Data (Use and Access) Act Compliance — What’s Changed in UK Data Protection (2025 Update)
Introduction: A new era for UK data compliance
The UK has entered a new phase of data protection reform with the Data (Use and Access) Act 2025 (DUAA). Building on the foundation of the UK GDPR and the Data Protection Act 2018, this legislation aims to make data use simpler, safer, and more innovation-friendly.
For businesses, this means more flexibility in how data can be processed and shared — but also new compliance duties and governance expectations.
In this post, we break down what’s changed, what it means for your organisation, and the practical steps you need to take to stay compliant.
1. Purpose of the Data (Use and Access) Act 2025
The DUAA is designed to encourage responsible data use that fuels innovation, research, and better public services, while still protecting individual privacy.
It aims to:
- Simplify data access and sharing across sectors (especially through “Smart Data” initiatives).
- Clarify rules around lawful processing and data reuse.
- Modernise data subject rights procedures such as DSARs (Data Subject Access Requests).
- Strengthen governance around AI, research, and automated decision-making.
In essence, the Act shifts the UK’s privacy landscape from “data protection by restriction” to “data protection by design and enablement.”
2. Key changes in UK data protection law
a) Smarter and safer data sharing
The DUAA creates a clearer framework for cross-sector data sharing under government-approved schemes such as Smart Data and public registers.
This change helps organisations collaborate and innovate — for example, in fintech, healthtech, and transport — provided they implement robust safeguards and oversight.
What you need to do:
✅ Review all existing and planned data-sharing agreements.
✅ Ensure that each arrangement includes clear access controls, audit processes, and data minimisation measures.
b) Updated lawful bases for processing
The Act gives businesses more clarity and flexibility when relying on lawful bases such as “legitimate interests” — particularly for innovation, research, and product improvement purposes.
However, this flexibility comes with a condition: you must document your reasoning and justify the necessity and proportionality of each data use.
Action points:
✅ Re-evaluate your lawful bases and update your Records of Processing Activities (RoPA).
✅ Include additional examples of legitimate interest uses in your privacy notices.
c) Streamlined data subject access requests (DSARs)
The DUAA simplifies how organisations handle DSARs, allowing more practical timeframes, improved redaction guidance, and clarification on exemptions.
This aims to reduce administrative burden while ensuring transparency for individuals.
Action points:
✅ Update DSAR handling procedures and staff training.
✅ Implement efficient redaction and case-tracking tools.
d) Research, innovation, and AI processing rules
New provisions support the use of personal data for approved research and AI development, provided ethical and technical safeguards are in place.
Organisations can process data under these expanded exemptions — but they must follow strict impact assessments and maintain documentation proving compliance.
Action points:
✅ Review AI governance frameworks and DPIAs (Data Protection Impact Assessments).
✅ Ensure transparency and explainability in automated decision systems.
e) International data transfers and adequacy
The Act maintains the UK’s commitment to international data flow continuity, with updated mechanisms for transfers outside the UK. The goal is to protect UK adequacy decisions while providing businesses with clearer transfer pathways.
Action points:
✅ Re-validate your transfer tools (SCCs, IDTA, or adequacy reliance).
✅ Monitor ICO updates on international data transfer guidance.
3. Compliance checklist for UK organisations
| Area | Action Required |
|---|---|
| Lawful Basis | Review legitimate interests and update RoPA documentation. |
| Data Sharing | Revise contracts for Smart Data and third-party arrangements. |
| DSARs | Implement new response timelines and redaction protocols. |
| Research & AI | Update DPIAs and transparency statements. |
| International Transfers | Verify SCCs and ICO-approved mechanisms. |
| Training | Educate teams on DUAA changes and practical implications. |
| Governance | Strengthen access controls, monitoring, and audit readiness. |
4. Industries most affected
- Healthcare & Life Sciences: expanded data use for approved research and public health projects.
- Financial Services: new Smart Data initiatives enabling consumer data portability.
- Technology & AI: broader permission for automated decision-making with safeguards.
- Public Sector: stronger data access for policy and service improvement.
5. Steps to achieve DUAA compliance
- Conduct a data audit – Map out what personal data you hold, where it’s stored, and who accesses it.
- Review privacy notices – Update to reflect new lawful bases and transparency obligations.
- Update your RoPA and DPIAs – Record justifications for all processing activities under new rules.
- Review data-sharing agreements – Include DUAA-compliant clauses and access controls.
- Train staff and partners – Ensure all departments understand new rights and procedures.
- Engage with the ICO – Stay informed through regular guidance and compliance resources.
6. Key risks and challenges
While the DUAA reduces red tape for some organisations, it also brings:
- The need for stronger internal governance.
- Increased scrutiny over AI ethics and automated decision-making.
- Potential divergence from EU GDPR, affecting multinational compliance strategies.
Organisations that adapt early will not only remain compliant but also gain a competitive edge by leveraging data responsibly and confidently.
Conclusion: A proactive approach to data compliance
The Data (Use and Access) Act 2025 marks a significant evolution in UK data protection — one that balances privacy with innovation.
To stay compliant:
- Understand the new frameworks for data sharing and lawful use.
- Update your records, contracts, and policies.
- Train your teams to manage data under this more dynamic regime.
By embedding compliance into your business culture, you’ll be ready for the next generation of digital innovation in the UK.
For full legislative details, visit the official UK Government guidance on the Data (Use and Access) Act 2025.
You can also explore the Information Commissioner’s Office (ICO) resources for compliance updates.