The UK Data (Use and Access) Act 2025 makes major changes to UK data protection law, including the UK General Data Protection Regulation (UK GDPR). Whilst the Act introduces some additional rules which companies will need to integrate into their compliance programmes, in many other respects the Act increases regulatory clarity, codifies existing guidance, and reduces red tape. The provisions of the Act will continue to be brought into force over the course of 2026 by Commencement Orders.
Updates to Data Subject Rights
Data subjects have a new ‘right to complain’ directly to controllers, which they can exercise if they believe that the controller has infringed UK data protection rules. This is in addition to a data subject’s existing right to complain to the Information Commission – the new name for the data protection regulator which replaces the UK Information Commissioner’s Office under the Act.
Other changes introduced under the Act relate to data subject access requests (DSARs). For example, the Act codifies existing regulatory guidance by confirming that controllers need only carry out ‘reasonable and proportionate’ searches for personal data in response to a DSAR.
Deregulation of Some Automated Decision-Making
The Act introduces changes to the UK GDPR’s provisions on automated decision-making (ADM), including by broadening the circumstances in which controllers can carry out ADM that does not involve processing special category personal data. In particular, the Act enables controllers to rely on ‘legitimate interests’ as a lawful basis for ADM processing activities that do not involve processing special category personal data.
In such cases, controllers are no longer limited to certain legal bases for processing – but appropriate safeguards must still be implemented to protect data subjects, including:
- Providing data subjects with information about decisions.
- Enabling data subjects to make representations about the decisions.
- Enabling data subjects to obtain human intervention and contest the decisions.
Additions to Legal Bases for Processing
The Act introduces a new legal basis for processing: ‘recognised legitimate interests’. This legal basis allows controllers to process personal data for certain purposes without carrying out a so-called ‘balancing test’ – as required under the ‘standard’ legitimate interests legal basis. The purposes are listed in a new Annex 1 to the UK GDPR and address activities such as disclosing personal data to public bodies that need it for their tasks, preventing crime, and safeguarding vulnerable individuals.
The Act also codifies the recitals of the UK GDPR by setting out examples of processing activities that may be covered by a controller’s legitimate interest:
- Direct marketing.
- Intra-group sharing of personal data for internal administrative purposes.
- Ensuring the security of network and information systems (as defined under the Network and Information Systems Regulations 2018).
Amended Framework for Purpose Limitation and Further Processing Rules
The Act has restated and added to the provisions governing controllers’ ability to evaluate whether further processing is compatible with the original purpose of processing. In some cases the changes merely clarify the existing position, but in other respects they adjust the UK GDPR’s approach.
According to provisions added by the Act, processing personal data for a new purpose will be treated as processing compatible with the original purpose, where, for example:
- A data subject has consented to personal data being processed for the new purpose (so long as the new purpose is specific and legitimate).
- Processing is for scientific or historical research, for archiving in the public interest, or for statistical purposes (and some additional conditions have been met).
- A controller is seeking to ensure that processing personal data complies with the overarching principles contained in Article 5(1) UK GDPR.
- The processing is to pursue a purpose listed in a new Annex 2 to the UK GDPR, such as detecting crime and meeting legal obligations.
A more restrictive set of rules for further processing applies when the controller initially collects personal data based on a data subject’s consent.
Adjustments for Scientific Research
When a controller collects personal data directly from a data subject and further processes it for scientific research, the Act introduces a new exemption to the requirement under Article 13 UK GDPR to inform the data subject. Similar to the existing exemption under Article 14 GDPR, the exemption applies if providing the information would be impossible or would involve disproportionate effort. If a controller relies on this exemption, it must make the transparency information available publicly instead. Whether a controller can rely on this exemption will depend on (amongst other things) the number of data subjects, the age of the personal data, and any safeguards applied to the processing.
Further, the Act introduces provisions clarifying that data subjects can give broader consent to processing for scientific research purposes. Under the provisions, and subject to specific conditions, data subjects can give their consent to an ‘area’ of scientific research if it is not possible to fully identify the purposes of processing at the time consent is sought.
Flexibility for International Data Transfers
The Act introduces the concept of a ‘data protection test’ to be applied in some cases to determine whether transfers of personal data outside the UK can take place.
For example, if an exporter relies on a transfer safeguard such as the UK International Data Transfer Agreement (or the UK Addendum to the EU SCCs), it must consider whether the data protection test has been met, acting reasonably and proportionately. That test involves assessing whether the standard of protection provided to data subjects in the third country would be ‘materially lower’ than the standard under UK data protection laws. This is a departure from the more stringent tests typically applied under the EU GDPR, which provide that equivalent or higher protections should be in place in the recipient jurisdiction.
Explicit Statutory Protections for Children’s Data
The Act introduces explicit requirements aimed at controllers processing personal data in connection with ‘information society services’ (i.e. most commercial online services) likely to be accessed by children. When implementing their data protection by design obligations, these controllers must take into account ‘children’s higher protection matters’ set out in the UK GDPR. The matters to be considered include: (1) how children can be protected and supported when using the services; (2) that children merit specific protection because they may be less aware of the risks of processing; and (3) that children have different needs at different ages and stages of development. These changes buttress the existing Age Appropriate Design Code.
Next Steps for Companies
Companies operating in the UK market stand to benefit from the clarifications and easing of certain regulatory burdens under the Act. In particular, changes to ADM rules mean that legal teams may be able to green-light AI-enabled tools which could not previously be used in the UK.
Steps that companies may need to take to adapt to the changes include:
- Updating data subject rights policies, including by:
  - Ensuring they cover the new right to complain directly to controllers.
  - Making clear that only ‘reasonable and proportionate’ searches for personal data are required when responding to DSARs (if not already stated).
- Reviewing AI and ADM policies and procedures where necessary to ensure they accurately capture the additional circumstances under which ADM can be carried out, and to ensure that appropriate safeguards are implemented as necessary.
- Amending privacy notices, including by:
  - Ensuring they cover the new right to complain directly to controllers.
  - Updating legal basis transparency disclosures as appropriate to account for the new ‘recognised legitimate interests’ legal basis. It would also be appropriate to adjust legal basis assessments in internal documentation.
  - Adjusting disclosures in relation to processing for scientific research (and updating any consent-related materials in line with the Act’s clarifications).
- Updating documentation, and adjusting templates and processes, in particular for transfer risk assessments, legitimate interests assessments, and compatibility tests.
- Identifying online services that children are likely to use and assessing whether they appropriately take into account children’s higher protection matters.
If you have any questions, or would like additional information, please contact one of the attorneys on our Privacy, Cyber & Data Strategy team.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.


