The Data (Use and Access) Act 2025: A no-nonsense guide for in-house legal teams

You’ve just got a handle on UK GDPR. Your DPIAs are in good shape. Maybe – just maybe – you’ve even got the SAR workflow running smoothly.

Enter: the Data (Use and Access) Act 2025.

Another law. More guidance pending. And yes, more pressure on Legal to translate legislative complexity into business action.

If you're an in-house lawyer trying to make sense of it all – here’s what the Act is, how it interacts with existing privacy laws, and what you actually need to do.

What is the Data (Use and Access) Act 2025?

The Act is part of the UK Government’s long-term data strategy – aiming to make the UK a “data-driven” economy while keeping public trust intact.

At its core, the legislation introduces:

  • Smart Data Schemes – sector-specific rules that let individuals and businesses access, control and port their data across service providers (think Open Banking – but for energy, telecoms, and more).
  • Legal duties for data intermediaries – setting transparency, fairness, and security standards for platforms that broker or facilitate data sharing.
  • Extra safeguards for “high-risk” data access – including cross-border transfers, automated decision-making, and sensitive public-sector reuse.
  • A framework for interoperability and data standards – requiring data to be shared in structured, machine-readable formats.

It’s less about whether data can be processed (that’s still GDPR territory) – and more about how it’s accessed, shared, and reused.

How does this interact with UK GDPR and the Data Protection Act 2018?

Short answer: it layers on top.

  • UK GDPR and the DPA 2018 remain the core privacy laws in the UK. They govern how personal data must be collected, processed, and protected.
  • The 2025 Act doesn’t replace them – instead, it governs the mechanics of access and sharing, especially where third parties or sector-level schemes are involved.

That means:

  • A Smart Data request might also be a Subject Access Request (SAR).
  • A data-sharing arrangement under the new Act still needs a lawful basis under GDPR.
  • High-risk access activities may require both a Data Protection Impact Assessment (under GDPR) and a Data Access Impact Assessment (under the new Act).

It’s a compliance add-on, not a carve-out – and legal teams will need to coordinate both frameworks side by side.

Has the ICO issued guidance?

Yes – and it's a helpful starting point.

The Information Commissioner’s Office (ICO) has published initial guidance to help organisations understand the changes introduced by the Act. This includes:

  • A summary of changes to UK data protection law, showing how the Act interacts with existing GDPR and DPA obligations.
  • An overview for organisations, outlining what the Act means in practice and highlighting opportunities to innovate while remaining compliant.

Further guidance is expected as the provisions of the Act roll out, and legal teams should keep an eye on the ICO’s dedicated hub for updates: ICO DUAA Hub

What in-house lawyers need to know

1. You’ll need to revisit contracts

If you share data with suppliers, platforms, or partners, those agreements may need updating – especially around:

  • Smart Data Scheme obligations.
  • Definitions and responsibilities under the new Act.
  • Cross-border data access and high-risk use cases.

2. Your internal policies will need a refresh

Look at how your policies deal with:

  • Responding to access or portability requests.
  • Reviewing algorithmic tools.
  • Using or supplying data intermediaries.

Clarity and consistency across legal, tech, and data teams will be key.

3. Cross-functional coordination just got more urgent

The Act isn’t just a legal issue. Implementation sits at the crossroads of Legal, Tech, Ops, and Compliance.

You’ll need to partner up on:

  • Mapping current data-sharing arrangements.
  • Building new access or interoperability pathways.
  • Training internal stakeholders.

4. SARs may increase – and become more complex

With more formalised rights to access data under Smart Data Schemes, expect a rise in individual and third-party requests. Some will be GDPR SARs; others will be under the new Act. Many will be both.

You’ll need to align systems and comms to handle these requests quickly and clearly.

5. There’s still lots to be clarified

Many terms (e.g. “high-risk access”, “data intermediary”) are open to interpretation. The ICO and sector regulators will issue guidance – but in the meantime, be prepared to:

  • Apply judgement.
  • Document your rationale.
  • Adapt as the picture evolves.

Final thought: Make calm, clear decisions – even if the law isn’t

For busy in-house teams, the Act is another plate to spin. But with a clear plan and a cross-functional approach, it doesn’t have to derail you.

Start by reviewing your contracts, policies, and data-sharing map. Make friends with your tech team. And stay close to the guidance as it drops.

This isn’t about perfection – it’s about being proactive, prepared, and pragmatic.

And if you need support? We’ve got your back.
