If you’re responsible for data protection compliance, you’ve probably heard about the Data (Use and Access) Act 2025. The question is: do you need to drop everything and prepare for major changes?
The answer is nuanced. This isn’t a radical overhaul of UK GDPR. But it does introduce specific requirements that need action, particularly around complaints handling and how you justify certain types of processing. Some provisions are already in force; others roll out through June 2026.
This article explains what’s changed, what it means for your organisation, and what you need to do about it.
The Data (Use and Access) Act 2025
The Data (Use and Access) Act received Royal Assent on 19 June 2025. The government’s stated goals are innovation, growth, and easier compliance—all while maintaining high data protection standards.
How it works
The Act doesn’t replace UK GDPR. It amends UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). Your existing framework stays in place; specific rules have changed.
Implementation timeline
Changes are rolling out in phases through June 2026:
- August 2025: First provisions come into force (recognised legitimate interests)
- October 2025: ICO consultation deadlines on key guidance
- December 2025: EU adequacy review
- June 2026: Complaints process deadline
- Early 2026: Updated ICO guidance expected
This phased approach means you have time to prepare, but you need to know what applies when.
Understanding What’s Changed
The Act introduces several modifications to existing data protection rules. Not all changes require immediate action, but all require awareness.
Key areas of change
The main changes affect:
- Lawful basis for processing (recognised legitimate interests)
- How you handle data protection complaints
- Subject access request procedures
- Automated decision-making rules
- Cookie consent requirements
Each of these has practical implications for how you operate day-to-day.
Recognised Legitimate Interests (From August 2025)
The most significant change is the introduction of “recognised legitimate interests”—a new pathway within the legitimate interests lawful basis.
What’s different
Previously, relying on legitimate interests always required a balancing test: weighing your interests against the rights and freedoms of the data subject (the legitimate interests assessment, or LIA). The Act creates a short, closed list of purposes for which this balancing test is no longer required. The processing must still be necessary for the listed purpose, and the route is not available to public authorities acting in performance of their public tasks, just as the ordinary legitimate interests basis is not.
Activities covered
You can now rely on a recognised legitimate interest, without a balancing test, where the processing is necessary for:
- Disclosure to a public body: responding to a request from a public body that states it needs the data to carry out a public task
- National security, public security and defence
- Emergencies: responding to an emergency that threatens someone's life or safety
- Crime: preventing, detecting or investigating crime, or apprehending or prosecuting offenders (fraud detection that genuinely serves that purpose falls here)
- Safeguarding: protecting children and vulnerable adults from harm
What still requires a balancing test
The Act also adds a non-exhaustive list of examples of ordinary legitimate interests. These are acknowledged in the text of UK GDPR as purposes that may be legitimate, but they are not recognised legitimate interests, so the full balancing test still applies:
- Direct marketing: the easier route doesn't apply to promotional communications
- Intra-group data sharing: transmitting personal data between companies in the same corporate group for internal administrative purposes
- Network and information security: protecting your systems, networks and data against attack and misuse
For security teams that last item is the one to get right. Security logging, threat detection, vulnerability scanning and similar processing now has explicit statutory recognition as a legitimate interest, but it does not get the balancing-test exemption. Keep a documented LIA for it, covering in particular how long logs containing personal data are retained and who can access them.
What this means in practice
You can streamline your documentation for qualifying activities. Instead of conducting and recording a detailed balancing test, you can rely on the recognised category, provided your processing is genuinely necessary for the listed purpose and not merely convenient. Record which Annex purpose you rely on; "necessity" is still a test the ICO can ask you to evidence.
Action required:
- Review your current legitimate interests assessments
- Identify which activities qualify as recognised legitimate interests
- Update your documentation and privacy notices
- Ensure you still meet every other UK GDPR requirement (transparency, purpose limitation, data minimisation, security, retention); the exemption removes the balancing test, nothing else
Data Protection Complaints (Required by June 2026)
The Act introduces a formal requirement to handle data protection complaints in a specific way.
New obligations
By June 2026, you must:
- Provide a formal complaints process for data protection issues
- Offer an electronic complaint form (email submission at minimum)
- Acknowledge complaints within 30 days
- Respond to complaints without undue delay
What counts as a complaint
A data protection complaint is any expression of dissatisfaction about how you’ve handled personal data. This includes complaints about:
- Privacy rights violations
- Security concerns
- Transparency issues
- Any aspect of your data processing
How this differs from subject access requests
Don’t confuse complaints with subject access requests (SARs). A SAR is a specific right to access personal data. A complaint is broader—it’s about how you’ve handled data protection generally.
You already had to respond to SARs within one month. The complaints requirement is separate and additional.
