The impact of the Data Use and Access Act on UK data protection law
On 19 June 2025, the Data Use and Access Act (the “Act”) received royal assent, making a number of significant changes to UK data protection law. The amendments do not replace current data protection legislation but rather make targeted changes aimed at simplifying existing rules, supporting innovation, assisting law enforcement and encouraging responsible data sharing. The below article sets out the key changes and the likely effects of these in practice.
The key changes
New lawful basis
One of the headline changes made by the Act relates to the addition of a new lawful basis. This takes the form of recognised legitimate interests. This new form of legitimate interest differs from the original basis in that it does not require controllers to carry out the balancing test. The necessity test is, however, still required.
On the topic of the necessity test, the original legitimate interest lawful basis, found under Article 6(1)(f) of the UK GDPR, has been amended to add three examples of processing that may be considered necessary when relying on this lawful basis. The examples were already found in the recitals to the UK GDPR but now benefit from being legally binding.
Automated decision making
The Act softens the current approach of Article 22 of the UK GDPR by relaxing the prohibition on automated decision making. Under the Act organisations will have more opportunities to use personal data to make automated decisions about data subjects, provided they have appropriate safeguards in place. One example of how the Act achieves this is by allowing organisations to rely on the legitimate interest lawful basis to carry out automated decision making, meaning that automated decision making could be used much more frequently than it is at present. The prohibitions found in Article 22 UK GDPR will remain in place for significant decisions involving special categories of personal data, such as health data.
With regard to safeguards, organisations will need to be transparent about the use of automated decision-making, providing individuals with detailed information about what automated systems they are using, how the system makes decisions and what data it uses to do so. Data subjects must also be allowed to request human intervention and contest the outcome of automated decisions.
Changes for charities
Charities will now be able to rely on the soft opt-in rule for sending email direct marketing communications to individuals. This marks a departure from the current regime, which requires charities to obtain explicit consent from data subjects. This means that individuals who provide their email address in the course of offering support to, or expressing an interest in, the relevant charitable purpose can be sent direct marketing via email. This could have a significant impact on fundraising initiatives, enabling charities to communicate with a broader range of prospective supporters. Charities do need to be aware, however, that they will need to give these individuals the opportunity to opt out of the charity using their details at the point the details were first collected, and the same opportunity in each subsequent marketing message.
PECR fines
Prior to the Act, the maximum fine that could be levied for a breach of PECR was £500,000. However, this has now been aligned with the upper limit under the UK GDPR, namely, up to the greater of £17.5 million or 4% of global annual turnover.
Complaints
Organisations are required to assist individuals who want to complain about the organisation’s use of their personal data, for example through the provision of an electronic complaints form. Complaints must be acknowledged within 30 days and an outcome must be provided without undue delay. This new process must be implemented by June 2026 and must be clear, easy to find and available to all individuals. Complaints must also be recorded and their progress tracked.
International data transfers
The standard required for transferring data to a third country (a country outside of the EEA or which does not benefit from an adequacy decision) has been amended. Prior to the Act, it was required that the protection guaranteed under the UK GDPR would not be undermined; under the Act, the standard of protection must be “not materially lower”. This requirement is now referred to as the data protection test and formalises the requirement for a transfer risk assessment to be carried out.
Subject Access Requests
The Act both amends and clarifies the existing rules on subject access requests (“SARs”). This includes a new provision that allows controllers to “stop the clock” when seeking clarification on the scope of a SAR, with the clock resuming when the additional information is received. This is subject to the controller being able to demonstrate that the requested clarification is reasonably required to provide a response.
Additionally, the Act confirms that the scope of a search need only be “reasonable and proportionate”, reflecting the ICO’s guidance on this front.
Conclusion
The Act represents a subtle yet significant amendment to the UK data protection regime, providing a greater degree of flexibility for a number of organisations whilst increasing potential penalties for PECR non-compliance and maintaining the level of protection data subjects have come to expect. Whilst it is envisaged that the Act will not be fully in force until June 2026, early compliance will provide reassurance amongst data subjects and enhance the reputation of your business.
How we can help
For further advice on data protection and how the Data Use and Access Act may affect your organisation, please contact our commercial & tech team.