The Impact of the Data Use Access Act 2025 on Businesses

The Data (Use and Access) Act 2025, originally introduced as a bill and debated in both the House of Lords and House of Commons, received royal assent on June 19, 2025, marking the most comprehensive transformation of the United Kingdom’s data protection landscape since Brexit.

This legislation, now commonly referred to as the DUAA (Data Use and Access Act), promises to inject £10 billion into the British economy while fundamentally reshaping how organisations handle data processing, access, and innovation across multiple sectors. The new data laws significantly enhance organisations’ ability to innovate, grow, and improve efficiency by empowering them to utilise data more confidently and responsibly.

For UK business leaders, data professionals, and legal teams, understanding the DUAA is essential for maintaining compliance and capitalising on new opportunities. With the act now in force, organisations must grasp its core elements to adapt their strategies and operations accordingly, as the DUAA facilitates innovation and introduces key legal changes in data protection.

Key Takeaways

The Data (Use and Access) Act 2025 represents a strategic pivot toward innovation-friendly data regulation without compromising protection standards. Here are the essential points every organisation needs to understand:

• Royal Assent and Economic Boost: The Data (Use and Access) Act 2025 received royal assent on June 19, 2025, marking a significant legal milestone and is projected to inject £10 billion into the UK economy by reducing bureaucracy and fostering innovation.

• Healthcare Transformation: The act enables real-time data access across NHS systems, saving 140,000 administrative hours annually and significantly improving patient care coordination and emergency response. It also allows patients and providers to receive faster and more precise answers to healthcare queries, thereby reducing frustration and facilitating better decision-making.

• Regulatory Overhaul and Enforcement: The establishment of the new Information Commission replaces the Information Commissioner’s Office with expanded powers, including increased maximum fines of up to £17.5 million or 4% of global turnover, enhancing data protection enforcement across sectors.

For example, in the healthcare sector, the act enables doctors to instantly access up-to-date patient records, resulting in quicker diagnoses and more accurate treatment plans. This practical benefit demonstrates how the act delivers timely answers and streamlines processes for both patients and providers.

The act is also designed to make everyday life easier and more efficient for citizens by reducing administrative burdens and improving access to public services.

The act also introduces significant changes to how organisations can process data for research, innovation, and consumer services, while maintaining robust protections for individuals’ privacy rights.

What is the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 is comprehensive legislation that modernises the UK’s data protection framework for the digital age. Rather than entirely replacing existing laws, the act strategically amends core statutes, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) (PECR), facilitating a transition from old to new frameworks.

This legislative approach ensures continuity while introducing essential updates for modern data challenges. The act establishes new frameworks for lawful data access and processing across various sectors, including healthcare, finance, utilities, and education technology. As part of these frameworks, the act provides for the creation of new registers, digital services, and data management systems to support regulatory compliance and privacy considerations.

The legislation establishes explicit pathways for accessing customer and business data, enabling enhanced services such as improved price comparison tools, real-time healthcare coordination, and streamlined financial services. These changes support the government’s vision of a data-driven economy that strikes a balance between innovation and robust protection measures.

Key sectors benefit from tailored provisions that address specific operational needs while maintaining consistent protection standards. The act recognises that different industries require different approaches to data handling, particularly in areas like social care, emergency services, and scientific research.

Key Changes to Data Protection Laws

The act introduces substantial modifications across multiple areas of data regulation, creating a more flexible yet secure framework for modern data use. It is designed to protect personal information while enabling organisations to use data responsibly. Additionally, the act clarifies how data should be handled in legal or regulatory matters, ensuring compliance and proper data preservation in official scenarios.

Updates to UK General Data Protection Regulation Requirements

The most significant changes affect legitimate interest grounds for data processing. Organisations can now rely on streamlined risk assessments in specified circumstances, particularly when processing data for innovation and research purposes. This reduces administrative burden while maintaining protection standards.

The act clarifies when organisations can process personal data without conducting complete legitimate interest assessments, provided they follow prescribed guidelines and implement appropriate safeguards. This change particularly benefits technology companies, research institutions, and organisations developing new services.

Amendments to Data Protection Act 2018 Provisions

New rules for digital verification services create standardised frameworks for identity confirmation across the public and private sectors. These amendments support the development of secure digital identity systems while ensuring consistent protection standards.

