The Data (Use and Access) Act 2025: What Lawyers Need to Know Now

On 19 June 2025, the Data (Access and Use) Bill received Royal Assent, becoming the Data (Access and Use) Act 2025 - a major development in the UK’s evolving data regulation landscape. For anyone who works with data, this Act is far more than just a technical update; it is a set of clarifications and extensions to the law and a reshaping of responsibilities and business practices concerning data. Businesses will welcome some parts but not others.

The Act redefines legal obligations and operational realities for organisations handling personal data. For lawyers, mastering this Act is not optional - it’s critical to delivering informed, effective counsel in the digital economy. But this knowledge is not just for lawyers, understanding its provisions is essential for all those who use or possess personal data.

What is the Data (Access and Use) Act 2025?

The Act’s primary objective is to unlock the value of data for economic growth and innovation, while modernising how data is accessed, shared and protected. But its significance goes further - it amends core data protection laws, including:

  • The UK GDPR
  • The Data Protection Act 2018
  • The Privacy and Electronic Communications Regulations (PECR)

This makes the Act one of the most important legal reforms in UK data law in recent years.

Key features and reforms

Here’s what makes this legislation essential reading:

Amendments to UK GDPR, DPA 2018, and PECR:

  • Allowable processing reasons: Clearer lawful bases for processing, including an expanded scope for legitimate interests.
  • Purpose limitation: Different criteria for re-purposing data.
  • Automated decision-making: New boundaries and safeguards for automated profiling and decisions, including those driven by AI.
  • Cookies and tracking: Updates to consent and transparency requirements, impacting marketing, analytics, and online services.
  • Web scraping and deepfakes: New provisions addressing data collection from public sources and synthetic content risks.

New data access and digitisation measures:

  • Smart data schemes: Legal frameworks for giving consumers easier, safer access to their data across sectors (e.g. finance, utilities).
  • Digitisation of the Births and Deaths Register: A shift to fully electronic records.
  • Electronic National Asset Register: Enhanced tracking of government-owned assets.

Oversight and enforcement:

  • Enhances the ICOs existing powers and gives it new duties and reporting requirements.

Why you need to engage with this Act

The Act presents sweeping changes that require legal and business professionals to:

1.     Interpret and apply amended laws

Those using or possessing personal data must understand how the Act modifies UK GDPR, DPA 2018, and PECR - including:

  • New statutory grounds for data processing
  • Adjusted rules on consent, cookies, and tracking
  • Revised conditions for legitimate interests
  • Enhanced scrutiny of automated decisions and AI applications.

2.     Prepare for potential EU implications

The Act’s divergence from EU data law raises questions about the UK’s adequacy status under EU GDPR. It’s important to consider:

  • Whether changes risk undermining the UK's adequacy finding.
  • What this means for cross-border data flows.

3.     Advise on compliance and governance

Organisations should consider:

  • Updating privacy notices, data sharing agreements and policies.
  • Implementing revised consent mechanisms and data access controls.
  • Engaging confidently with regulators under the new framework.

4.     Navigate commercial and operational impacts

M&A, outsourcing, data commercialisation and technology contracts must now consider:

  • The expanded lawful uses of data.
  • The value (and limitations) of data assets under the new regime.
  • Smart data and national registers as potential data sources or compliance requirements.

Practical steps for legal teams and business professionals

  • Review the Act’s clauses and their effect on your sector.
  • Assess how amended UK GDPR, DPA 2018, and PECR provisions affect existing operations.
  • Monitor EU adequacy discussions to pre-empt cross-border challenges.
  • Prepare revised documentation, including consent forms, contracts and governance policies.

Learn more: In-depth training opportunity

Join our expert trainer, Mark Weston, to be guided through:

  • The clauses of the Act and their legal consequences.
  • How each clause amends the UK GDPR, Data Protection Act 2018, and PECR.
  • The implications for the UK’s adequacy status with the EU.
  • The key changes introduced and the current legal position.

Find out more about The New Data (Use and Access) Act training course here.

 

Published on Jul 10, 2025 by Angela Spall