, the changes are subtle, and several conditions and restrictions still apply, so that organisations will need to consider very carefully whether and how they may be able to increase their use of ADM systems.
Research use of data
Definitions of certain types of research are added to the GDPR to refine the scope of those concepts.
In particular, the definition of "scientific research" arguably makes the concept wider, in that it is deemed to include any research that "can reasonably be described as scientific" irrespective of the source of research funding, and whether or not it is commercial.
The definition of "statistical purposes" potentially slightly narrows the concept, in that it applies only where the data is used for statistical surveys or to produce statistical results.
There is a broader concept regarding the purposes for which people can consent to the use of their data. The Act clarifies that, in appropriate cases, a person will be able to give consent to their data potentially being used for more than one type of scientific research, even if not all those research purposes are identifiable at the time they give that consent.
Overall, the changes are intended to benefit organisations that conduct research or use research results. While the broadening of the scope of "scientific research" will be welcome, this is still tempered by safeguards and limitations.
The Act paves the way for secondary legislation to be introduced which will oblige social media companies (and other online services providers within scope of the Online Safety Act 2023) to provide information for use by third party researchers into online safety measures. It includes the ability to bring in criminal offences, fines and other sanctions for non-compliance.
International transfers
In assessing adequacy, the government will be able to carry out a new data protection test to decide whether the transferee country's standard of data protection is "not materially lower" than the standard in the UK. This is a slight easing of the existing criteria, which is that the country in question must offer "essentially equivalent" protections.
Subject access requests
The Act makes clear that the right for an individual to obtain copies of their personal data under the GDPR is limited, so that they are entitled only to the data that would be found in a "reasonable and proportionate" search.
While this clarification is welcome, in reality it does little more than codify the existing case law and guidance from the Information Commissioner's Office (ICO).
Legitimate interests processing
The Act introduces a new lawful basis, that of processing necessary in connection with a list of "recognised legitimate interests". The list includes responding to requests from public bodies, and processing for certain purposes relating to security, defence, emergencies, crime and safeguarding. No balancing test is required.
It also makes explicit that certain types of processing purposes will be more likely to count as "legitimate interests", including processing for the purposes of:
- Direct marketing.
- Intra-group transfers for internal administration (including transfers between affiliate institutions, not just between groups of parent and subsidiary businesses).
- Network and IT system security.
In theory, this makes it easier for organisations to use the legitimate interest ground as the basis for their processing in these areas. However, its impact is reduced in practice, because the changes mean only that those types of processing are more likely to be considered legitimate interests (they are not deemed to be); the recitals of the GDPR already referred to the processing of personal data for direct marketing purposes potentially being regarded as carried out for a legitimate interest; and many organisations will have already concluded that they were covered by the legitimate interest ground.
Data protection complaints
The Act requires controller organisations to put in place a complaints process to facilitate data privacy complaints from individuals, for example by providing an electronic complaint form. Controllers are obliged to acknowledge complaints within 30 days and must, without undue delay, take appropriate steps in responding to the complaint (including making any appropriate enquiries and updating on progress) and inform the individual of the outcome.
Cookies and tracking
The Act creates some useful exceptions to the current regime under the Privacy and Electronic Communications Regulations (PECR). For example, user consent will not be required for use of cookies/other tracking technologies in some online services where they are used solely to collect statistical data in order to make improvements to services, or to improve the appearance or performance of a website, or adapt it to a user's preferences.
The exceptions are subject to various conditions, including around transparency, the right to object, and not using the collected data for purposes beyond the scope of the exceptions.
These are practical improvements which will be welcomed by providers of online services. However, organisations need to bear in mind the conditions and consider whether compliance will entail technical operational changes (for example, to consents obtained using consent management platforms), or updates to transparency information (such as cookies policies).
PECR fines
Maximum fines for breaches of PECR will increase to GDPR levels (the higher of £17.5 million or 4% of global annual turnover), up from the current £500,000 limit.
Information Commission
The ICO will become the Information Commission and have a different structure and powers. It will, for example, be able to demand production of documents and conduct mandatory interviews. However, most users are unlikely to see significant differences in day-to-day practice.
Common standards for health records
The government can bring in standards to enable interoperability and sharing of health-related data. IT suppliers for the health and care sectors will need to ensure that their systems meet common standards to enable data sharing across platforms.
In due course, suppliers to the NHS and social care sector will need to ensure that their contracts with both their customers, and their own suppliers and contractors, reflect the new requirements.