The act also introduces updated provisions for sector-specific regulatory powers, allowing tailored approaches for different industries. This includes special considerations for children’s services, where enhanced protections apply to the processing of young people’s data. The act explicitly addresses investigations and protections related to child safety, including the handling of child data and measures to support inquiries into incidents affecting children.

Modifications to Privacy and Electronic Communications Regulations

Perhaps the most immediately noticeable change affects cookie usage. Certain cookies and analytics tools can now be deployed without explicit user consent in prescribed, low-risk circumstances. This reduces friction for web-based services while maintaining meaningful consent requirements for higher-risk data processing.

The modifications also clarify rules around electronic marketing and communications, providing clearer guidance for businesses operating digital services and platforms.

Research and Innovation Support

The act establishes clearer routes for universities, think tanks, and private research bodies to process data lawfully. These provisions aim to support scientific advancement and technological development while ensuring appropriate oversight and protection measures. As part of the regulatory framework, the act also provides for the grant of licences or permissions, such as smart meter communication licences, to facilitate secure and compliant data use in innovative projects.

Restrictions on automated decision-making are partially relaxed, allowing more sophisticated AI-driven analysis and decision processes. However, organisations must implement the specified controls and transparency measures outlined in the updated regulatory guidance.

Economic Impact and Benefits

The government’s impact assessment projects that the Data (Use and Access) Act 2025 will deliver approximately £10 billion in economic benefits, primarily through reduced administrative burdens and facilitation of new data-driven business models. By enabling better access to data and increasing competition, the act helps consumers and businesses save money on bills and services, leading to more informed financial decisions and enhanced economic growth.

Healthcare Sector Transformation

The NHS stands to benefit substantially from real-time access to data. The projected 140,000 hours of annual administrative savings come from eliminating duplicate data entry, reducing transfer delays, and enabling more efficient patient care coordination.

Emergency services gain immediate access to patient records, potentially saving lives through faster and more informed treatment decisions. GP surgeries, hospital trusts, and ambulance services can now share critical information seamlessly, improving continuity of care and reducing medical errors.

Social care providers also benefit from improved data coordination, enabling better support for vulnerable individuals and more efficient resource allocation.

Law Enforcement and Public Safety

Police forces will benefit from enhanced investigative capabilities through improved access to data and increased collaboration across forces. The act enables more efficient information sharing while maintaining appropriate oversight and protection measures.

This improved coordination enables faster investigations, more effective resource allocation, and improved public safety outcomes across various jurisdictions and police services.

Infrastructure and Utilities

Data-sharing improvements accelerate infrastructure projects, particularly road construction and other related activities. The act enables local authorities and contractors to carry out roadworks and manage asset information more efficiently, reducing delays and improving project planning efficiency.

The utilities sectors benefit from enhanced customer data portability, driving more effective price comparison tools and increased market competition. Consumers can more easily switch providers and access better deals, while suppliers gain clearer frameworks for data handling and customer acquisition.

Technology and Science Advancement

The act’s innovation-friendly provisions position the UK as a leader in technology development and scientific research. Enhanced data access and more permissive research environments support advancement in artificial intelligence, health technology, and other critical sectors.

This competitive advantage helps attract international investment and talent while supporting domestic innovation across multiple industries.

Healthcare Data Transformation

Healthcare represents one of the most significant areas of transformation under the new legislation. The act establishes unified standards for the processing of health and social care data, enabling unprecedented coordination across the healthcare system.

Real-time data flows between NHS trusts, GP surgeries, ambulance services, and other providers eliminate many current inefficiencies. Patient transfers become seamless, with receiving facilities having immediate access to complete medical histories and current treatment plans.

Emergency response capabilities improve dramatically through immediate access to patient records. Paramedics and emergency department staff can make informed treatment decisions based on complete medical information, potentially preventing adverse reactions and improving outcomes.

The legislation also supports data-driven research and development within the healthcare sector. Anonymised patient data can be used more effectively for medical research, drug development, and healthcare planning, accelerating improvements in treatment and care delivery.

