The Data (Use and Access) Act 2025 finally received royal assent on the 19th of June 2025. The underlying theme of the changes is consistent with the Government’s agenda to promote innovation and make it easier to do business in the UK. The changes will be phased in over the next 12 months – to June 2026.
A summary of some of the changes is set out below:
- Only special category data, such as medical information, which is processed using automated decision-making tools, and decisions made using those tools, will continue to be subject to the tight controls required by Article 22 GDPR. There will now be more ‘lawful bases’ than previously available for an organisation to use automation techniques to make decisions about individuals based on their personal data. This may open up more opportunities to use artificial intelligence (AI) for organisations that may previously have been restricted from doing so.
- Charities will benefit from a ‘soft opt in’, meaning they can send out e-mail marketing to individuals whose personal data is collected when they support, or express an interest in, the charity’s work, unless the individual objects. This is different to the previous blanket ‘opt in’ requirement.
- Individuals can give broad consent for their personal data to be used for both commercial and non-commercial scientific research purposes. Personal data can also be re-used for scientific research purposes without those individuals being provided with a privacy notice if doing so would be disproportionate. This is subject to an individual’s rights being protected in other ways and to an explanation being published on the organisation’s website.
- Some website cookies, such as those which collect information for statistical purposes or to improve website functionality, can be set without the requirement for consent.
- Organisations only have to make reasonable and proportionate searches in responding to subject access requests (SARs), which firmly confirms the generally accepted position under current case law and guidance.
- Providers of online services which may be used by children are expressly required to take children’s needs into consideration when deciding how to use their personal information, thus mirroring the AADC (Age Appropriate Design Code).
- Organisations must make it clear to individuals how they can submit complaints (e.g. via an electronic form) about how that organisation uses their personal information. Complaints must be acknowledged within 30 days and a response provided ‘without undue delay’.
The information on this site about legal matters is provided as a general guide only. Although we try to ensure that all of the information on this site is accurate and up to date, this cannot be guaranteed. The information on this site should not be relied upon or construed as constituting legal advice and Howes Percival LLP disclaims liability in relation to its use. You should seek appropriate legal advice before taking or refraining from taking any action.