Understanding the Data (Use and Access) Act 2025: Key Changes and What UK Businesses Need to Know

The Data (Use and Access) Act 2025 (“DUAA”) marks a significant reform in the UK’s data protection laws. After receiving Royal Assent in June 2025, the Act introduces vital changes that will affect how businesses handle personal data. The updates aim to streamline compliance processes, reduce administrative burdens, and foster innovation, while still upholding individuals’ data privacy rights.

In this article, we break down the essential provisions of the Data (Use and Access) Act 2025, including changes to Data Subject Access Requests (DSARs), the introduction of new lawful grounds for processing, and the broader impact on data processing practices. We will also highlight what businesses need to do to stay compliant and ready for these changes.

What is the Data (Use and Access) Act 2025?

The Data (Use and Access) Act 2025 is designed to modernise the UK's approach to data protection, aligning it more closely with emerging technologies and the digital economy. While the Act introduces several changes, its core provisions include:

  • Streamlined requirements for Data Subject Access Requests (DSARs).

  • New lawful grounds for Automated Decision-Making (ADM).

  • Expanded definitions for Legitimate Interests.

  • Broader scope for scientific research.

  • Simplified rules for international data transfers.

Key Changes Under the Data (Use and Access) Act 2025

1. Reasonable and Proportionate DSAR Searches

One of the most significant changes under the DUAA is the shift to "reasonable and proportionate" searches when responding to Data Subject Access Requests (DSARs). This change, effective from 1 January 2025, aims to ease the burden on businesses that previously had to conduct extensive searches across all systems to retrieve personal data.

Instead of searching every database or file system, organisations now only need to focus on areas most likely to contain the requested information. This change reflects the Information Commissioner’s Office (ICO) guidance, which already encouraged businesses to be reasonable and proportionate in their searches for information.

For businesses, this means:

  • Updating DSAR processes to ensure a balance between fulfilling the request and managing resources efficiently.

  • Implementing systems that can more easily identify and retrieve personal data.

  • Training staff* to recognise what constitutes a “reasonable and proportionate” search.

It’s worth noting that while the 'stop the clock' rule for extending the deadline for DSAR responses is expected to come into force later, businesses should continue to follow current best practices in responding to requests promptly.

*Contact us for our training packages.

2. Automated Decision-Making (ADM)

The DUAA introduces a new lawful ground for processing personal data in the context of Automated Decision-Making (ADM). Previously, businesses had to rely on explicit consent for processing personal data through ADM. Now, the Act allows for additional grounds such as fraud prevention and public safety.

This new provision significantly impacts sectors like finance, insurance, healthcare, and retail, where automated systems are used for profiling, credit scoring, or other decision-making activities. The key takeaway is that businesses can process personal data for these purposes without explicit consent, provided it’s necessary for the intended purpose and complies with data protection principles.

Key actions for businesses include:

  • Reviewing ADM processes to ensure transparency in how data is used to make decisions.

  • Ensuring individuals can challenge automated decisions and explaining the logic behind automated processing.

  • Aligning automated systems with data protection principles, especially fairness, transparency, and accountability.

3. Recognised Legitimate Interests for Data Processing

The legitimate interests ground for processing personal data has been expanded under the DUAA. Previously, legitimate interests were applicable to a limited range of processing activities, but the Act now recognises activities such as fraud detection, public health initiatives, and public safety as valid justifications for processing data.

This is a game-changer for businesses that rely on processing personal data for these purposes, as they no longer need to seek explicit consent or meet the stricter conditions for processing sensitive data. However, organisations still need to demonstrate that their legitimate interest outweighs the rights and freedoms of individuals.

For businesses, this means:

  • Reviewing existing processing activities to assess whether legitimate interests can be used as the lawful basis for processing.

  • Documenting the legitimate interest and performing a legitimate interest assessment (LIA) to demonstrate why the processing is necessary.

  • Balancing business objectives with data protection rights to ensure compliance.

4. Scientific Research Provisions

The DUAA broadens the scope of what qualifies as scientific research for data processing purposes. Previously, scientific research was more narrowly defined, but under the new legislation, the definition has been expanded to include both public and private sector activities that involve the processing of personal data for research purposes.

This change will benefit academic institutions, healthcare organisations, and companies involved in market research, as it provides more flexibility in how data is used for research and innovation. Notably, businesses engaged in research will have more leeway to use personal data without obtaining explicit consent, as long as the research meets ethical and regulatory standards.

For businesses involved in research, the following steps are recommended:

  • Update consent mechanisms to reflect the new definitions and provisions under the Act.

  • Ensure that research activities are conducted in compliance with data protection principles, particularly when personal data is used in research.

  • Implement safeguards to protect sensitive data in line with the ethical standards required by the Act.

5. International Data Transfers

Post-Brexit, the rules for transferring personal data outside the UK have been complex, but the DUAA simplifies the regulatory framework for international data transfers. The new provisions align with the UK’s broader data strategy and are designed to ensure that data continues to flow smoothly between the UK and other countries, while safeguarding individuals' privacy rights.

Organisations engaged in cross-border data transfers will now find it easier to navigate the compliance landscape, provided they meet the updated requirements.

Key actions for businesses include:

  • Reviewing international data transfer agreements to ensure they comply with the updated rules.

  • Staying informed about any future adequacy decisions or additional regulatory requirements concerning data transfers.

  • Updating data protection clauses in contracts with third parties involved in international data transfers.

[Figure: Summary of key changes, UK Data (Use and Access) Act 2025]

Implementation Timeline

While many provisions of the DUAA came into force immediately following Royal Assent in June 2025, several provisions will be implemented over the next year:

  • 1 January 2025: The requirement for reasonable and proportionate DSAR searches takes effect. Businesses must ensure that their DSAR processes comply with these new standards.

  • Autumn 2025: The ICO will publish new Codes of Conduct that will guide organisations in applying the new provisions related to DSARs, ADM, and legitimate interests.

  • Winter 2025/2026: Further guidance on international data transfers, automated decision-making, and scientific research will be released.

  • 19 June 2026: All provisions of the DUAA are expected to be fully implemented, with final updates to ICO guidance and regulations.

[Figure: Timeline, UK Data (Use and Access) Act 2025]

What Action Should Your Business Take?

To prepare for the changes introduced by the DUAA, businesses should:

  1. Review DSAR Procedures: Update your processes to ensure compliance with the "reasonable and proportionate" search requirements.

  2. Audit Automated Decision-Making: Ensure that your automated systems meet the new standards and provide individuals with the ability to challenge decisions.

  3. Document Legitimate Interests: If you're relying on legitimate interests for processing, conduct a legitimate interest assessment and document your justification for processing personal data.

  4. Adapt Research Protocols: Revise your research protocols to reflect the broader definition of scientific research and ensure compliance with ethical and data protection standards.

  5. Prepare for International Transfers: Review and update contracts and policies for international data transfers to align with the new rules.

Conclusion

The Data (Use and Access) Act 2025 is a game-changing development for UK businesses, providing both opportunities and challenges. By understanding the key changes in data protection and taking proactive steps to comply, businesses can ensure they maintain customer trust, reduce risk, and stay ahead of regulatory developments.

If your business needs guidance on implementing these changes or ensuring compliance, our team of experts is here to help. Contact us today to learn more about how we can support you through this transition.
