What the UK's New Data (Use and Access) Act Means for Data Protection Compliance: Key Changes and Practical Steps for Organizations

The UK has recently enacted the Data (Use and Access) Act, which came into force on June 19, 2025, marking a significant shift in the landscape of UK data protection law. This blog post will delve into the key changes introduced by the Act, its implications for organizations, and practical steps to ensure compliance.

Key Changes in the Data (Use and Access) Act

The new Act introduces several pivotal changes:

  1. Liberalization of Automated Decision-Making: The Act eases the requirements surrounding automated decision-making processes, allowing organizations more flexibility in utilizing AI and machine learning technologies.

  2. Updated ePrivacy Cookie Rules: Changes to cookie regulations aim to streamline user consent processes, making it easier for businesses to comply while enhancing user experience.

  3. New Data Subject Right to Complain: A significant addition is the introduction of a new right for data subjects to lodge complaints, which necessitates organizations to establish robust mechanisms for handling such complaints efficiently.

Impact on Organizations

The Act presents a mixed bag of opportunities and challenges for organizations:

  • Easier Compliance in Some Areas: With the liberalization of automated decision-making and streamlined cookie rules, organizations may find compliance less burdensome in these areas.

  • New Obligations: However, the Act also imposes new obligations, such as updating privacy notices to reflect the changes and preparing for more stringent enforcement by the reconstituted Information Commissioner’s Office (ICO).

Practical Steps for Compliance

Organizations should take immediate action to align with the new requirements:

  • Review and Amend Privacy Notices: Ensure that privacy notices are updated to comply with the new regulations.

  • Monitor ICO Guidance: Stay informed about updates and guidance from the ICO to ensure ongoing compliance.

  • Prepare for Enhanced Enforcement: Develop strategies to handle the increased scrutiny and potential penalties from the ICO.

Broader Implications

These changes position the UK uniquely in the global data protection landscape, particularly in relation to the EU’s GDPR. While the Act introduces more flexibility in certain areas, it also underscores the UK’s commitment to robust data protection standards.

Conclusion

The Data (Use and Access) Act represents a significant evolution in UK data protection law. By understanding the key changes and taking proactive steps, organizations can navigate the new landscape effectively.