These changes maintain strict privacy protections while enabling the data sharing necessary for modern healthcare delivery. Patients retain control over their information while benefiting from improved care coordination and reduced administrative delays.

New Information Commission

The establishment of the Information Commission represents a fundamental shift in UK data regulation. This new body replaces the Information Commissioner’s Office (ICO) with expanded powers and a more robust governance structure.

Enhanced Regulatory Authority

The Information Commission gains significant new enforcement capabilities, including the power to compel witnesses and request detailed reports during investigations. These expanded powers enable more thorough investigations and more effective enforcement of data protection requirements.

Maximum fines increase to £17.5 million or 4% of the global annual turnover, bringing penalties in line with the most serious breaches under the UK GDPR while extending to a broader range of violations, including those under PECR.

Governance Structure

The Commission operates under a new board structure comprising executive leadership and seven non-executive members. The government has announced the launch of a recruitment campaign for these non-executive positions, with applications closing on August 1, 2025, demonstrating the government’s commitment to establishing robust oversight mechanisms.

This governance structure aims to deliver a more “modernised” and “balanced” approach to regulation, explicitly mandated to support responsible innovation while protecting data subjects’ interests.

Sector-Specific Guidance

The Commission will issue new codes of practice for emerging technologies, including artificial intelligence, digital health, and educational technology. These sector-specific guidelines offer tailored compliance frameworks that maintain consistent protection standards.

The Commission also supports regulatory “sandboxes” and innovation hubs, providing statutory backing for experimental approaches to data regulation in controlled environments.

Innovation and Technology Support

The act creates substantial support mechanisms for innovation across multiple technology sectors. Updated data protection frameworks specifically encourage responsible innovation while maintaining robust protection standards.

Streamlined Compliance for Innovation

Technology companies, particularly startups and emerging businesses, benefit from clarified legitimate interest provisions. These changes reduce unnecessary barriers while ensuring appropriate risk management and protection measures.

The legislation provides explicit support for digital verification services and digital identity frameworks, enabling more sophisticated identity management across the public and private sectors.

Artificial Intelligence and Machine Learning

The act enables more flexible data use for training, testing, and deploying machine learning systems. Organisations can process data for AI development under clearer legal frameworks, supporting the UK’s position in global AI competition.

Automated decision-making restrictions are partially relaxed, allowing more sophisticated AI-driven processes provided organisations implement appropriate controls and transparency measures.

Research and Development

Universities, think tanks, and private research organisations gain clearer pathways for lawful data processing. These provisions support scientific advancement and technological development while ensuring appropriate oversight.

The act also facilitates international research collaboration by providing frameworks for secure data sharing with international partners, supporting the UK’s role in global research networks.

Consumer Data Access Expansion

The legislation significantly enhances consumer rights and access to personal data, building upon existing frameworks, such as open banking, to create comprehensive data portability across multiple sectors.

Enhanced Third-Party Access

Consumers gain stronger rights to authorise third parties to access their personal and business data in secure, standardised formats. This expansion enables better price comparison tools, enhanced financial services, and more personalised service offerings.

The concept of “smart data schemes” extends beyond banking to utilities, telecommunications, and other consumer services. These schemes enable consumers to share their data securely with authorised service providers for comparison and switching purposes.

Improved Market Competition

Enhanced data portability drives increased competition in the utilities and telecommunications sectors. Consumers can more easily compare services and switch providers, while businesses gain clearer frameworks for accessing customer data with appropriate consent.

These changes particularly benefit small and medium enterprises, which gain better access to the data necessary for competitive service offerings and customer acquisition.

Business Data Rights

The act introduces new provisions for business data access and portability, specifically designed to support small and medium-sized enterprises. Businesses can more easily access and transfer their operational data, reducing switching costs and increasing competition in business services markets.

Implementation Timeline

The Data (Use and Access) Act 2025 follows a carefully planned phased implementation approach, recognising the complexity of changes and the need for adequate preparation time.

Immediate Changes (2-6 Months)

The majority of provisions take effect between two and six months after royal assent, with full implementation targeted for late 2025. These include basic compliance requirements, updated consent mechanisms, and enhanced regulatory powers.

Organisations should prioritise reviewing existing data protection policies and preparing staff training for these immediate changes.

