Clarkslegal Law Bites

From legislation to implementation: The Data (Use and Access) Act 2025

Clarkslegal


On June 19, 2025, the highly anticipated Data (Use and Access) Act received Royal Assent, marking a significant milestone in data protection legislation.

Join us as we delve into the key changes introduced by this Act. In this episode, our data protection experts, Melanie Pimenta and Harry Berryman, will explain what the Act means for your organisation and how to ensure compliance with the new regulations.

In this episode, we’ll cover: 

  • Key changes in data protection legislation
  • Best practices for compliance
  • Practical steps for organisations to adapt

Whether you're a business leader, HR professional, or simply interested in data protection, this podcast is essential listening.

If you have questions or need support reviewing your privacy notices, data protection policies, or guidance on data-sharing agreements, particularly for international transfers, please contact our data protection team.

Melanie Pimenta 00:06

On 19 June 2025, the long-awaited Data (Use and Access) Act received Royal Assent. It is deemed to be a refinement of existing data protection legislation; however, there are still a few new elements and some changes organisations should consider when reviewing their data protection practices.

In this podcast, we will be discussing changes implemented by the Data (Use and Access) Act, which we will refer to as the Act, and what organisations should do to ensure they remain compliant and by way of best practices. 

My name is Melanie Pimenta, I am an Associate in the data protection team at Clarkslegal and this is Harry Berryman who is a solicitor with me in the data protection team. 

Harry Berryman 00:48

Thanks Melanie.

So, let’s start with data subject access requests, commonly known as “DSARs”. DSARs are the mechanism by which individuals can request their personal data, ask for it to be corrected or deleted, along with other rights. Most commonly, we see individuals requesting copies of their personal data, which can be time-consuming for the organisations involved.  

Melanie Pimenta 01:12
 
Yes, definitely! Generally we have previously relied on guidance from the ICO (which will now be renamed the Information Commission under this Act), in regard to how DSARs should be responded to. The Act now introduces two helpful clarifications. Firstly, it provides a statutory basis for “pausing the clock” while awaiting further information from the requester. Secondly, it confirms that searches need only be “reasonable and proportionate”, which sets out boundaries for organisations to find the requested data. 

Harry Berryman 01:45

Yes. It is good to have this clarified in the law. It is also interesting that the recent ruling in Ashley v HMRC has also highlighted the risks of taking “too narrow an approach” to searches for personal data and it may be that wider searches are required on a case-by-case basis.

Melanie Pimenta 02:01
 
Yes. In addition to this, the Act has clarified that responses to requests must be made within one month, which can be extended by two months for complex requests (provided this is confirmed within the original one-month timeframe).

Harry Berryman 02:17

Yes, and the Act also clarifies that the timeline for responding does not start until the controller receives any clarification information they require or when the fee (if any) charged in connection with the request is paid. For example, a controller may reasonably require further clarification where it processes a large amount of information concerning that data subject.

Melanie Pimenta 02:40
 
Yes, it is currently unclear how this will be applied in practice. For example, will this now be a general right to “stop the clock” and ask for information where a large amount of data is processed, or is the Information Commission going to say this should only be used if genuinely required?

Harry Berryman 02:59

Yes, agreed, this will be one to keep an eye on as it is increasingly applied in practice.

So, let’s move on to another new element of the Act which links to DSARs. The Act outlines a new complaints procedure for addressing complaints from data subjects. This says that the data subject can make a complaint to the controller and the controller must enable complaints to be made, for example by providing a complaints form; acknowledge receipt of a complaint within 30 days of receipt; and must, without undue delay, take appropriate steps to respond to the complaint and inform the complainant of the outcome.

Melanie Pimenta 03:35
 
Yes, it also states that appropriate steps, including informing the complainant about the progress of the complaint, are needed too, so it will be a case of ensuring that once a complaint comes in, it is acknowledged within the correct timeframe and is worked on accordingly, with updates to the complainant to ensure they are informed of the latest position.

Harry Berryman 03:57

Indeed, and interestingly, the Secretary of State can make regulations requiring controllers to notify the Information Commission of the number of complaints they have received. It just shows that the risk of not dealing with complaints correctly could lead to reputational damage.

Melanie Pimenta 04:12
 
Yes, I agree, I think the intention behind this change is to ensure that controllers deal with complaints in the first instance, with the Information Commission dealing with matters which are then escalated. We would suggest ensuring that you have an appropriate complaints policy in place to ensure you comply with this element of the Act.

Harry Berryman 04:32

Exactly, the impression you get, both from the legislation and our work with clients, is that the Commission doesn’t quite have the resources to promptly deal with every DSAR-related complaint it receives.  They seem to be hoping that the controllers will more proactively comply with their obligations here, rather than need the Commission to step in after a complaint is made.

So, let’s next move on to a new lawful basis for processing.  

This will be called ‘recognised legitimate interests’.

Currently, there are six lawful bases for processing, of which legitimate interests is one, but what does the new definition of ‘recognised legitimate interests’ entail?

Melanie Pimenta 05:11
 
Well, this is going to relate to particular situations where a Legitimate Interests Assessment is not required. It will apply to disclosures to a person carrying out a public interest task; safeguarding national security; protecting public security or defence purposes, amongst other specific purposes. It should be noted that the Secretary of State can add to this list, so I would suggest keeping an eye on any further additions to this list; at the moment they seem quite specific.

