The Data (Use and Access) Act 2025: What You Need to Know

Discover what the new Data (Use and Access) Act 2025 means for your organisation. Learn about key updates to UK GDPR, DSARs and data governance.

The Data (Use and Access) Bill has now reached Royal Assent and will soon be officially enacted as The Data (Use and Access) Act 2025. This new legislation marks a significant milestone in the UK’s data protection law, modernising how data is accessed, used and governed in a post-Brexit digital economy.

A Long Road to Reform

This Act is the result of years of political and regulatory debate. Originally introduced as the Data Protection and Digital Information (DPDI) Bill back in 2022, the Bill stalled and ultimately failed to pass before the 2024 general election.

Later that year, the new Labour government revived and revised the Bill, reintroducing it as the Data (Use and Access) Bill. While many of the original provisions remained intact, some of the more contentious elements were removed to encourage broader support across Parliament.

However, its progress was anything but smooth. The Bill faced prolonged debate between the House of Commons and the House of Lords, especially around issues like AI transparency and the use of copyrighted material in AI training. After considerable back and forth, the government agreed to publish detailed reports on these topics within nine months of the Act becoming law.

Evolution, Not Revolution

The Data (Use and Access) Act 2025 is not a radical rewrite of data protection law. Instead, it builds upon the Data Protection Act 2018 and UK GDPR, updating and refining specific areas to meet the evolving needs of UK organisations and regulators.

Key features of the Act include:

  • Clearer guidance on Legitimate Interests for data processing, particularly in areas such as direct marketing, fraud prevention and security operations

  • An expanded definition of scientific research, offering greater clarity for academic and commercial researchers

  • Revisions to the Data Subject Access Request (DSAR) process, designed to simplify and streamline requests for both individuals and organisations

  • Changes to the structure of the Information Commissioner’s Office (ICO), supporting a more strategic and agile approach to regulation

  • New powers for the Secretary of State to decide which countries offer adequate data protection, using a standard of “not materially lower” than the UK’s

These updates offer more flexibility for data controllers but also introduce new uncertainties. For example, altering how adequacy decisions are made may raise questions with the European Commission, which is scheduled to review the UK’s adequacy status later this year.

What This Means for Your Business

With the Act now confirmed, businesses must begin to prepare for the changes. However, the implementation date has not yet been set, and detailed regulatory guidance is still pending.

So, what should you do now?

Here are some recommended next steps:

  • Talk to your Data Protection Officer (DPO): Understand how the Act may impact your organisation’s data handling practices.

  • Hold off on major changes: Avoid rushing into policy updates until official guidance is published by the ICO.

  • Review your current compliance position: Pay special attention to areas like legitimate interest assessments, research practices and your DSAR handling procedures.

  • Strengthen your data governance framework: Use this to identify improvements, reduce risk and ensure your systems are fit for the future.

At Data Protection People, we help organisations navigate change with clarity and confidence. As the UK’s data protection framework evolves, our goal remains the same: to make data protection simple, practical and effective.

Stay tuned for further updates as we provide actionable insights tailored to your sector.