What the Data (Use and Access) Act 2025 Means for UK Businesses: Key Changes and Immediate Compliance Steps
Introduction to the Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 marks a significant milestone in the UK’s data protection landscape. Receiving Royal Assent on June 19, 2025, this new legislation introduces pivotal updates that UK organizations and data protection professionals must understand and implement. As data continues to drive business innovation and operations, staying compliant with evolving regulations is crucial.
Key Changes Introduced
New Legal Bases for Processing
One of the most notable changes is the introduction of “recognized legitimate interests” as a legal basis for common processing activities. This provides businesses with more flexibility while ensuring that data protection remains a priority.
Adjustments to Automated Decision-Making Rules
The Act expands the use of automated decision-making under legitimate interest, yet maintains robust protections for sensitive data. This balance aims to foster innovation while safeguarding individual rights.
Changes to International Data Transfers and Cookies Regime
Significant adjustments have been made to international data transfers and the cookies regime. Notably, there is a relaxation of consent requirements in specific cases, streamlining operations for businesses engaged in international activities.
Streamlined Data Subject Notification Requirements
Organizations can now benefit from streamlined data subject notification requirements, especially when providing notice would be a disproportionate effort. However, equivalent safeguards must be in place to ensure data protection.
Limits on Data Subject Access Requests
The Act introduces limits on data subject access requests, focusing on those deemed reasonable and proportionate. This change aims to reduce the administrative burden on organizations while maintaining transparency.
Implications for UK-EU Data Flows
These legislative changes could impact the UK’s adequacy status with the EU. Organizations should closely monitor developments and prepare for potential adjustments in data flow agreements and practices.
Practical Steps for Compliance
Immediate Actions
Organizations should take immediate steps to align with the new requirements. This includes reviewing and updating privacy notices, internal policies, and staff training programs.
Preparing for Upcoming Consultations
With the Act not including mandatory AI training data transparency, businesses should prepare for upcoming consultations on AI and copyright to stay ahead of future regulatory changes.
Conclusion
Staying proactive and informed is essential in navigating the evolving data protection landscape. By understanding and implementing the changes introduced by the Data (Use and Access) Act 2025, UK businesses can ensure compliance and maintain their competitive edge.