The Data (Use and Access) Bill has now completed its journey through Parliament and has received Royal Assent as the Data (Use and Access) Act 2025. The Act introduces some of the most significant updates to UK data protection law since the UK GDPR came into effect.
Rather than replacing the UK GDPR or the Data Protection Act 2018, the new legislation will amend and build upon them, creating a more tailored framework in the UK. Businesses handling personal data should start reviewing their policies and procedures now, as the changes will impact how you manage compliance in several critical areas.
Key changes at a glance
- Legitimate interest assessments will be simplified by introducing “recognised legitimate interests”, easing compliance for specific public interest purposes such as ensuring network and information security and preventing fraud or financial crime, and for business administrative purposes (limited scope).
- International data transfers will be assessed against a new, less stringent test of “not materially lower” protection, potentially expanding global data sharing options.
- Data subject access requests (DSARs) will be subject to new “reasonable and proportionate” search standards, reducing the administrative burden.
- Cookie and marketing rules are being updated – some cookies may be exempt from consent, but enforcement powers and fines are increasing.
- Automated decision-making and AI rules will be relaxed, except for special category data, promoting innovation but requiring new risk controls.
- New frameworks for smart data and digital ID will enable more secure and efficient data sharing, opening doors to innovation and new services.
- Regulatory reform, with the Information Commission replacing the ICO and gaining broader enforcement powers.
What does this mean for you?
The changes will be rolled out over time, with further details to follow in secondary legislation. But businesses should not wait. Early action will reduce compliance risk, avoid disruption to data flows – especially internationally – and help build customer trust through proactive governance.
Our Senior Commercial Technology & Data Protection Solicitor, David Sant, comments:
Businesses should start to think about the potential changes and risks the Data (Use and Access) Act introduces, e.g., the potential introduction of new special categories of data and the regulator’s increased powers. Whilst some elements of data protection laws might be more relaxed, businesses should pay particular attention to the significant shifts such as increased penalties under PECR (whose rules on cookies and direct marketing catch many businesses). Preparing early can mitigate risk by helping your business plan ahead to adapt effectively, but we are still early in the process and could still see further changes to the proposed law – so keep a close eye and watch this space while we await further developments.
Our data protection solicitors are already supporting clients in preparing for the transition, including reviewing privacy notices, reassessing the legal bases for processing, updating international data strategies, and strengthening marketing compliance.
To explore the full legal implications and practical steps your business should take, read our in-depth guide to the Data (Use and Access) Act 2025.