Latest GDPR and DPA Changes Under the UK’s Data Use and Access Act

Introduction

The UK’s Data Use and Access Act 2025 represents one of the most significant reforms to the UK data protection framework since the implementation of the UK GDPR and the Data Protection Act 2018. This legislation is designed to strike a careful balance between data protection, innovation, and regulatory pragmatism, reflecting the UK government’s ambition to modernize its approach while safeguarding individuals’ rights.

The Access Act 2025 introduces substantial updates to data protection laws, particularly around data subject rights, automated decision-making, and international data transfers. It also addresses new and evolving areas of concern, such as digital verification services, smart data schemes, and the national underground asset register. For UK businesses, these changes mean adapting existing policies and practices to ensure compliance while also leveraging the new flexibilities provided under the Act.

Overview of the Data Protection Act

The Data Protection Act 2018 (DPA 2018) continues to serve as a cornerstone of the UK’s data protection regime. Together with the UK GDPR, it establishes the rights of data subjects, the duties of data controllers, and the enforcement powers of the Information Commissioner’s Office (ICO). The Data Use and Access Act 2025 does not replace these laws but adds a new layer of rules and clarifications to address gaps that have emerged in recent years.

The Access Act 2025 introduces key innovations such as recognised legitimate interests as a lawful basis for processing, reforms to subject access requests, and new standards for international transfers of personal data. Importantly, the Act also makes room for scientific research purposes, commercial research, and public interest initiatives by broadening the scope of lawful processing under specific circumstances.

For UK businesses, this means the regulatory landscape is becoming more bespoke and diverging further from the EU GDPR. While existing guidance remains relevant, secondary legislation and new regulatory guidance will provide the clarity needed to implement these changes effectively.

Understanding Data Protection Laws

The UK’s data protection laws now consist of three main pillars:

  • The UK GDPR, setting the baseline for personal data protection.
  • The Data Protection Act 2018, covering areas such as law enforcement processing and special category personal data.
  • The Data Use and Access Act 2025, which refines and expands the framework.

The digital information bill originally proposed many of the reforms that are now enshrined in the Access Act 2025. As a result, the UK law has moved toward a more flexible approach that aims to reduce administrative burdens while preserving essential rights.

However, businesses face challenges in navigating overlapping obligations. They must respect the purpose limitation principle, ensure compliance with electronic communications regulations on direct marketing, and adapt to new rules around the use and access of personal data. To do this effectively, organisations will rely heavily on updated ICO guidance, legitimate interest assessments, and sector-specific research provisions.

Data Subject Access Requests and Automated Decision Making

One of the most practical changes introduced by the Act relates to data subject access requests (DSARs). While the right of access remains, the Act now requires reasonable and proportionate searches rather than exhaustive retrieval of all records. This is intended to reduce administrative burdens on organisations, particularly where large datasets are concerned, while ensuring that data subjects can still exercise their rights meaningfully.

Equally important are the reforms around automated decision making (ADM). The Act permits solely automated decision-making in limited circumstances, provided that there is meaningful human involvement and that mechanisms for human intervention are available. For special category personal data, such processing is restricted to situations with clear appropriate safeguards, explicit consent, or another lawful basis.

Businesses must now provide transparency regarding such processing by explaining when automated decision-making occurs, the logic involved, and the consequences for individuals. Crucially, data subjects retain the right to request human intervention, reinforcing the commitment to safeguard against unfair or harmful outcomes.


Role of Data Controllers and Data Protection

Data controllers remain central to the functioning of the UK’s data protection framework. Under the Access Act 2025, their responsibilities expand to include:

  • Ensuring timely responses to subject access requests.
  • Implementing appropriate safeguards for international transfers.
  • Documenting legitimate interest assessments when relying on recognised legitimate interests.
  • Maintaining up-to-date training for staff handling personal data.

The Act emphasizes accountability, requiring organisations to demonstrate compliance with existing obligations and new requirements. For instance, in cases of further processing of personal data, controllers must prove compatibility with the original purpose under the purpose limitation principle.

