Changes to UK data protection legislation – UK Data (use and access) Act 2025

30th June 2025

James Howarth, Associate

In July 2024, the government announced proposed changes to UK data protection legislation. The proposal intended to make changes to data protection laws as part of a push for growth. The idea being that change would promote innovation and economic growth by making things easier for organisations, whilst still protecting people and their data protection rights.

On 11 June 2025, the UK’s Data (Use and Access) Act 2025 (“DUAA”) passed and now awaits Royal Assent. It is expected to be phased in between June 2025 and June 2026.

The DUAA amends, but does not replace, the UK General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.

In reality, the changes under the DUAA are somewhat limited, and will not lead to any material changes in the way that businesses operate in the UK. However, there are a few proposed changes that may be relevant from an employment law perspective:

  • There is a new ‘recognised legitimate interests’ lawful basis for processing personal data. Currently, when relying on a business’s legitimate interests to process an individual’s personal data, businesses must balance the impact of this processing on the individual against the benefits to the business arising from that processing. This commonly involves businesses undertaking a data protection impact assessment to ensure that they have adequately balanced the impact, risk and benefit. Under the new ‘recognised legitimate interests’ lawful basis, businesses will no longer have to undertake this balancing test. This in theory will save businesses time and resources, and allow for freer processing of personal data.
  • Currently businesses can only use an individual’s personal data for the reason it was collected. The DUAA now introduces an assumption of compatibility. This means businesses will be allowed more flexibility to re-use personal information so long as it is compatible with the original purpose it was collected for. Previously, if you wanted to do this, you would have to undertake a compatibility test. So, for example, if you collected an employee’s phone number for emergency purposes, it may be that you can use that for other limited reasons that are compatible with the original purpose, such as contacting them to let them know there has been an office/site closure.
  • The DUAA makes it clear that, when complying with subject access requests, businesses need only undertake a reasonable and proportionate search of their systems when someone asks for access to their personal information. This is the position currently; however, it is only set out in ICO guidance as opposed to primary legislation. This will be rectified by the DUAA.

There are other changes that will be implemented by the DUAA, so if you would like to discuss these changes, or data protection and subject access requests generally, please contact the team at info@kuits.com.
