The Data (Use and Access) Act 2025 recently came into force in the UK and makes significant amendments to existing provisions of the Data Protection Act 2018, which affect most organisations.
It’s important to understand the implications of these new requirements for both your clients and your internal operations. Here we look at the differences between the two pieces of legislation and outline the actions you need to take to ensure compliance.
Key differences between the Data (Use and Access) Act 2025 and the Data Protection Act 2018
The Data (Use and Access) Act 2025 introduces several new provisions that expand upon the foundations laid by the Data Protection Act 2018. While the 2018 act focuses mainly on the protection of personal data and the rights of individuals, the 2025 act focuses on the responsible use of and access to data, particularly in the context of emerging technologies and data-driven decision-making such as artificial intelligence (AI).
Scope and Coverage: The 2025 act broadens the scope to include not only personal data but also non-personal data that can impact individuals directly. This includes data generated by AI models, IoT devices and other advanced technologies.
Data Access Rights: Rights for individuals to access and control their data have been enhanced as part of the 2025 act. This includes more stringent requirements for obtaining explicit consent and for providing clear, accessible information about how data is used.
Accountability in Governance: Organisations are now required to implement robust data governance frameworks, including regular audits and assessments, to ensure compliance with the new legislation. For those with an ISO 27001 ISMS, and especially those using the Privacy Information Management System (PIMS) standard ISO 27701, this requirement should be easy to meet.
Technological Safeguards: The act mandates the use of ‘advanced technological safeguards’ such as encryption, anonymisation and pseudonymisation to protect data integrity and confidentiality, going a step further than the Data Protection Act 2018.
Data (Use and Access) Act: actions you need to take now
To comply with the new Data (Use and Access) Act 2025, organisations must undertake several key actions, including:
Conduct a data audit: Identify and categorise all data held by the organisation, including personal and non-personal data. This audit should assess the sources, storage and use of that data.
Update Data Governance Policies: Now is a good time to review your privacy policy and any other policies related to data governance to make sure they align with the new requirements. In particular, focus on establishing clear roles and responsibilities for data protection, even where you’re not required to appoint a data protection officer (DPO).
Enhanced Data Security Measures: Review your IT and physical data security measures and enhance them where possible, for example with encryption and anonymisation. Regularly review these measures to ensure they address emerging threats.
Train Employees: Provide training for employees on the new requirements and on best practices for data protection in general. This will ensure that everyone in the organisation understands their role in maintaining privacy and compliance with this legislation.
Engage with Clients: It’s important to clearly communicate with clients about the changes and how their data will be protected under the new act. Ensure that consent mechanisms are clear and accessible.
Updating Privacy Policies
You should review your privacy policy regularly, and the new requirements of the Data (Use and Access) Act 2025 provide a good opportunity to do so. Key updates include:
Expanded Data Categories: Clearly define the types of data collected including personal and non-personal data.
Enhanced Consent Mechanisms: Detail the processes for obtaining explicit consent and for maintaining the rights of individuals to access and control their data. Note, however, that there are other legitimate reasons for storing and processing data under the Data Protection Act 2018.
Data Usage and Sharing: Provide transparent information about how data is used and shared, including any third-party involvement.
Security Measures: Outline the technological safeguards you have in place to protect data such as encryption and anonymisation.
Contact Information: Ensure that contact information for your data protection officer (DPO), or the relevant person for privacy in your organisation, is up to date and easily accessible. Including this in the privacy policy or on a trust centre page on your website is a good idea.
Do you need help with the Data (Use and Access) Act 2025?
When new legislation comes along it can be hard to know if you’re doing the right thing.
Assent Risk Management has expert privacy and data protection consultants who have experience implementing best practices, including international standards such as ISO 27001 and ISO 27701.
Although you might not need to comply fully with these standards, they’re a good basis for complying with legislation. Our privacy consultants can advise you on the changes that need to be made to your documentation and processes, and can conduct internal audits to verify that they are embedded effectively.
Subscribe to our free monthly legal updates to stay up-to-date with changes.