Modernising data law: The Data (Use and Access) Act 2025 and the future of the digital economy

When the Data Protection Act 2018 aligned the United Kingdom’s data framework with the EU’s General Data Protection Regulation (GDPR), it set one of the highest global standards for privacy and accountability (UK Government, 2018; European Parliament and Council, 2016). 

That framework shaped how organisations managed information, but over time it came to be seen as too rigid for a fast-moving digital economy.

On 19 June 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent, marking the most significant update to UK data protection law in seven years (legislation.gov.uk, 2025). The DUAA keeps the same commitment to privacy but aims to make data easier to use safely across research, technology, and business. It also gives law enforcement clearer powers to use data more effectively to prevent and investigate crime (ICO, 2025). It simplifies how data rights are exercised and how companies are expected to respond, giving organisations a clearer, more practical structure for compliance. In doing so, the Act marks a new stage in the evolution of digital regulation, redefining how data supports growth, security, and innovation in the modern economy.

The DUAA was introduced to make data law work better for how information is actually used today. The principles introduced in 2018 gave the UK a strong privacy foundation, but they also made everyday compliance complicated and slow. Government analysis accompanying the Act argues that the complexity of the current regulatory regime means firms are not able to take full advantage of the benefits available through effective use of data and data sharing (UK Government, 2024). The new Act keeps the same principles of accountability and transparency but applies them in a way that reflects how quickly technology, data, and digital business are developing (UK Government, 2025a).

It also shows how the UK is responding to the rise of artificial intelligence. While the European Union has chosen to introduce a separate AI Act, the UK has taken a different approach by building flexibility into its existing data laws instead (ICO, 2025). The aim is to create space for innovation and investment without losing sight of individual rights or the need for oversight. In simple terms, the DUAA is about making data law keep up with the pace of modern life rather than holding it back.

The DUAA changes far more than just how data is shared. It reshapes how organisations across the UK collect, use, and manage information. One of the most visible developments is the creation of Smart Data schemes, which build on the success of Open Banking. Open Banking showed that allowing customers to share their information easily can drive competition and innovation. The DUAA extends that approach to other sectors, such as energy and telecoms, where consumers and businesses will be able to share data securely with authorised third parties. This is intended to open markets, improve transparency, and create space for new entrants to compete with established providers (Freshfields, 2025).

Beyond Smart Data, the DUAA introduces a range of reforms that affect almost every organisation handling data. It narrows restrictions on automated decision-making, meaning AI-driven systems can now be used more freely as long as they do not involve special category data. This gives companies greater flexibility to integrate automation while keeping accountability measures in place (Brodies, 2025; ICO, 2025).

The DUAA also updates several other core areas of the UK’s data protection framework. It extends the purpose limitation principle so that research is treated as a legitimate purpose and introduces clearer guidance on how data can be reused responsibly. Certain activities, including direct marketing, network security, and intra-group transfers, are now “whitelisted” as legitimate interests, removing the need for separate assessments in each case (Brodies, 2025).

The DUAA also changes how data rights and complaints are handled in practice. Individuals must now raise issues directly with the organisation before contacting the ICO, and controllers are required to acknowledge complaints within 30 days. Businesses also have more time to verify a person’s identity before the 30-day response window begins for subject access requests, and they only need to respond to requests that are reasonable and proportionate (UK Government, 2025a). Together, these updates aim to keep the process fair for individuals while reducing unnecessary administrative pressure on organisations.

Other updates include reforms to digital verification services, which are now being trialled across sectors, including schemes for veterans. These are intended to make proving identity simpler and safer online, though they may face public debate. While digital IDs could help reduce fraud and make verification faster, many people remain cautious about how such systems might be used or who could access their data (ICO, 2025; UK Government, 2025b). Balancing these concerns with the government’s push for efficiency will be an ongoing challenge.

The DUAA also brings a number of other important changes, such as giving law enforcement clearer powers to use data in preventing and investigating crime and updating cookie and tracking rules so that certain analytics tools can operate more efficiently without prior consent, as long as users can still opt out easily (Brodies, 2025; UK Government, 2025a).

Caelan Grant

Caelan is a first-year Criminology & Law student with The Open University. He is the CEO and founder of Fibeo, a broadband company due to launch in 2026. 

Caelan applies the knowledge and skills he gains through his studies to the daily challenges of building and managing his business.

He has a particular interest in data law and employment law, and how these areas shape the modern digital and workplace landscape.

This is Caelans LinkedIn profile linkedin.com/in/caelan-grant

Reference list