What you need to know about the Data (Use and Access) Act

Finally, as of 19 June 2025, the UK’s data reform Bill received Royal Assent and the long awaited Data (Use and Access) Act (the Act) has come into being.

When will all of the changes come into force?

While a handful of provisions came into force on Royal Assent (19 June 2025), such as the need for SAR searches to be reasonable and proportionate (which is in fact back dated to 1 January 2024), and some will come into force shortly thereafter (19 August 2025), such as changes to the ICO’s ability to send notices and request documentation, the majority of the Act will be brought into force by secondary legislation being laid before Parliament.

It is worth reading section 142 to see exactly what is in force, and when.

According to the ICO’s recent announcement, the provisions will be brought in over 2, 6 or 12 months, although their guess is as good as any.

What is not changing?

With all the different proposals floating around in three previous Bills, some may be confused by what is in and what is out. Before we explain what is in, it is worth noting the following:

DPOs, ROPAs, DPIAs and UK representatives are here to stay;
there is no change to the definition of “personal data” (meaning major aspects of the UK GDPR remain aligned with the EU GDPR in this regard); and
the proposal to change the threshold allowing data controllers to refuse to respond to “vexatious or excessive” data rights requests has gone.

What is going to change?

Click on each topic below to find out what is changing and how it will impact your organisation.

Automated decision making

add

Automated decision making (ADM) (Section 80)

What is the change?

This is probably the biggest change in the Act, and in essence in the UK, unless special category data is involved, ADM will now move from a regime based on prohibition with exceptions (i.e. currently only limited lawful bases can be relied upon for ADM), to one that is based on permission but with safeguards (i.e. broadly all and any lawful bases can be used for ADM). Further the safeguards are those which we are all used to i.e. transparency, explainability and contestability.
As a general further point, the Act also arguably relaxes the definition of what is solely automated and possibly brings a few decisions previously thought of as ADM out of scope.

How will this impact your organisation?

We suspect this change will be welcome by a number of organisations, particularly those currently using ADM in scenarios where decisions are likely to have a significant or legal effect, such as recruitment.
The change will mean that certain decisions (particularly those that don’t involve the processing of special category data) may no longer be subject to the more severe restrictions on automated decision-making.
Organisations will still need to ensure the appropriate safeguards are in place for significant decisions, such as: the right to human intervention, the ability to contest the decision, transparency about the logic and criteria used etc.
We nevertheless consider that this change could be a significant game changer for use of AI decision making tools in the UK (making it easier and possibly therefore more widespread).
However, given the regulatory attention and guidance on AI decision making (especially currently in the recruitment space), it will be interesting to see how this develops and whether this change will even come into effect.
The ICO has announced that it will be reviewing its Automated Decision Making (ADM) and Profiling Guidance, in light of these changes, with a public consultation expected later this year and the final guidance due for publication in Winter 2025/2026.
As these provisions are a departure from the EU position, they may attract attention from privacy campaigners who will likely view this as a lower standard of protection than under the GDPR; it will be interesting to see what impact this will have on the UK’s adequacy, which is currently under consideration by the EU Commission.

Data rights

add

Data transfers

add

Digital verification services (DVS)

add

e-Privacy

add

e-Privacy (Sections 109 – 116 and Schedule 12)

What is the change?

How will this impact your organisation?

It is fair to say that the ICO has a relatively low tolerance for PECR breaches and this is where we see the most active enforcement from the ICO. Fines to date under PECR have not been eyewatering given the current cap under PECR of £500k but this is of course set to change. Organisations who therefore take a risked based view on PECR requirements particularly in respect of their marketing campaigns should be reconsidering their risk profile given the stakes are becoming significantly higher for non compliance!
While the changes to the cookie regime will be likely welcomed in some respects, greater obligations will be placed on instigators of tracking technologies which is likely to cause some confusion as well as require changes to terms and conditions.
The current changes do not provide the much longed get out for ad measurement tracking technologies so we suspect we will see some pressure on the Secretary of State to update the list.
Further, while use of basic analytics tracking technologies will no longer require opt in consent, users will still need to be provided with an opt out which means organisations will not be given a carte blanche to use analytics. It will also mean organisations will need to make it easier for users to opt out of cookies more generally.
Charities will no doubt welcome the changes to the soft opt in although we suspect requiring an opt out in every message might limit its practical impact.

IC’s new powers

add

Information Commission (IC)

add

Legitimate interests

add

Purpose limitation

add

Smart data schemes

add

Smart data schemes (Part 1)

What is the change?

A new framework will be established to allow for the sharing of customer data at the customer’s request with authorised third-party providers, so that the authorised third-party can use data to provide services to the customer.
It has been suggested that this change is an attempt to reinvigorate data portability. However, the provisions relating to smart data schemes are much broader and more ambitious in scope than the existing portability provisions, as they are not limited to personal data and also cover data relating to goods, services or content provided by a trader to a customer (such as information relating to pricing, usage, performance and quality). Furthermore, the UK Government has suggested that the existing portability provisions do not go far enough to enable the real time provision of customer data from data holders to third parties that is necessary for functioning smart data schemes (based on comments made by the UK Government in its Explanatory Notes to the Bill when it was first proposed).
There are also provisions for the sharing of business data (defined as information relating to goods, services and/or content provided by a trader) to help drive innovation and competition, e.g. by allowing smaller or new businesses to access data previously held by large incumbents.

How will this impact your organisation?

The driver behind these schemes is to encourage the development of new and innovative data-driven services in order to increase competition and innovation, reduce costs, save time for consumers switching, increase the quality of services, improve the security of data sharing and ultimately increase trust in data sharing mechanisms. The best existing example of what the UK Government is looking to achieve with these proposals is Open Banking, which allows UK consumers and businesses to allow authorised third parties to access their banking data to provide financial services – but the UK Government now hopes to expand this beyond the financial services sector and into other sectors such as energy.
While the UK approach is arguably similar to legislation related to data sharing in the EU, it is wider in scope in that it is not limited to the public sector like the Data Governance Act, nor limited to connected tech, i.e. IoT, like the Data Act.
However, as these provisions set up the framework to allow the Secretary of State and the Treasury to establish the schemes, the details around specific schemes are yet to be set out in secondary legislation. Therefore for now, it is a question of wait and see.

Special category data

add

How can we help?

We will be writing some more in depth articles in due course on areas such as the Article 22 ADM changes and the practical changes you may wish to implement in your SAR processes. We also are running a number of tailored training sessions for clients and as always will be on hand if clients have any specific questions.

Therefore, if you have any special questions on any of the above, would be interested in us running a training session, or would like help to become DUA Act ready, please feel free to reach your LS contact.

Additionally, we will be hosting a webinar in September to explore the changes and how they will impact your business. Register here.

When will all of the changes come into force?

What is not changing?

What is going to change?

Automated decision making

Automated decision making (ADM) (Section 80)

Data rights

Data rights (Sections 75 – 79 and 103)

Data transfers

Data transfers (Section 85 and Schedule 7)

Digital verification services (DVS)

Digital verification services (DVS) (Part 2)

e-Privacy

e-Privacy (Sections 109 – 116 and Schedule 12)

IC’s new powers

IC’s new powers (Sections 97 – 105)

Information Commission (IC)

The IC – formerly known as the ICO (Part 6 and Schedule 14)

Legitimate interests

Legitimate interests (Section 70)

Purpose limitation

Purpose limitation (Section 71)

Smart data schemes

Smart data schemes (Part 1)

Special category data

Special category data (Section 74)

How can we help?

Authors