16 July 2025
Data (Use and Access) Act 2025: what do you need to do?
By Jess Pembroke, Director of Information Law Services
The Data (Use and Access) Act 2025’s primary function is to amend existing legislation, particularly the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations (PECR) and the UK General Data Protection Regulation (UK GDPR). This means it does not replace these laws but modifies and supplements them, especially in areas like lawful grounds for processing, marketing, and archiving in the public interest. However, the amendments require secondary legislation to commence them, so no immediate changes are required. Once they do come into force, there are some areas of particular note:
Marketing
One particularly positive development is the extension of the soft opt-in to charities. The soft opt-in rule means that as a charity, you may be able to email or text customers without their consent. This allows charity and public sector organisations to communicate more effectively with stakeholders, provided you meet the necessary conditions. At the same time, the stakes have been raised: PECR fines are now aligned with UK GDPR, meaning organisations could face penalties of up to £17.5 million or 4% of global turnover.
Archiving
Data protection law has been updated to allow the use of personal data for archiving in the public interest, regardless of the original lawful ground for processing. Archivists often receive personal data from a wide range of sources, but they typically have little control over the reasons for which that data was originally collected. These revised provisions will allow archiving in the public interest, subject to the soon-to-be-created Generally Recognised Standards. As these changes take effect, it’s a timely opportunity for cultural institutions to revisit their archiving strategies.
Complaints
Organisations must make it easier for individuals to raise concerns about how their personal data is handled. This includes offering an electronic complaints form, acknowledging complaints within 30 days, and responding without undue delay. In addition, organisations should be accountable by maintaining a clear record of all data protection complaints received, as the Information Commissioner’s Office (ICO) may request access to these records as part of its oversight responsibilities.
Next Steps
The Information Commissioner’s Office (ICO) has released a schedule of plans to update guidance, which gives an indication of timescales for these matters. For example, the Research, Archiving and Statistics Provisions update is expected to be published in Autumn 2025.
https://ico.org.uk/about-the-ico/what-we-do/our-plans-for-new-and-updated-guidance/general-data-protection/ and https://ico.org.uk/about-the-ico/what-we-do/our-plans-for-new-and-updated-guidance/direct-marketing-and-privacy-and-electronic-communications/