Digital identity
The Office for Digital Identities and Attributes will oversee a standards framework for online digital verification services. Compliance with the standards framework will not be mandatory, but organisations that successfully apply for certification will be included on a publicly accessible register and entitled to display a "trust mark" to show they meet the standards.
The standards will include:
- Not profiling users for third-party marketing purposes.
- Not creating large datasets that could risk revealing sensitive data about users.
- Explicitly confirming that users understand how their data is being shared.
Organisations hoping to obtain certification will of course need to ensure that their data processing practices meet the requirements, which in some circumstances will go beyond GDPR compliance obligations.
Smart data
The Act creates a framework which will allow the introduction, via secondary legislation, of separate smart data schemes to address specific sector needs, such as in finance, utilities and telecoms.
Smart data schemes will allow individuals to request that their data be shared directly with them, or with authorised and regulated third parties, and establish a supporting framework to ensure secure storage and transfers of this data.
The government hopes that these schemes can mirror the success of the open banking regime, enhancing consumer confidence in using trusted third-party services to provide, for example, personalised market comparisons and financial advice on cost savings, as well as "one-click" service switching to a new provider.
National Underground Asset Register
The National Underground Asset Register (NUAR) is an existing government digital service which provides access to a map of the underground pipes and cables for authorised users. It will be put on a statutory footing, rather than the current voluntary arrangement, mandating that owners of underground infrastructure, such as water companies or telecoms operators, register their underground assets.
The idea is that companies will benefit from a more comprehensive and rich view of buried assets. However, it places a burden on organisations to provide accurate, timely data. Failure to comply may constitute a criminal offence, and those in breach may be liable for damages to those suffering loss as a consequence of that failure.
Affected organisations should consider whether they need to review their contracts to ensure that, for example, contractors are obliged to provide the information needed for owners of these assets to fulfil their obligations, and that asset owners will not breach confidentiality obligations if they provide the relevant data.
What has changed since the original bill?
During the parliamentary process, many amendments were made to the original draft bill, including:
- Copyright and AI: Within nine months of the Act becoming law, the government must produce an economic impact assessment and report on some of the copyright policy options regarding AI training which were set out in the government's AI/copyright consultation, including proposals on technical measures, transparency, licensing, enforcement, and AI developed outside the UK. They must also produce an interim progress report at six months. (See this Insight for details of the consultation.)
- Children's data: Now to be given a higher standard of protection for the purposes of the GDPR provisions on data protection by design.
- Charities marketing: Charities will be able to take advantage of the soft opt-in exception when sending direct marketing emails.
When does it happen?
The provisions of the Act will be brought into effect in stages.
A few took effect as soon as the Act was passed, including changes relating to retention of data for counter-terrorism purposes. The change relating to a subject access request (to make clear that the applicant is only entitled to the data and other information based on a "reasonable and proportionate search") ostensibly also comes into effect on day one, but is back-dated to be treated as having come into force on 1 January 2024.
A few more provisions will take effect two months from the date the Act came into force, including some relating to law enforcement processing, and those giving the ICO the power to require production of documents.
Much of the Act (for instance, the provisions on digital identity, underground assets and smart data) relates to frameworks which are to be fleshed out and implemented via secondary legislation. The powers to make such secondary regulations became effective as soon as the Act became law, but it is not yet known when these powers will actually be exercised.
Most other provisions, including the GDPR changes, will come into effect on a future date (or dates) to be decided by the government, most likely within the next 12 months or so.
Who is affected?
Many of the provisions will affect most businesses, for example those exempting some uses of cookie data from the requirement for consent, and provisions relaxing some of the rules around legitimate interests processing and ADM.
Others will have more of an impact on particular sectors. For example:
- Social media companies and other online services companies will be affected by provisions compelling them to provide information to online safety researchers.
- The energy, utilities, mobility and infrastructure sectors will be affected by changes involving the NUAR and may also be impacted by the provisions on smart data schemes.
- The provisions on standardising information sharing across the NHS and softening of the research exception for personal data processing will have an impact on health and social care providers and their IT system suppliers.
What should organisations do?
As well as looking at any sector or business-specific changes needed, organisations will want to understand the impact of the changes on their businesses, beginning with familiarising themselves with the provisions (the Act is quite extensive) and then considering whether updates are needed to processes, policies and notices for affected areas such as ADM, legitimate interests processing, subject access requests and complaints, and cookie consents. They can also look at whether any contracts and training materials need to be updated, not forgetting to keep an eye out for promised guidance from the ICO.