Legislation Enacted: Data (Use and Access) Act, Marking the Initial Modification to the UK's General Data Protection Regulation (GDPR)

The law extends beyond data privacy, enabling broad changes to how businesses use data

United Kingdom's Data (Use and Access) Act is now enacted, marking the first alterations to the UK's General Data Protection Regulation (GDPR) since its implementation.

The Data (Use and Access) Act 2025, passed on 19th June 2025, marks a significant shift in data protection laws in the UK. This legislation aims to modernise and streamline data governance, fostering innovation, enhancing security, and maintaining public trust in data usage.

One of the key changes brought about by the Act is the increased data portability and secure data sharing. Businesses can now participate in more efficient and innovative data sharing ecosystems across sectors like energy, telecoms, finance, and health, thanks to "smart data schemes" and "data intermediaries" that facilitate secure customer data sharing on request.

The Act also relaxes restrictions on Automated Decision-Making (ADM), broadening the scope for businesses to deploy AI and automated systems. While significant conditions and safeguards remain to ensure responsible use, the prohibitions on ADM are now limited to special category data and cases where there is no meaningful human involvement.

The Act simplifies compliance for legitimate interests, introducing the concept of "recognised legitimate interests." This eases compliance burdens in specific scenarios such as preventing fraud, ensuring network security, and business administrative tasks.

International data transfers are now assessed against a new, less stringent test of “not materially lower” protection. This potentially expands global data sharing options for UK businesses, facilitating international operations and innovation.

Data subject access requests will be subject to a new standard of "reasonable and proportionate" searches, reducing the administrative burden on businesses while maintaining data subject rights. Some cookies may be exempt from consent requirements, though enforcement powers and fines have been increased, impacting how businesses manage online marketing compliance.

The Act creates new frameworks for digital identity and smart data schemes, promoting innovation and more secure data exchanges. The Information Commissioner's Office is replaced by a new Information Commission with broader enforcement powers.

The Act paves the way for social media companies to provide information for third-party researchers into online safety measures. It also creates exceptions to the current cookie and tracking regulations for certain online services.

Organisations will need to understand the impact of the changes on their businesses, beginning with familiarising themselves with the provisions and then considering whether updates are needed to processes, policies, and notices for affected areas such as ADM, legitimate interests processing, subject access requests and complaints, and cookie consents. They can also look at whether any contracts and training materials need to be updated, not forgetting to keep an eye out for promised guidance from the ICO.

In assessing international transfers, the government can now decide if the transferee country's data protection standard is "not materially lower" than the UK's. Definitions of certain types of research are added to the GDPR, potentially widening the concept of "scientific research."

The Act creates a framework which will allow the introduction, via secondary legislation, of separate smart data schemes to address specific sector needs, such as in finance, utilities, and telecoms. During the parliamentary process, many amendments were made to the original draft bill, including changes regarding copyright and AI, children's data, charities marketing, and more.

The Act introduces a new lawful basis for processing: processing that is necessary in connection with a list of "recognised legitimate interests." The Office for Digital Identities and Attributes will oversee a standards framework for online digital verification services. Compliance with the standards framework will not be mandatory, but organisations that successfully apply will be awarded certification, included on a publicly accessible register, and entitled to display a "trust mark" to show they meet the standards.

Maximum fines for breaches of PECR will increase to GDPR levels, up from the current £500,000 limit. The government can bring in standards to enable interoperability and sharing of health-related data in the health and care sectors. IT suppliers will need to ensure that their systems meet common standards to enable data sharing across platforms. The Act clarifies that individuals can consent to their data being used for more than one type of scientific research.

This legislation represents the most significant update to UK data protection law in years, emphasising better data use aligned with innovation and security needs. Businesses handling personal data in the UK should review their compliance strategies to adapt to these significant regulatory shifts.

  1. The Data (Use and Access) Act 2025, with its focus on technology, has introduced smart data schemes and data intermediaries to facilitate secure customer data sharing, thereby fostering innovation across various sectors such as energy, telecoms, finance, and health.
  2. Regarding data privacy, the Act has relaxed restrictions on Automated Decision-Making (ADM) and expanded global data sharing options for UK businesses, ultimately promoting innovation and streamlining processes in line with modern technology.