Controllers must also be prepared for data protection complaints via the new electronic complaints form, which streamlines the way data subjects raise issues. This development underscores the importance of internal complaint-handling procedures to prevent escalation to the Information Commissioner’s Office.

International Data Transfers and Data Use

A headline change under the Act is the introduction of a new data protection test for international data transfers. Rather than requiring “essential equivalence” as under the EU GDPR, the UK test demands that protections in the recipient country are “not materially lower” than those under the UK data protection regime.

This adjustment provides greater flexibility for UK businesses engaging in data transfers to countries of concern, provided they implement appropriate safeguards. However, organisations must still carry out transfer risk assessments, ensure transparency, and justify their decisions if challenged.

In addition to transfer rules, the Act expands permissions for scientific research purposes and commercial scientific research. Broad consent is now permitted where personal data is collected for research purposes, reducing administrative hurdles while maintaining ethical standards. The law explicitly recognises the economic and societal value of commercial research and public interest research, provided that safeguarding vulnerable people remains a priority.

Rights of the Data Subject

The Access Act 2025 strengthens data subject rights in several ways. Data subjects retain core rights such as:

  • Access to their personal data.
  • Rectification of inaccurate data.
  • Erasure of personal data under specific conditions.
  • The right to object to certain types of processing, including direct marketing.

New provisions include the right to submit complaints through an electronic complaints form and the ability to escalate unresolved concerns to the ICO. The Act also introduces measures to enhance protections for children, aligning with existing ICO guidance on safeguarding minors in online services and information society services.

Furthermore, the law clarifies how data subject rights apply to solely automated decision-making. Individuals now have an explicit right to human intervention, ensuring that such processing does not undermine fairness or accountability.

Enforcement Powers and the Access Act 2025

The Access Act 2025 equips the ICO with expanded enforcement powers. The regulator can now impose fines of up to £17.5 million or 4% of global turnover, consistent with the penalties under the UK GDPR. Additionally, the ICO has broader authority to:

  • Conduct on-site inspections and investigations.
  • Issue binding instructions to data controllers.
  • Compel production of documents or testimony.

The Act also introduces new criminal offences, including the non-consensual creation or distribution of AI-generated intimate images. This reflects the growing concern around the misuse of emerging technologies in ways that impact data protection and public security.

For businesses, compliance is not just about avoiding penalties; it is also about protecting brand reputation. Data protection complaints, if poorly managed, can quickly escalate into enforcement action, legal liability, and reputational damage.


Compliance with the Access Act and Data Transfers

To comply with the Access Act 2025, businesses should take immediate steps to review and update their data protection policies. This includes:

  • Conducting updated data protection impact assessments.
  • Reviewing all international transfers under the new data protection test.
  • Updating privacy notices to reflect new subject access request rules.
  • Implementing internal training programs focused on automated decision-making and human intervention.

Organisations must also account for the interplay between the Access Act, the UK GDPR, and the Data Protection Act 2018. While the Act introduces flexibility, it also creates areas where businesses must carefully interpret overlapping obligations. Relying on existing ICO guidance, future secondary legislation, and industry-specific regulatory guidance will be essential.

Ultimately, the goal is to maintain a high standard of data protection while reducing administrative burdens and fostering innovation. Businesses that adapt early will benefit from both regulatory compliance and competitive advantage.

Conclusion

The Data Use and Access Act 2025 marks a pivotal evolution in the UK’s data protection framework. By introducing concepts like recognised legitimate interests, refining rules around automated decision-making, and reshaping the standards for international data transfers, the Act reflects a modern and pragmatic approach to data regulation.

For UK businesses, the message is clear: compliance requires proactive adaptation. From managing subject access requests with reasonable and proportionate searches to conducting legitimate interest assessments, organisations must integrate these changes into daily practice. At the same time, enhanced data subject rights and expanded ICO enforcement powers underline the continuing importance of accountability and transparency.

As the UK builds a distinct data protection regime, the Access Act 2025 ensures that personal data is safeguarded while enabling responsible use and access for innovation, research, and public interest. Businesses that embrace these reforms will not only meet their existing obligations but also strengthen trust with customers, regulators, and the wider public.
