The UK’s Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, with its provisions being brought into force in stages through commencement regulations. It updates the UK’s data protection framework, building on existing laws such as the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). The aim is to clarify certain obligations and support the use of data across business, government and technology sectors. What are the core provisions of the Act that businesses should take note of? Our team of Data Protection Officers (DPOs) examines what the Act means for privacy teams and organisations currently operating under UK data protection law.
Key changes businesses and organisations need to know
The Act amends several existing rules and introduces new mechanisms covering the use of personal data, automated decision-making, cookies and marketing. Specifically:
- Organisations may rely on legitimate interests for certain clearly defined purposes, such as fraud prevention, without repeating a full balancing assessment in every instance. This change is aimed at reducing unnecessary duplication while keeping the requirement that data use remains necessary, proportionate and well documented.
- The stricter rules on solely automated decision-making are now limited to decisions that involve special category (sensitive) personal data, such as health or ethnicity. Other automated decisions may proceed with fewer procedural steps, provided safeguards such as the ability to contest the decision and obtain human intervention remain in place and the core data protection principles are upheld.
- Certain low-risk cookies, such as those used solely to improve or measure service delivery, may be set without user consent. At the same time, the maximum penalty for breaching the cookie and direct-marketing rules (PECR) rises to £17.5 million or 4 percent of global annual turnover, whichever is higher, bringing it in line with the UK GDPR. Organisations should re-examine their cookie practices to confirm which cookies fall within the new exemptions and that consent is still obtained for everything else.
- The Act sets out clearer duties for public authorities, including the NHS, to share certain categories of data where appropriate. These measures are intended to support operational improvements, such as faster ambulance handovers and better access to underground infrastructure information.
- The Act creates a legal framework for digital verification services, allowing individuals to prove their identity and reuse verified credentials securely. It also enables smart data schemes, under which individuals can direct the sharing of specific categories of their data, such as energy usage, with authorised third parties in order to receive tailored services or better offers.
Implications for DPOs and privacy teams
The Act requires updates across several core areas of compliance. A first priority is to review records of processing activities (ROPAs) and the lawful bases recorded in them, especially where newly permitted purposes such as fraud prevention are relied on. For organisations operating internationally, a centrally maintained register may need UK-specific entries, since these changes apply to the UK regime only and not to the EU GDPR.
Automated systems should be assessed to identify whether sensitive personal data is involved and whether safeguards remain appropriate. DPOs should work with technical teams to review AI decision logic and data flows, especially in tools used for diagnostics, personalisation, or behavioural analysis.
On cookies and marketing, DPOs should check whether banners, consent mechanisms and the associated audit trails align with the revised legal framework, in particular which cookies now fall within an exemption and which still require consent. This is important for platforms collecting user preferences, behavioural data or health-related information via digital channels. Similarly, where data is shared with public bodies, privacy teams should ensure that contracts, access controls and data minimisation align with the statutory duties.
Also, DPOs should evaluate how digital identity and smart data schemes may impact internal consent processes, third-party data access, and credential management. This is especially relevant for businesses working in identity verification, health data platforms, or consumer-facing utilities. Implementation will often require coordination across legal, engineering, and data governance teams.
Outlook
While many of the changes are clarificatory rather than structural, they nonetheless require careful review. This is particularly relevant for organisations involved in large-scale processing, automation, or collaboration with the public sector. Further guidance from the Information Commissioner’s Office (ICO) and sector-specific updates are expected over the coming months.
Now is the time for organisations to take stock: revisit lawful bases for processing, review how sensitive data is used in automated systems, and start preparing for future developments in digital identity and smart data.
At HewardMills, we help organisations stay ahead of regulatory change. Whether it’s through governance reviews, policy updates, or preparing for cross-border compliance, our team offers practical, tailored support to help you move forward with confidence.