Data (Use and Access) Act 2025: Reform to UK Data Protection Law

After a lengthy period of parliamentary ‘ping pong’, the Data (Use and Access) Act 2025 (“DUAA”) finally received Royal Assent on 19th June 2025.
Introduced with the core aim of “promoting growth, improving public services and making people’s lives easier”, the Act brings about some notable reforms to the UK GDPR, the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR).
Summary of Key Changes:
- The Information Commissioner's Office (ICO) will be re-established as the Information Commission (IC) with corporate restructuring to create an Executive and a Board of Directors.
- The IC will have new powers including the ability to compel witnesses to attend interviews, and to request technical reports.
- The Act will make some changes to UK GDPR such as the refining of the definition of scientific research to include any research that "can reasonably be described as scientific" irrespective of the source of research funding, and whether or not it is commercial.
- Direct marketing (as well as IT security and internal administration transfers) will be included in the main text of UK GDPR as an example of a ‘recognised legitimate interest’ providing for greater certainty when using legitimate interests as a lawful basis.
- The Act proposes to limit the right for an individual to obtain copies of their personal data under UK GDPR so that they are entitled only to the data that would be found in a "reasonable and proportionate" search.
- Charities will be able to avail of the ‘soft opt in’, i.e. charities will be able to send electronic mail marketing to people whose personal information they collect when they support, or express an interest in, the charity’s work, unless they object.
- The Act will introduce changes to rules on data exports including the ability of the Secretary of State to approve third countries, and the introduction of a data protection test to assess whether the third country or international organisation has a standard of data protection not materially lower than that in the UK.
- The Act will reframe Automated Decision Making (ADM) to allow processing with no limitation on which lawful basis an organisation can use, subject to putting specific safeguards in place.
- Maximum fines for breaches of the Privacy and Electronic Communications Regulations will be increased from £500k to £17.5 million or 4% of annual global turnover.
What Next?
Although the Act has received Royal Assent, most of the provisions in the legislation require a Commencement Order before they can take effect. The first of these Commencement Orders is expected in October 2025, although it is possible that some provisions such as the amendments to the UK GDPR and PECR could be brought into effect ahead of schedule. In the interim, organisations should continue to monitor future developments whilst also ensuring that any DSAR, ADM, Direct Marketing and Cookie policies are reviewed and updated as required.
If you would like any further information or advice on these issues, please contact Laura Cunningham, Head of Data Protection and Information Law.
*This information is for guidance purposes only and does not constitute, nor should it be regarded as, a substitute for taking legal advice that is tailored to your circumstances.
