The UK’s efforts to reform data protection law have finally come to fruition; with the Data (Use and Access) Act (the Act) being adopted on and entering into force on 19 June 2025.
The Act still makes a significant number of changes to UK data protection law. Some of these modifications will make data protection compliance slightly easier for organisations — liberalising the requirements for automated individual decision-making and updates to ePrivacy cookie rules are good examples. There will be a small number of obligations though, too — in particular, privacy notices will have to be amended to refer to a new data subject right to complain. The UK Information Commissioner’s Office will also be re-constituted and given strengthened powers — including in relation to enforcement of ePrivacy breaches.
For more detail, read our comprehensive summary of the changes to data protection law published in IAPP covering the degree of change in UK data protection law. We have also prepared redlines showing the impact of the Act to existing laws. The ICO is planning to update and amend its guidance over the coming months; it will be important to follow this to gauge the real practical impact of some of the provisions.
For more information contact Ruth Boardman, Emma Drake and Alex Jameson.
For further information, please contact:
Ruth Boardman, Partner, Bird & Bird
ruth.boardman@twobirds.com
