Guidance

Data (Use and Access) Act 2025: data protection and privacy changes

A summary of changes to the UK’s data protection and privacy legislation in the Data (Use and Access) Act.

Overview

The Data (Use and Access) Act 2025 (“DUAA”, “the Act”) received Royal Assent on 19 June 2025. This is a wide-ranging Act which includes provisions to enable the growth of digital verification services, new Smart Data schemes like Open Banking and a new National Underground Asset Register. It also includes some important changes to the UK’s data protection and privacy legislation, which are the subject of this page.

The DUAA will not replace the UK General Data Protection Regulation (“UK GDPR”), Data Protection Act 2018 or the Privacy and Electronic Communications (EC Directive) Regulations 2003, but it will make some changes to them to make the rules simpler for organisations, encourage innovation, help law enforcement agencies to tackle crime and allow responsible data-sharing while maintaining high data protection standards.

This page covers the key changes. It is not a comprehensive list of all the data protection measures in the Act and is not regulatory guidance or legal advice. The Information Commissioner’s Office (“ICO”) is responsible for publishing regulatory guidance on its website - www.ico.org.uk.

Key changes 

1. Automated decision-making (ADM)

The DUAA creates a more permissive framework under the UK GDPR for organisations to make decisions based solely on automated processing that have legal or similarly significant effects on individuals. Organisations will be able to make such decisions in wider circumstances but must implement certain safeguards. These include:

  • providing people with information about significant decisions made about them
  • enabling them to make representations about and to challenge such decisions
  • and enabling them to obtain human intervention in respect of such decisions

The Act broadly mirrors these provisions and safeguards across the law enforcement regime in the Data Protection Act 2018. However, for those processing under the law enforcement regime, the Act provides for an exemption to the safeguards for certain, limited, reasons, such as to safeguard national security, or to avoid the obstruction of an inquiry. The exemption applies only as long as the decision is reconsidered as soon as reasonably practicable after it is taken, and the reconsideration involves meaningful human involvement.

2. Subject Access

The DUAA clarifies the time limits for organisations to respond to subject access requests (requests by individuals to access and receive a copy of their personal data). It includes a “stop the clock” rule, allowing organisations to pause the response time if they need more information from the requester. Once they get the information they need, the response time continues. Organisations need to make reasonable and proportionate searches when responding to requests.

3. Children’s Data Protection

New rules require certain online services likely to be accessed by children to consider how to protect and support them when designing these services.

4. Scientific Research

The DUAA clarifies that scientific research may include commercial research. It allows researchers to seek consent for broad areas of related research and clearly outlines the safeguards required for using personal data in research.

5. Recognised Legitimate Interests

The Act introduces a new lawful ground for processing personal data, giving businesses more confidence to use data for crime prevention, safeguarding, responding to emergencies, and other specified legitimate interests.

6. International Data Transfers

The Act simplifies the rules and provides necessary clarification for transferring personal data internationally.

7. Responding to Complaints

The DUAA requires organisations to handle complaints from individuals who are concerned that the way their information is used breaches the data protection legislation, for example by providing an electronic complaint form, and informing the individual about the outcome of a complaint.

8. Storage and Access Technologies (such as cookies)

The Act allows the use of storage and access technologies without explicit consent in certain, low-risk situations.

9. Changes to Parts 3 and 4 of the Data Protection Act 2018

The DUAA amends Parts 3 and 4 of the 2018 Act which regulate law enforcement processing and processing by the intelligence services. Some of these amendments mirror key changes being made to the UK GDPR, ensuring consistency across the data protection regimes. Others simplify the legislation, enabling those processing under the law enforcement regime to operate more efficiently and supporting closer working with the UK intelligence agencies to safeguard national security.

When to expect these changes to take place

The changes to data protection law will be commenced in stages, 2 – 12 months after Royal Assent. Exact dates for each measure will be set in commencement regulations. Information about the commencement regulations will be provided on GOV.UK when it is available.

Data (Use and Access) Act factsheets: what has changed

Useful websites

Parliamentary information and supporting documents about the Data (Use and Access) Act can be found at: https://bills.parliament.uk/bills/3825

Legislation

Data (Use and Access) Act 2025

Links to commencement regulations will be provided on GOV.UK.

The DUAA will amend (update) the below legislation. The updated legislation will be available within approximately 2 months of Royal Assent of the DUAA.

Data Protection Act 2018

UK General Data Protection Regulation

The Privacy and Electronic Communications (EC Directive) Regulations 2003

Information Commissioner’s Office (ICO) guidance

ICO plans for new and updated guidance.

Updates to this page

Published 27 June 2025
