Understanding the Data Use and Access Act: What Practitioners Need to Know
Introduction: What is the Data Use and Access Act?
The Data Use and Access Act represents the most significant developments in UK data legislation in recent years. Passed into law 19 June 2025, the Act is part of the UK Government’s wider ambition to promote innovation and economic growth through more efficient data use, while maintaining public trust . The jury is out on whether this has been achieved, with many vocal critics.
The aim of the law was to update and simplify the UK’s data protection landscape following Brexit, and adjusting the balance the needs of businesses and public sector bodies with individual data rights. It introduces key regulatory changes that data protection professionals, and organisational leaders must understand in order to remain compliant and competitive. It amends the UK GDPR, DPA 2018 and PECR 2003.
Whilst only a single feature went into operation upon its passing, commencement regulations are bringing ichanges in stages through 2026.
Key Changes Introduced by the Act
The Act brings a range of changes to data governance, data protection, and digital rights in the UK. While the overarching goal is to reduce unnecessary red tape and increase clarity, the impact on compliance strategies could be substantial. Key changes include:
1. Redefining Lawful Grounds for Processing
The Act expands the list of recognised legitimate interests for which personal data can be processed without the need for Legitimate interests assessments. This includes purposes like national security, safeguarding, and certain business operations.
2. Automated Decision-Making
There is a more nuanced framework around automated decision-making (ADM) and profiling. While the general right to human intervention remains for special category data, the Act provides easier uses of ADM in practice, especially in high-risk contexts.
3. Subject Access Requests (SARs)
The rules for responding to Subject Access Requests have been clarified to allow organisations greater flexibility in managing requests.
4. Reform of the UK Regulator
The Information Commissioner’s Office (ICO) will be replaced by the newly formed Information Commission (IC), with a revised governance structure aimed at greater accountability to parliament.
5. Scientific Research & Secondary Use
The Act introduces clearer pathways for using personal data in scientific research and compatible secondary processing, such as re-using data collected for one purpose for another legitimate goal, provided suitable safeguards are in place.
6. International Data Transfers
Clarifications and adjustments have been made to facilitate cross-border data flows, including changes to adequacy regulations and risk assessments, aiming to make it easier for UK businesses to operate globally.
7. PECR changes
The enforcement scheme for PECR brought into line with UK GDPR, and create minor changes to the placement of cookies with new categorisations and consent adjustments.
Why Practitioners Need to Understand These Changes
For data protection officers, compliance managers, IT leads, and legal teams, understanding the implications of the Data Use and Access Act is not optional — it’s essential.
-
Operational Impact: Changes in exemptions able to be claimed, profiling, SARs, and data sharing will likely affect policies, training, contracts, and day-to-day decision-making.
-
Strategic Opportunity: For organisations that wish to embrace the changes, there is the potential to claim exemptions to frustrate the rights process.
-
Cultural Shift: Practitioners must guide their organisations through this shift while ensuring ethical and responsible use of personal data.
Next Steps for Organisations
To prepare for the Act’s implementation, organisations should:
-
Review and update privacy policies and data governance frameworks.
-
Train staff on relevant changes, especially those involved in data processing and complaints process.
-
Conduct impact assessments to understand how changes affect internal processes.
-
Engage with legal and data protection experts to ensure full alignment with the new regulatory environment.
Conclusion
The Data Use and Access Act is more than a legislative update —its an inflection point for organisations to choose whether to follow the EU an global approach or adopt the exceptions granted in the UK.
Join us on the 15th August for a half day practitioner workshop to learn more: Data (Use and Access) Act 2025 – Specialist Skills