Setting up your process
What you need:
- A documented complaints procedure explaining how people can complain and what happens next
- An electronic mechanism for receiving complaints (a form, dedicated email address, or online portal)
- Internal workflows to route complaints to the right person and track responses
- Template responses for acknowledgment and resolution
Practical steps:
- Add a complaints section to your privacy policy
- Create a simple online form or dedicated email address
- Train staff to recognise and escalate data protection complaints
- Set up tracking to ensure 30-day acknowledgment
- Document the process for investigating and responding
Subject Access Requests
The Act clarifies and modifies how you handle subject access requests.
“Reasonable and proportionate” searches
The Act clarifies that you only need to conduct “reasonable and proportionate” searches for personal data when responding to SARs. You’re not expected to search every possible location if it’s unreasonable to do so.
This doesn’t mean you can ignore likely locations for data. It means you can apply judgment about what’s proportionate given the nature of the request.
The “stop the clock” rule
When you reasonably need additional information to verify the requester's identity, or to clarify what is being asked for, you can now "stop the clock" on the one-month response deadline until you receive what you need.
How it works:
- Request the additional information clearly and promptly; the clock only pauses from the point you ask
- Explain why you need it
- The clock resumes, not resets, once you receive the information: days already used before the pause still count
- Don't use identity checks as a delaying tactic; only ask for what you reasonably need to be satisfied about who is asking
Charging fees for, or refusing, vexatious or excessive requests
UK GDPR already let you charge a reasonable fee, or refuse to act, where a request was manifestly unfounded or excessive. The Act rewords that test as "vexatious or excessive" and sets out factors to weigh, such as the nature of the request, the requester's relationship with you, the resources available to you, and whether and how recently the request repeats an earlier one.
When you can charge or refuse:
- The request is clearly excessive, for example because it repeats a recent request for the same information
- The request is vexatious, for example because it is intended to cause distress or is not made in good faith
Either way, you carry the burden of demonstrating it, you must tell the individual why and explain their right to complain to the ICO and to seek a judicial remedy, and any fee must be reasonable and reflect the administrative cost. Treat refusal as a last resort: the "reasonable and proportionate" search clarification above usually handles a broad but genuine request better than refusing it does.
Automated Decision-Making
Rules around solely automated decision-making have been relaxed to enable wider use, with safeguards that are now spelled out in the law.
Expanded permitted uses
The old rule was a general restriction on decisions with legal or similarly significant effects that were based solely on automated processing, with narrow exceptions (contract, law, explicit consent). The Act reverses the default for ordinary personal data: such decisions are permitted for any purpose, provided the safeguards below are in place. The stricter regime continues to apply where the decision involves special category data (such as health or biometric data); there you still need explicit consent or another specific legal gateway. The Act doesn't list favoured use cases, but the ones most often cited are:
- Fraud detection and prevention
- Credit risk assessment
- Service improvement and personalisation
Required safeguards
Where you make significant decisions by solely automated means, you must implement:
- Transparency: clear information that a decision has been taken, and about the logic involved and its consequences
- Representations: a way for individuals to put their side before or after the decision
- Human intervention rights: the ability for individuals to obtain a review by a human who can actually change the outcome
- Challenge mechanisms: processes for people to contest decisions
What this means for your organisation
If you’re considering using automated systems for decision-making (including AI), the legal pathway is clearer. But the safeguards are non-negotiable.
Action required:
- Document the logic and purpose of automated systems
- Establish human review procedures
- Update privacy notices to explain automated decision-making
- Create processes for individuals to challenge decisions
Cookie Rules Relaxation
PECR has been amended to allow certain cookies without explicit consent.
Low-risk cookies without consent
You can now set certain "low-risk" cookies without obtaining prior consent. Strictly necessary cookies were already exempt; the new exemptions add:
- Analytics cookies: first-party measurement of how people use your service, used to improve that service
- Functional cookies: those needed to remember user preferences, such as language or display settings
Opt-out still required
Even for low-risk cookies, you must:
- Inform users the cookies are being set
- Provide an easy way to opt out
- Respect opt-out preferences
This isn't a free pass to set all cookies. The exemption is limited to genuinely low-risk, non-intrusive cookies, and the cost of getting the classification wrong has gone up: the Act raises PECR's maximum penalties to the UK GDPR level (£17.5 million or 4% of global annual turnover).
Marketing and tracking cookies
Consent remains mandatory for:
- Advertising and marketing cookies
- Cross-site tracking
- Profiling for commercial purposes
Action required:
- Review your cookie policy and banner
- Identify which cookies qualify as low-risk, and document why for each one
- Implement opt-out mechanisms
- Test that opting out actually stops the cookies being set; a banner that disappears while the cookies remain is not compliance
- Update cookie documentation
Changes Coming to ICO Guidance
The ICO is updating all its guidance to reflect the Act’s changes.
