The Data (Use and Access) Act 2025 (the ‘Act’) received Royal Assent on 19 June 2025, with most of the changes coming into force over staggered implementation dates (some of which are backdated and some of which are subject to secondary legislation). The Act amends the UK data privacy regime and although it is not a full-scale transformation, there are nonetheless some important changes for employers to understand.
This article aims to cover the main changes for employers. Please note that there are wider changes, of less significance to employers, which are not covered by this article.
Background
Following Brexit, changes to the UK’s data privacy laws have been long anticipated and, as we noted in our previous article, the previous government attempted to introduce changes, which did not come to fruition before the general election in July 2024.
After the July 2024 election, the new Government introduced the Data (Use and Access) Bill in October 2024 which, in the employment context, amends UK GDPR and the Data Protection Act 2018. The Bill’s explanatory notes state that its purpose is to “harness the power of data for economic growth, support a modern digital government, and improve people’s lives”. It seeks to preserve the privacy rights and protections of individuals, which are a fundamental principle of UK GDPR, while relaxing regulation where possible to unlock the value of data for innovation as part of the Government’s growth agenda.
As noted in our previous article, the Bill was amended during its passage through Parliament before finally receiving Royal Assent on 19 June 2025. We summarise the key provisions relevant to employers in further detail below.
Importantly, much of the Act requires further regulations before it comes into force, so there is not yet certainty as to when those provisions will take effect. Several provisions are, however, already in force, as set out below.
Key provisions of the Act
Data subject access requests (DSARs)
The Act provides some helpful clarifications for employers and codifies some existing principles, including:
- Setting out in statute the ability to ‘stop the clock’ when responding to DSARs (previously set out only in ICO guidance) and the circumstances in which this applies. The Act helpfully gives the example that a company may rely on the stop-the-clock provisions where it reasonably requires further information about a request, for example because it processes a large amount of information about the individual.
- Codifying in legislation the principle that individuals are only entitled to information that the employer is able to provide based on a ‘reasonable and proportionate’ search.
Most of the changes to DSARs require further regulations before coming into force, save for the provisions relating to reasonable and proportionate searches, which are treated as having come into force on 1 January 2024 (i.e. with retrospective effect).
Automated decision-making
The Act relaxes the restrictions on automated decision-making which, under the current rules, take the form of a general prohibition with limited exceptions. The Act narrows that restriction so that it applies only to significant decisions based entirely or partly on the processing of special category data (such as health data or racial or ethnic origin). This opens up the possibility for UK employers to rely lawfully on automated decision-making in a broader set of circumstances. Where special category data is involved, the restriction continues to apply unless one of the specified conditions is met, namely:
- where the individual has given explicit consent (which is unlikely to be appropriate in the employment context, since consent given by an employee is unlikely to be freely given); or
- where the decision is necessary for the performance of a contract, or is required or authorised by law, and the processing is necessary for reasons of substantial public interest.
Note that these exceptions are set at a high threshold and are unlikely to be routinely met in the employment context.
This is a significant departure from the position under EU GDPR and makes it considerably easier for employers to use automated decision-making in their internal processes.
However, employers should still be mindful of the other employment law and data protection considerations that apply to automated decision-making, including the risk of discrimination. In all cases where automated decision-making is used to make a significant decision using personal data, safeguards will still need to be in place, including:
- providing information to individuals about the decisions taken;
- enabling individuals to make representations about such decisions; and
- giving the individual the opportunity to obtain human intervention and to contest the decision.
These changes are not yet in force and are subject to further regulations.
Legitimate interests
Under the current legislation, to rely on legitimate interests as a lawful basis for processing, employers must conduct a ‘balancing test’, weighing the interests served by the processing against the rights and freedoms of the individuals concerned. This can be perceived as complicated and administratively burdensome. The Act:
- introduces a new lawful basis of ‘recognised legitimate interests’, specified in an exhaustive list (which can be amended by regulations), on which businesses can rely without completing the balancing exercise. The list is limited to public-interest matters such as the prevention of crime, national security and safeguarding vulnerable individuals, so it will not be particularly helpful to most employers; and
- includes a non-exhaustive list of examples of processing that may be considered necessary for the purposes of a legitimate interest, to assist businesses, although employers will still need to complete the balancing exercise. Helpfully for employers, processing necessary for the intra-group transmission of personal data (including employee data) for internal administrative purposes is included in the list of examples, which will assist large businesses in justifying processing of this kind.
