The Data (Use and Access) Act 2025: Key Changes Businesses Should Know
- Tracey O'Connell
The Data (Use and Access) Act 2025 was given Royal Assent on 19 June 2025, bringing with it a series of important updates to the UK's data protection regime to be implemented over the coming months. While the Act doesn’t go as far as the more sweeping changes originally proposed in the earlier (now abandoned) attempts to reform the UK GDPR, there are nonetheless some meaningful shifts that businesses need to be aware of.
Here are three of the key changes:
1. Tougher Penalties for Direct Marketing Breaches
One of the most significant changes is the alignment of fines under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) with the UK GDPR penalty framework.
Previously, breaches of direct marketing rules under PECR were capped at £500,000. Under the new Act, such breaches can now attract fines of up to £17.5 million, or 4% of the total worldwide annual turnover of the preceding financial year (whichever is greater).
This change is a clear warning to businesses: non-compliance with marketing rules is now a much more serious risk. If your organisation sends marketing emails or text messages, or makes marketing calls, it’s time to check your practices and ensure compliance with both the UK GDPR and PECR.
2. Clarity on Subject Access Requests
The Act provides helpful clarification for data controllers responding to subject access requests (SARs). It confirms that controllers are only required to conduct searches that are reasonable and proportionate.
This isn’t a change in the law as such; it reflects existing case law. It is, however, welcome confirmation for employers and other organisations that have had to manage time-consuming and, at times, vexatious SARs. It means there is less room for doubt about the scope of an organisation's obligations and more confidence in pushing back where requests go beyond what is reasonable.
3. A New Complaint Procedure
Previously, individuals could complain directly to the Information Commissioner's Office (ICO), often resulting in organisations receiving unexpected letters or investigations. Under the new Act, individuals must first raise their complaint with the data controller.
Only if the matter isn’t resolved can they escalate it to the ICO (which will be restructured and referred to more simply as the Information Commissioner).
While this change may result in more complaints landing initially with businesses, it should reduce the disruption caused by sudden and sometimes disproportionate ICO involvement. It also gives organisations an opportunity to resolve issues early and demonstrate their accountability.
Other Changes and the Importance of Context
The Act introduces other updates too, some of which may affect the way your business manages data protection compliance. The extent to which these changes apply will depend on the nature and scale of your data processing activities.
It’s important to:
- Reassess your risk profile in light of these changes.
- Review your accountability framework to ensure it remains bespoke and proportionate.
- Consider whether your existing systems and policies need to be updated.
At Lawpoint, we help organisations navigate complex data protection requirements and tailor compliance to what’s appropriate and realistic for your business.
If you’re unsure how these changes affect you or want to review your processes in light of the new Act, get in touch with us for practical, no-nonsense advice. Contact Tracey at 01202 729 444 or email tracey@law-point.co.uk.