Current state
Existing ICO guidance carries a notice that it’s under review. The guidance remains relevant for core UK GDPR principles, but specific sections may not reflect the Act’s amendments.
Planned updates
The ICO has committed to:
- Updating guidance on recognised legitimate interests
- Publishing new material on complaints handling
- Revising subject access request guidance
- Clarifying automated decision-making requirements
Consultations (closing October 2025)
The ICO is consulting on key topics including:
- How to apply recognised legitimate interests in practice
- What constitutes a “reasonable and proportionate” SAR search
- Safeguards for automated decision-making
If you have views on how these should work in practice, engage with the consultations. ICO guidance shapes how all organisations interpret the law.
What to do while guidance is pending
Don’t wait for perfect clarity. The law is already changing, and you need to prepare based on what you know now. When updated guidance arrives, review and adjust.
EU Adequacy Review
The UK's adequacy decisions under EU GDPR expire on 27 December 2025 unless renewed. This matters if you receive personal data from the EU.
What’s being assessed
The European Commission is evaluating whether the UK maintains data protection standards “essentially equivalent” to EU GDPR. The Data (Use and Access) Act is part of that assessment.
Current indications
The Commission published draft renewal decisions in July 2025, concluding that the UK's framework, including the Act, remains essentially equivalent. The Act's changes are generally considered compatible with EU standards, particularly because the UK is maintaining core protections.
Impact on EU-UK data transfers
If adequacy is maintained (expected):
- Data can continue flowing freely from the EU to the UK
- You don’t need additional transfer mechanisms (like Standard Contractual Clauses) for EU data
If adequacy were revoked (unlikely: it is exactly what the Government doesn't want, as it would be bad news for trade):
- You’d need alternative legal mechanisms for EU transfers
- Additional compliance burden and potential business disruption
Action required:
- Monitor the December 2025 adequacy decision
- If you receive EU data, prepare contingency plans for alternative transfer mechanisms (the EU Standard Contractual Clauses with a transfer risk assessment is the usual fallback)
- Stay informed through ICO and European Commission updates
What Organisations Should Do Now
The Act’s phased implementation gives you time to prepare. Here’s a practical approach.
Immediate actions (by end of 2025)
- Review current policies and procedures to identify what needs updating
- Engage with ICO consultations (deadline October 2025) if you have practical insights
- Identify where recognised legitimate interests apply and update documentation
- Begin developing your complaints handling process to meet the June 2026 deadline
Ongoing actions through 2026
- Review and update cookie policies to reflect relaxed consent rules
- Update privacy notices to reflect changes in how you process data
- Train staff on changes, particularly those handling SARs and complaints
- Monitor ICO guidance updates and adjust when new material is published
Sector-specific considerations
Children's online services: The Act requires online services likely to be accessed by children to take account of children's higher protection needs when deciding how to meet data protection by design obligations. If you operate services accessible to children, pay close attention to these provisions.
Scientific research: Relaxed rules around reusing data for research purposes. If you conduct research, review how this might enable previously restricted activities.
Smart data schemes: New provisions around data sharing for authorized smart data schemes. If you participate in open banking, pensions dashboards, or similar initiatives, understand the new framework.
Digital verification services: Specific rules for digital identity verification. If you provide or use these services, review compliance requirements.
Timeline for Preparation
Plan your preparation around key dates:
- October 2025: Submit responses to ICO consultations if relevant
- December 2025: Monitor EU adequacy review outcome
- Early 2026: Review updated ICO guidance as published
- June 2026: Complaints process must be operational
Build in time for testing, particularly for your complaints process. Don’t wait until June 2026 to discover your complaint form doesn’t work or your acknowledgment workflow fails.
Conclusion
The Data (Use and Access) Act 2025 is not a radical overhaul. It’s a set of targeted amendments designed to reduce burden in specific areas while maintaining protection.
But “modest reforms” doesn’t mean “no action required.” You need to:
- Implement a formal complaints process by June 2026
- Review how recognised legitimate interests apply to your processing
- Update subject access request procedures
- Adjust cookie compliance for low-risk cookies
- Prepare for automated decision-making if relevant
The gradual rollout is helpful—it gives you time to adapt. But don’t mistake phased implementation for optional compliance. The law has changed, and your organisation needs to change with it.
Start with the complaints process. It’s the most concrete new requirement with a clear deadline. While building that, review your legitimate interests assessments and identify where the Act simplifies your approach.
The opportunities are real: easier compliance for recognised activities, clearer SAR procedures, and flexibility for innovation. Take advantage of them, but ensure you meet the new obligations at the same time.