The Data (Use and Access) Act 2025 has now become law. While the Act doesn’t introduce significant change, it makes a number of adjustments designed to clarify data protection law and to better balance the compliance burden on organisations against adequate protection for individuals.
Most of the Act’s provisions will come into effect gradually through regulations made between now and June 2026. However, one clarification is already in force: when responding to a data subject access request, employers (and other data controllers) are only required to carry out reasonable and proportionate searches. This reflects existing case law but provides helpful clarification.
Upcoming changes to be aware of
Further changes of interest to employers will come into force at a later date. These include additional clarity on and codification of the legitimate interest basis for processing personal data.
The Act provides for a new lawful basis where processing is for the purposes of a ‘recognised legitimate interest’. This category will include:
- Disclosure to a person carrying out a public interest task
- Detecting, investigating or preventing crime, or apprehending offenders; and
- Safeguarding vulnerable individuals.
Where a recognised legitimate interest is relied on, no balancing assessment is required.
The Act also sets out a non-exhaustive list of examples that can amount to a ‘standard’ (i.e. non-recognised) legitimate interest for the purposes of the UK GDPR which includes:
- Processing necessary for the purposes of direct marketing; and
- Intra-group transmission of client, employee, or other individuals’ personal data for internal administrative purposes.
Where the standard legitimate interest basis is used – even if it falls within one of these examples – employers will still need to assess whether their interests are outweighed by those of the employee or data subject.
The circumstances in which significant decisions may be made about an individual based solely on automated processing will be expanded to allow such decisions to be made in a wider range of situations, provided appropriate safeguards are implemented – such as the opportunity to obtain human intervention in the decision.
Organisations will be required to have a data protection complaints procedure in place, acknowledge complaints within 30 days, and respond without undue delay.
What employers should do now
Although only a few of the Act’s changes are currently in force, this is a good opportunity for businesses to review their data processing activities and policies. Ensuring these are up to date will help ease the transition when the remaining provisions take effect.
If you do not already have one, now is a good time to develop a data protection complaints process.
Published 6 August 2025