Quick Hits

  • The UK Data (Use and Access) Act 2025 introduces several important amendments to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications Regulations (PECR), which directly impact how employers process personal data.
  • Among the changes are new measures for international data transfers, automated decision-making, legitimate interest, cookies, and the creation of a complaints procedure.
  • The UK data supervisory authority, the Information Commissioner’s Office (ICO), has announced that it intends to issue further guidance on the changes in late 2025 or early 2026.

Whilst the act does not completely overhaul the current UK data protection framework, it introduces several significant changes which will be discussed in this article.

International Data Transfers

The act introduces a “data protection test,” offering more flexibility than the previous “essentially equivalent” standard for third-country data transfers. Under the changes, international transfers would be permitted if the third country’s protections are “not materially lower” than those in the UK. In addition to the data protection test, the secretary of state may create laws authorising international transfers, taking into account the larger context of data flows between the UK and other countries, as well as the potential benefits of the transfers. Due to these modifications, the UK’s guidance on international transfers may differ from that of the European Union. The Information Commissioner’s Office (ICO) is due to publish updated guidance on international transfers in early 2026.

Data Subject Access Requests (DSARs)

Employers may benefit from clarified and streamlined requirements for responding to DSARs. The act clarifies that only “reasonable and proportionate” searches are required, and the response deadline is paused if additional information is needed from the requester, such as verifying the requester’s identity or defining the scope of the request. This only applies when the recipient of the DSAR cannot reasonably proceed with responding without this information, and the requester should be notified of the extension.

Legitimate Interests

The act provides a list of “recognised legitimate interests” that do not require a balancing test or a legitimate interests assessment (LIA), provided the processing can be considered necessary. The activities in scope include crime prevention and national security. Also included in the list of “recognised legitimate interests” are direct marketing and intra-group data sharing for internal administration, although these processing activities will require a LIA. Organisations may want to consider whether the lawful basis amendments apply to their processing activities and ensure that privacy documentation, such as privacy notices, continues to accurately describe the relevant lawful bases relied upon.

Automated Decision-Making

The act eases restrictions on automated decision-making, allowing it to be used in a wider range of circumstances, provided that organisations relying on it ensure transparency, provide meaningful human intervention, and create an accessible mechanism for data subjects to challenge outcomes. However, automated decisions involving special category data, such as health information, are only permitted with explicit consent or where required under substantial public interest, as defined by UK law.

Cookies

The act aligns fines under the UK Privacy and Electronic Communications Regulations (PECR) with those under the UK General Data Protection Regulation (UK GDPR), raising the maximum penalty to £17.5 million or 4 percent of global turnover. For organisations, this means that breaches related to electronic communications, such as direct marketing, carry significant financial risk.

The act also permits the use of certain “low-risk” cookies (e.g., for security or analytics) without explicit consent, provided users can opt out of such processing.

Complaints Procedure

In addition to strengthening the enforcement powers of the ICO, the act has created a statutory right for individuals to raise data privacy-related complaints directly with organisations. Organisations will be required to facilitate the creation of a formal complaints mechanism, such as an online form, acknowledge receipt of complaints within thirty days, and take appropriate steps to investigate each complaint without undue delay. Once the investigation is completed, the relevant data subject should be notified of the outcome, and any actions taken should be recorded.

Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and provide updates on the Cybersecurity and Privacy blog as additional information becomes available.

Simon J. McMenemy is the managing partner of Ogletree Deakins’ London office and co-chair of the firm’s Cybersecurity and Privacy Practice Group.

Lorraine Matthews, a cybersecurity and data privacy practice assistant in the London office of Ogletree Deakins, contributed to this article.
