Date: 6th December 2025

Key Issue
The Data (Use and Access) Act 2025 (DUAA 2025) introduces significant reforms to the UK data regime. What are the implications of these changes for organisations, individuals and the data protection landscape?

Short Answer
The Act amends the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR). It introduces a new lawful basis for data processing (“recognised legitimate interests”) and clarifies provisions on cookies, international transfers, research uses and child-facing services. It also imposes new duties for complaints and oversight by the Information Commissioner’s Office (ICO). The net effect is greater flexibility for data use and sharing, but increased regulatory complexity and potential risks for data flows and compliance.

Facts / Development of the Bill
The DUAA 2025 received Royal Assent on 19 June 2025. It is being enforced in phases, with full implementation by June 2026. The Bill was introduced to modernise the UK’s data regulatory framework, recognising that innovation, non-personal data and changing international transfers require updated rules. 

Key features include:

  • A new lawful basis for processing personal data for certain legitimate interests without the need for a full balancing test in each case. Examples include: crime prevention, safeguarding and emergency response.
  • Clarification that scientific research may include commercial research and that broader consent may be used for related research purposes.
  • Changes to international data-transfer rules to simplify certain transfers and provide clarity.
  • New expectations for services likely to be used by children, namely that design and organisational safeguards must take account of children’s needs.
  • Alterations to the rules around storage and access technologies (such as cookies) in PECR: more nuanced exemptions in low-risk contexts.
  • The Act does not replace the UK GDPR or DPA 2018 but amends them.
  • The ICO has issued preliminary guidance and is developing full guidance on the new regime. 

Analysis
From my perspective, the DUAA 2025 represents a landmark evolution in UK data law, balancing innovation and protection. However, it brings both opportunity and risk.

Opportunities:
Organisations gain a clearer basis to process personal data under the “recognised legitimate interests” regime, reducing the administrative burden of conducting a balancing test in cases flagged by the legislation. This may encourage more productive data use for public good, innovation and business analytics. The clarification around research and non-personal data sharing can support growth in R&D, data-driven business models and cross-sector collaboration. The more flexible cookie/PECR rules reduce friction in digital operations.

Risks and challenges:
However, the flexibility comes with stipulations. Although the new lawful basis reduces one hurdle, organisations must still ensure robust governance, documentation and safeguarding of data subjects’ rights. There is concern about divergence from EU standards: some commentators note that the UK’s more permissive approach may jeopardise the UK’s adequacy status with the EU, for example in relation to legitimate interests, automated decisions, and weaker thresholds for non-intrusive cookies. If adequacy is revoked, cross-border data flows from the EU to the UK would incur substantial cost and complexity.

For sectors such as financial services, which rely heavily on data analytics and cross-border flows, the Act demands urgent review of existing frameworks. Companies must revisit their privacy notices, cookie practices, transfer agreements and governance around data sharing. The transitional nature of the rules, phased implementation through mid-2026, adds a layer of uncertainty: organisations will need to monitor guidance, implement in stages and manage regulatory reporting.

Finally, from a mental-health consultancy or student-support service perspective, the Act underscores the need to be cautious when handling sensitive data. Even with clearer grounds for processing, ethical protections remain. Transparency, a legitimate purpose, data minimisation and respect for rights remain critical.

Conclusion
In summary, the Data (Use and Access) Act 2025 ushers in a new era for UK data regulation: one that offers businesses and public-sector actors more flexibility to use data, while retaining key protections for individuals. For organisations, the message is clear: update internal policies, refresh governance, review cross-border flows and prepare for guidance from the ICO. 

For individuals, the changes potentially create secondary value from data sharing, but safeguards must be established. In the longer term, the most significant effect may be how the UK positions itself as a data-driven economy post-Brexit. Maintaining EU adequacy and public trust will be pivotal. The Act is not a wholesale overhaul of data protection, but a strategic update. Its success will depend on how well organisations implement its provisions, how the regulator enforces them, and how international partners respond.