UK data reform: Where have we landed?

The U.K.’s efforts to reform data protection law have finally come to fruition; the Data (Use and Access) Act having received Royal Assent and come into being on 19 June 2025.

This completes a journey that began on 23 October 2024 with the first reading of the Data (Use and Access) Bill in the House of Lords. Although less extensive than the previous government’s proposed legislation, the Data Protection and Digital Information (No.2) Bill, the Act still makes a significant number of changes to U.K. data protection law. Some of these modifications will make data protection compliance slightly easier for organizations — liberalizing the requirements for automated individual decision-making is a good example. There will be a small number of obligations though, too — in particular, privacy notices will have to be amended to refer to a new data subject right to complain. The U.K. Information Commissioner’s Office will also be re-constituted and given strengthened powers — including in relation to enforcement of ePrivacy breaches.

This is a comprehensive summary of the changes to data protection law. The ICO is planning to update and amend its guidance over the coming months; it will be important to follow this to gauge the real practical impact of some of the provisions. Many organizations will have benchmarked their privacy programs against the EU General Data Protection Regulation, and some changes will make life easier, others more difficult, by comparison with GDPR.