Harry Berryman 05:43

Yes, and it would be worth considering if any data protection policies and privacy notices need to be updated to account for this additional lawful basis of processing. 

Melanie Pimenta 05:53
 
Yes, I agree. So, on the same topic – legitimate interests – the Act has set out a non-exhaustive list of examples of processing activities that can constitute a legitimate interest of the controller, and these will be subject to the usual Legitimate Interests Assessments.

Harry Berryman 06:12

Yes, these are to include processing that is necessary for the purposes of direct marketing; intra-group transmission of data; and processing that is necessary for the purposes of ensuring the security of network and information systems.  

Melanie Pimenta 06:25
 
It seems like a very specific change, but it is still worth checking policies and privacy notices, if these legitimate interests are being relied upon, to make this clear.

Harry Berryman 06:35
 
Thanks. So, let’s turn now to the purpose limitation principle. This principle has required organisations to ensure that further processing is always compatible with the original purpose. But what does ‘compatible’ really mean in this context?

Melanie Pimenta 06:50
 
So the Act has introduced a new article 8A which sets out clear circumstances where further processing will be deemed compatible with the original purpose. These include situations where: the data subject gives fresh consent; where processing is for research or archiving; where it serves the public interest or relates to crime prevention or safeguarding.

Harry Berryman 07:14

Ok, so this clarity is significant as it offers organisations a stronger legal foundation when reusing data particularly where there is a public benefit.

Melanie Pimenta 07:24
 
That’s true, but I would say that organisations should still be mindful of the transparency obligations they are subject to and document decisions carefully to demonstrate compliance.

Harry Berryman 07:35

That’s true.

So as we have seen, AI has increasingly been used in organisations and is really kicking off at a fast rate, quicker than can be regulated. But where the UK GDPR has said that individuals have the right not to be subject to solely automated decisions that have legal or similarly significant effects, with only limited exceptions, the new Act proposes to replace this with a more flexible regime. 

Melanie Pimenta 08:01
 
Yes, the Act will allow for broader use of ADM in low-risk scenarios, provided that appropriate safeguards are in place. This does signify the UK trying to strike a balance of creating a framework which is AI-friendly whilst upholding fundamental rights.

Harry Berryman 08:20

Indeed, and with the quick uptake of AI, particularly where organisations may use AI for recruitment, credit assessments or customer profiling, this change brings new opportunities but also suggests that organisations will need to be transparent on this.

Melanie Pimenta 08:36
 
Yes, I agree, and it will very likely be the case that organisations will need to invest in transparent decision-making systems and ensure robust governance, with humans overseeing decisions made by ADM to manage risks.

Harry Berryman 08:53

Exactly. So we’re just going to move our attention to international transfers before considering a couple of final changes. International transfers have been a tricky area for organisations to navigate, particularly since Brexit and the abolition of the Privacy Shield. There has also been the consideration of adequacy decisions.

Melanie Pimenta 09:13
 
Yes, adequacy decisions have required a high degree of equivalence between the UK’s data protection regime and that of the recipient country. The Act is moving towards a risk-based approach by introducing a new “data protection test” whereby the Secretary of State will assess whether a third country’s data protection is “not materially lower” than UK standards. 

Harry Berryman 09:37

Yes, so there will be a shift in considering whether differences in legal frameworks actually present meaningful risks to individuals’ data rights.

Melanie Pimenta 09:45
 
I anticipate for businesses, this could simplify lower-risk international transfers and encourage cross-border trade.  

Harry Berryman 09:54

Yes, and we would still recommend that organisations with a high quantity of international transfers undertake a risk assessment, particularly where countries are not deemed to have ‘adequate’ safeguards.

Melanie Pimenta 10:06
 
In a similar vein, on special categories of data, which include medical or health data, the Secretary of State will have the ability to add categories to this list too.

Harry Berryman 10:17

Yes, we are not aware of any specific changes to the list but it is worth keeping an eye on any updates on this to consider if your privacy notice or policies will need to be updated.

Melanie Pimenta 10:29
 
Yes, definitely. A final point to mention is in relation to PECR – the Privacy and Electronic Communications Regulations.

This is one of the most striking changes, which aligns penalties under PECR with those of the UK GDPR, raising the maximum fine from £500,000 to £17.5 million or 4% of global turnover (whichever is higher).

This is a substantial increase which exemplifies the government’s intent to enforce compliance with marketing rules, particularly around direct marketing.

Harry Berryman 11:08

Yes, absolutely. As before, we would recommend that organisations review their practices and ensure robust consent mechanisms are in place. Where the Information Commission is already deploying automated scanning technology to detect cookie breaches, enforcement action is likely to become more proactive, and organisations should be alive to the potential financial and reputational repercussions.

Melanie Pimenta 11:31

Yes, I agree, thank you Harry. We can help you by reviewing your privacy notices and data protection policies, as well as drafting a complaints policy, to ensure they are compliant with the new Act. We can also advise on any specific data sharing agreements where international transfers of personal data are involved.
 
Harry Berryman 11:52

If you have any queries or require our support, please do not hesitate to contact us via Clarkslegal’s website. 

Melanie Pimenta 12:00
 
Thanks. So that brings us to the end of this podcast, thank you for listening.