The UK’s Data (Use and Access) Act 2025 (the Act) officially came into law on June 19.
The Act seeks to modernize the UK’s data protection and e-privacy regimes. It aims to help support the economy, improve public services, and make everyday life and business compliance easier by encouraging secure data sharing between consumers and third parties.
Updates to Current Legislation
The Act introduces amendments to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, impacting areas such as legitimate interests, direct marketing, data subject access requests (DSARs), and automated decision-making, notably:
- A new lawful basis for data processing in the form of “recognized legitimate interests.” These are specific types of processing activities that are automatically considered lawful, for example, fraud detection and prevention, information security, crime prevention, and public health and safety.
- Relaxed rules around automated decision-making and cookie consent. Notably, explicit consent will no longer be required for certain types of cookies, including analytics, site optimization, and website functionality. With respect to automated decision-making, prior rules regarding individual rights not to be subject to decisions based solely on automated processing have now been relaxed to apply only when the decision involves special category data such as health, race, region, or biometric data.
- Provides broader flexibility in connection with data subject access requests. In practice, these changes only reflect the existing guidance of the Information Commissioner’s Office (ICO), which many controllers have followed in recent years. This includes codifying the requirement for the controller’s search for personal data concerning the data subject to be (no more than) a “reasonable and proportionate search.”
Impact on Organizations
For financial services organizations, the Act may streamline their ability to process data without always needing a legitimate interests assessment (LIA), for example in connection with fraud prevention, IT security, intra-group administration, and direct marketing.
The Act may reduce several administrative burdens that prior UK privacy laws placed on all organizations by removing opt in consent requirements for functional and analytics cookies used on websites, potentially offering greater flexibility for data subject access requests, and reducing the requirement for legitimate interest assessments in certain cases.
The Act also lays the foundation for data initiatives that would enable data portability in certain key sectors, including transport, finance (outside of retail banking), healthcare, and energy. These purpose of these initiatives is to encourage greater innovation in these sectors, similar to Open Banking, which already exists for retail banking. Linked to this, there are also provisions for digital IDs, which might simplify know your customer (KYC) processes and remote ID verification. These changes may, in part, enable customers to switch more easily between suppliers, the aim of which is to drive more innovation through increased competition.
Although these changes may benefit UK organizations, they do not change requirements under the broader GDPR. UK organizations should carefully assess their compliance programs to ensure that any changes made to UK operations do not result in compliance gaps under GDPR and other EU member state laws.
Considerations for Companies
UK organizations should assess their compliance programs and, more generally, their data strategy to determine whether or not these remain “fit for purpose” in light of the changes the Act introduces. For example, companies should consider:
- Reviewing data processing activities to identify where the new “recognized legitimate interests” basis for processing may be relied upon;
- Updating DSAR processes;
- Reassessing cookie and marketing compliance to take advantage of opt out for low-risk cookies;
- Preparing for smart data schemes where relevant; and
- Preparing for digital ID and verification frameworks.