It was hoped that this adjusted framework would address employers’ concerns but, given the limited number of employment-related clarifications, the balancing exercise will still need to be completed in most cases. As a result, this change has a fairly limited impact on employers at this stage.
These changes are not yet in force and are subject to further regulations.
A new ‘right to complain’
The Act provides that an individual will be able to make a complaint directly to their employer if they consider that there has been a breach of UK data privacy laws in respect of their personal data, and employers must facilitate such complaints by providing a complaints form (electronically or otherwise).
Where a complaint is made, the employer will have 30 days to acknowledge receipt and must then, “without undue delay”, take appropriate steps to respond (such as making enquiries and informing the complainant of progress) and inform the complainant of the outcome. Employers may also be required to report to the new Information Commission (see below) on the number of complaints they receive, although the details of this reporting process are to be set out in regulations.
These changes represent an additional administrative burden for employers, although they may go some way to reducing the number of complaints made to the Commission. They are not yet in force and are subject to further regulations.
International data transfers
The Act lowers the threshold for transfers of personal data to third countries by introducing a new ‘data protection test’: a transfer will be permitted where the standard of protection in the destination country, or provided by the receiving international organisation, is ‘not materially lower’ than that under UK data privacy laws. The intention is to make it easier for businesses to transfer personal data internationally. Transfers may be approved:
- by regulations, where the Secretary of State has approved transfers to a specific country and/or international organisation (this will replace the current ‘adequacy decision’ regime); or
- where appropriate safeguards are used, including new standard data protection clauses capable of ensuring that the new data protection test is met, which are to be published by the Secretary of State in due course.
In addition, derogations remain available for specific circumstances. Note that, as mentioned in our previous article, the EU adequacy decisions for the UK (which permit the free flow of personal data from the EU to the UK) have been extended until 27 December 2025, and the changes enacted by this Act may affect the prospect of further adequacy decisions being granted in respect of the UK. These changes are not yet in force and are subject to further regulations.
General changes
The Act includes a suite of additional changes, including:
- Reform of the Information Commissioner’s Office (ICO), which will be abolished and replaced by a new Information Commission, aligning its enforcement powers and structure with those of other UK regulators. Where it suspects that an organisation is failing to comply with its data protection obligations, the Information Commission will also have new powers to require interviews, to request copies of documents and to require the preparation of reports (in addition to the existing powers to issue enforcement and penalty notices).
- A power for the Secretary of State to add to the list of categories of data that constitute ‘special category’ personal data (but not to remove categories already specified under UK GDPR). The potential for this list to expand is more significant in light of the changes to automated decision-making (see above).
These changes are not yet in force and are subject to further regulations.
Next steps and what employers should consider doing now
As mentioned above, much of the Act requires further regulations before coming into force, but some minor provisions are already in force.
The UK Government has explained that the Act does not replace UK GDPR or the wider data privacy regime (which largely replicates EU GDPR in UK law), but makes changes to them intended to simplify the rules for organisations, encourage innovation and allow responsible data-sharing while maintaining privacy standards. Although the core principles and protections of EU GDPR remain, there are now some differences in approach, and international employers should ensure that they are aware of the differences that could affect their business.
There are several steps employers should take now to prepare for the new regime, including:
- Familiarising themselves with the upcoming changes
- Updating data privacy notices and data protection policies
- Reviewing automated decision-making processes and the safeguards in place, noting that the Act permits a wider scope of automated decision-making than was previously permissible, which may enable employers to take advantage of additional tools and systems (subject to our comments above regarding other employment laws, e.g. discrimination)
- Preparing a complaints form and procedure, which may include preparing a new complaints policy
- Updating internal training to reflect the new rules