A Brief Guide to the UK Data (Use and Access) Act 2025
by Carl Spencer-Spear, July 2025
The UK has updated its data protection laws for the first time since Brexit. On 19 June 2025, the Data (Use and Access) Act 2025 received Royal Assent and became law, marking the UK’s first step away from the data protection laws and principles established by the European Union, most recently under the General Data Protection Regulation (GDPR).
Download this latest article from Carl Spencer-Spear to find out more about what's changing, or read on below:
A Brief Guide to the UK Data (Use and Access) Act 2025
The new Act reshapes the UK’s data landscape with a more flexible, innovation-friendly framework, while keeping privacy front and centre. In some areas, the GDPR requirements are softened, to reduce the imposition on the time and resources of businesses. However, in others, the rights of the individual have been strengthened and there will be new requirements for businesses to comply with.
In this guide, we highlight the biggest changes and the impact they could have on your data protection practices.
One important caveat: this applies to UK data processing activities only. If you do business in the EU and/or process personal data pertaining to EU residents, the EU GDPR will continue to apply to that data.
What laws have already come into effect?
A few provisions of the new Act came into force immediately, including reforms to data subject access requests.
The subject access request changes reduce the time and effort required for businesses to comply with data subject access requests. Moving forward, organisations only need to conduct “reasonable and proportionate” searches when handling DSARs. There's also a new “stop-the-clock” mechanism, giving companies a pause to the one-month deadline for responding, while they wait for request clarification from the individual regarding their request. This aims to reduce the administrative burden on businesses while preserving transparency for individuals.
You should consider reviewing your policy around dealing with subject access requests to reflect the new law, particularly if you receive a large number of requests. If you would like help with this, please contact us.
What other changes are on the way?
Most of the changes introduced by the Act, especially those that will require positive action by businesses, will be introduced in phases. Expect updates around:
Automated Decisions: Loosened Restrictions
The Act refines the rules on automated decision-making. Fully automated decisions using special-category data (e.g., health, race) remain restricted. But in most everyday scenarios, automated tools can now be used with fewer regulatory hurdles—as long as there’s some level of human oversight.
There is an element of overlap here with the growth of artificial intelligence, to allow automated processes to be deployed more easily, though we expect separate legislation regulating the use of AI to be implemented by the Government in the next year or two.
Again, this change reduces the burden on businesses but may require you to assess your policy regarding the use of automated decision-making and update it to reflect the new requirements, so you are not ruling out automated decision-making or going through detailed assessments unnecessarily.
Legitimate Interests: Now Recognised by Default
The Act introduces a new list of “recognised legitimate interests”, such as fraud prevention or safeguarding public health. For these purposes, businesses won’t need to perform a balancing test, simplifying compliance.
If the purpose for which you are processing personal data is listed in the “recognised legitimate interests” Annex, you can rely on that legitimate interest without needing to perform a legitimate interests assessment. At the moment, the list is short and relates primarily to ‘public’ functions like preventing crime and safeguarding vulnerable individuals, though the list could be expanded in future.
Dealing with Complaints: Requirement for a Complaint Procedure
One of the key new requirements, rather than the softening or hardening of existing requirements, is that businesses that process personal data will need to provide individuals with the means to make a complaint, such as a complaints form that can be completed electronically and by other means.
Businesses will need to acknowledge any complaint within 30 days and must without undue delay (a) take appropriate steps to respond to the complaint, and (b)inform the complainant of the outcome of the complaint. Appropriate steps include making enquiries regarding the complaint and keeping the complainant informed about progress on the complaint.
The Act leaves the door open for the addition of a requirement to report the number of complaints to the supervisory authority, though this will not become law without further action being taken by the Government.
It isn’t known yet when this requirement will come into force. When the time comes, we will be happy to assist in updating policies to reference the right to complain.
Cookies & Direct Marketing: Slightly Easier Rules
Some consent requirements for cookies (especially for analytics or essential functionality) will be relaxed. Likewise, direct marketing rules will be simplified, but businesses should expect stronger enforcement when things go wrong.
In theory, the softening of the cookie requirements means that detailed cookie notices and consent boxes could be a thing of the past but, in practice, most website operators that comply with the detailed notice requirements are likely to be operating in the EU as well, meaning the full requirements will still apply (unless the website is localised for other regions and the UK version is geo-fenced).
International Data Transfers: A New Standard
The UK is moving away from the EU’s “essentially equivalent” approach. Under the new Act, data transfers to third countries only need to meet a “not materially lower” threshold. This change could unlock faster deals with international partners and processors, while making sure that individual privacy and rights are protected.
Final thoughts and action points
The Data (Use and Access) Act 2025 represents a finessing of the data protection regime rather than a complete rewrite, with a few softened edges to reduce the burden of compliance, and changes to reflect the fast-moving IT and data landscape.
Other than the changes to subject access requests, which came into effect immediately, the implementation dates for the new laws are not yet known, making it difficult to recommend making changes right now. However, here are some things to think about and prepare for over the coming months.
Review your data protection policies and procedures regarding how you deal with subject access requests and update it if necessary. Also, make sure your team knows about the new “reasonable and proportionate” standard and how to pause the clock on the time for responding to a request while awaiting clarification.
Consider revisiting how you’re using legitimate interests, cookies, and automated tools, and if your privacy policy and internal policies need updating. Also, be prepared to update your privacy policy and internal procedure to comply with new right to complain.
As most of the changes still need to be "switched on" via further regulations, keep an eye out for updates from us and other sources (including the Information Commissioner) for further guidance and commencement orders, which can be expected starting this summer through to early 2026.
Have questions or need help preparing? Let’s chat. This is a great moment to get your house in order before the full implementation hits.