The Data (Use and Access) Act 2025 has finally received Royal Assent after months of parliamentary debate, marking a pivotal moment for UK data governance. For Chief Data Officers across British organisations, this legislation represents both an opportunity and a challenge: whilst it offers new freedoms to innovate with data, it also requires careful navigation to maintain compliance and preserve the UK's critical EU adequacy status.
The Act, which came into law on 19 June 2025, amends rather than replaces existing UK data protection legislation. Unlike its more ambitious predecessor bills, this measured approach demonstrates the government's recognition that data governance reform must balance innovation with privacy protection. For CDOs, understanding these nuanced changes and implementing them strategically will be essential for organisational success.
Understanding the legislative landscape
The Data (Use and Access) Act represents the culmination of several years of post-Brexit data protection reform attempts. Previous iterations, including the more extensive Data Protection and Digital Information Bill, ultimately expired before implementation. This final version adopts a pragmatic approach, carefully designed to enhance business flexibility whilst preserving the UK's adequacy status with the European Union.
The timing is particularly significant. The European Commission's review of the UK's adequacy status has been extended until 27 December 2025, providing a critical window for organisations to implement the new provisions whilst demonstrating continued commitment to data protection standards. For CDOs, this creates both urgency and an opportunity to position their organisations advantageously within the evolving regulatory framework.
Key changes affecting CDO strategy
Automated decision-making revolution
Perhaps the most significant change for data-driven organisations concerns automated decision-making. The Act substantially relaxes restrictions on solely automated decisions that produce legal or similarly significant effects on individuals, provided special category data is not involved. This shift moves the UK away from the EU's more restrictive approach, potentially offering competitive advantages for British businesses.
However, safeguards remain essential. Organisations must provide individuals with information about significant decisions, enable them to make representations and challenge such decisions, and ensure human intervention is available when requested. For CDOs, this means developing governance frameworks that can operationalise these requirements whilst maintaining the efficiency benefits of automated systems.
The practical implications are substantial. Financial services organisations can now more readily deploy automated lending decisions, whilst retailers can implement sophisticated pricing algorithms with reduced regulatory burden. However, CDOs must ensure their teams understand the boundary between general automated processing and "significant decisions" that trigger additional safeguards.
Enhanced legitimate interests framework
The Act introduces a non-exhaustive list of processing activities presumed to be in the legitimate interests of data controllers, including fraud prevention, network security and certain internal administrative purposes. This provides greater certainty for routine business operations and reduces the burden of detailed balancing tests for recognised activities.
For CDOs, this change offers opportunities to streamline data processing operations and reduce compliance requirements. However, it also requires careful documentation to demonstrate reliance on recognised legitimate interests and ensure appropriate transparency obligations are met. Organisations should review existing processing activities to identify where the enhanced framework provides operational benefits.
Scientific research flexibility
The legislation clarifies that scientific research can encompass commercial research activities, providing greater flexibility for organisations seeking to leverage data for innovation. The Act allows for "broad consent" to research areas and permits data reuse for compatible research purposes with streamlined privacy notice requirements.
This change is particularly relevant for healthcare, pharmaceutical and technology organisations where research and development activities often blur traditional boundaries. CDOs should consider how these provisions might enable more efficient data utilisation whilst ensuring robust governance around research activities.
Data subject rights modernisation
The Act codifies existing ICO guidance regarding data subject access requests, requiring only "reasonable and proportionate" searches for relevant information. Additionally, organisations can now charge reasonable fees for manifestly unfounded or excessive requests, providing protection against abusive data requests.
A new requirement mandates that controllers establish formal complaint procedures, including electronic complaint forms and acknowledgement within 30 days. For CDOs, this means implementing systematic approaches to handle data protection complaints efficiently whilst maintaining positive customer relationships.
Implementation timeline and practical steps
Immediate actions (June-August 2025)
The most pressing change already in effect concerns data subject access requests. CDOs should immediately review and update data access procedures to reflect the "reasonable and proportionate" search requirement, which applies retrospectively from 1 January 2025. This largely codifies existing best practice but provides legal certainty for proportionate responses.
From 19 August 2025, the ICO gains enhanced powers to send notices electronically and compel document production. CDOs should prepare their teams for potentially more efficient but also more frequent regulatory interactions.
Medium-term implementation (September 2025-March 2026)
Most substantial changes will be implemented within six months through secondary legislation. CDOs should prepare for:
- Automated decision-making updates: review existing algorithmic systems to identify opportunities for enhanced efficiency whilst implementing required safeguards
- Legitimate interests optimisation: audit current processing activities against the new recognised categories and update privacy notices accordingly
- Research governance enhancement: evaluate opportunities for data reuse under the expanded research provisions
- Complaints procedure establishment: design and implement formal data protection complaints handling systems
Strategic planning (2026 and beyond)
Looking ahead, CDOs must consider the broader implications of UK data governance divergence from EU standards. Whilst the current changes are modest, they signal a trajectory towards distinctly British approaches to data regulation. This creates opportunities for competitive advantage but also risks regarding international data flows.
The ICO's planned guidance updates will be crucial for implementation. Expected publications include automated decision-making guidance (Winter 2025/2026), recognised legitimate interests clarification and international transfers frameworks. CDOs should actively engage with these consultations to shape practical implementation approaches.
Maintaining EU adequacy status
Throughout implementation, CDOs must remain cognisant of the UK's EU adequacy review. The European Data Protection Board has emphasised that the December 2025 extension is "technical and time-limited", requiring careful assessment of the Act's provisions. Whilst government and ICO officials express confidence that adequacy will be maintained, any negative determination would significantly complicate international data transfers.
CDOs should develop contingency plans for potential adequacy challenges, including enhanced due diligence for EU data transfers and consideration of alternative legal mechanisms such as Standard Contractual Clauses. Regular monitoring of European Commission statements and data protection authority guidance will be essential for anticipating potential issues.
Building organisational capability
Successfully implementing the Data (Use and Access) Act requires more than policy updates; it demands enhanced organisational capability. CDOs should focus on:
- Skills development: ensure data protection teams understand the nuanced changes and can provide practical guidance to business colleagues navigating new opportunities
- Cross-functional collaboration: work closely with legal, compliance and business teams to identify where new provisions create value whilst maintaining appropriate controls
- Technology integration: leverage existing data governance platforms to implement new requirements efficiently, particularly around automated decision-making safeguards and complaints handling
- Stakeholder communication: clearly communicate changes to executive leadership, highlighting both opportunities for innovation and ongoing compliance requirements
Conclusion
The Data (Use and Access) Act 2025 represents evolutionary rather than revolutionary change to UK data protection law. For CDOs, this creates a manageable implementation challenge with genuine opportunities for organisational benefit. The key to success lies in understanding the subtle but significant shifts in regulatory approach and translating these into practical operational improvements.
As the UK continues to develop its post-Brexit data governance identity, CDOs have the opportunity to position their organisations at the forefront of responsible data innovation. By implementing the Act's provisions thoughtfully and maintaining vigilance regarding EU adequacy developments, data leaders can help their organisations thrive in the evolving regulatory landscape whilst building lasting competitive advantages through enhanced data capabilities.
The implementation roadmap is clear: start with immediate compliance requirements, prepare systematically for phased introductions and think strategically about long-term positioning. For UK CDOs, the Data (Use and Access) Act offers a pathway to enhanced data utility within a framework of continued protection and trust.