Complex Provisions (6-12 Months)

More technically challenging provisions, particularly those affecting digital verification and sector-specific open data schemes, may be delayed up to twelve months. This extended timeline allows for stakeholder consultation and technical preparation.

Secondary legislation will specify precise commencement dates for different provisions, with detailed guidance released throughout the implementation period.

Ongoing Support

The Information Commission is releasing updated guidance as each provision comes into force. This includes sector-specific codes of practice and educational resources to support the adaptation of businesses and the public sector.

Regular stakeholder consultation ensures that implementation challenges are addressed promptly and that guidance remains practical and relevant.

Organisational Compliance Requirements

Organisations across all sectors must undertake comprehensive compliance reviews to align with the new regulatory framework.

Policy and Procedure Updates

A thorough review of existing data protection policies is essential to ensure alignment with new requirements. This includes updating privacy notices, consent mechanisms, and data processing procedures to reflect expanded lawful bases and new regulatory requirements.

Staff training programs must address updated requirements, particularly relating to consent mechanisms for cookies and data access, complaint handling procedures, and enhanced protections for children’s services.

Enhanced Regulatory Oversight

Organisations should prepare for increased regulatory scrutiny, including potential on-site investigations, witness requests, and more significant penalties for non-compliance. This requires robust documentation of data processing decisions and clear accountability frameworks.

Practical preparation includes early engagement with Information Commission updates, subscribing to sector-specific guidance, and documenting data processing decisions in anticipation of enhanced reporting and accountability requirements.

Complaint Handling

The act introduces specific requirements for complaint handling processes. Organisations must implement explicit procedures to manage and resolve data protection complaints effectively, with clear timelines and escalation procedures.

Children’s Services

Enhanced protections apply to services used by children, requiring special consideration for consent mechanisms, data processing purposes, and risk assessments. Organisations serving young people must carefully review their procedures to ensure compliance with the strengthened requirements.

Regulatory Support and Guidance

The Information Commission is providing comprehensive support to help organisations navigate the transition to the new regulatory framework. This includes written guidance, summaries, and codes of practice to support compliance.

Updated Guidance Release Schedule

New guidance is released as each provision comes into force, ensuring organisations have current information for compliance planning. This includes practical implementation guides, sector-specific advice, and template documentation.

Sector-Specific Codes of Practice

Special codes of practice are being developed for educational technology (EdTech), digital health, and AI deployments. These codes provide tailored guidance while maintaining consistency with overall regulatory principles.

Additional codes address open data and smart data scheme participation, handling subject access and data portability requests under new frameworks, and managing international data transfers.

Educational and Outreach Programs

Comprehensive educational outreach and public awareness campaigns support the adaptation of businesses and the public sector. These programs include webinars, workshops, and consultation sessions to address specific implementation challenges.

The government has published full impact assessments and regulatory summaries on the GOV website.UK to assist organisations in compliance preparatory work and strategic planning.

Stakeholder Consultation

An ongoing stakeholder consultation process ensures that sector-specific guidance remains practical and responsive to real-world implementation challenges. This collaborative approach helps identify potential issues early and develop effective solutions.

Conclusion

The Data (Use and Access) Act 2025 marks a watershed moment for UK data regulation, striking a balance between supporting innovation and implementing robust protection measures. With implementation already underway following royal assent in June 2025, organisations must act swiftly to ensure compliance while capitalising on new opportunities.

At GDPR Local, we specialise in helping organisations navigate complex data protection changes. Our expert team provides comprehensive compliance support, from policy development to staff training, ensuring your organisation is ready for the Data (Use and Access) Act 2025. Contact us today to discuss how we can support your transition to the new regulatory framework and help you capitalise on these significant opportunities.

Frequently Asked Questions

When did the Data (Use and Access) Act 2025 become law?
The act received royal assent on 19 June 2025, officially integrating comprehensive data protection reforms into UK law.

What economic benefits does the act provide?
The government estimates the act will inject approximately £10 billion into the UK economy by reducing administrative burdens and fostering innovation across multiple sectors.

What is the new regulatory body replacing the Information Commissioner’s Office?
The act establishes the new Information Commission, which has enhanced enforcement powers and a governance structure including seven non-executive members to oversee data protection regulation.