The Data (Use and Access) Act 2025 has officially become law, aiming to reform parts of the UK GDPR and the Data Protection Act 2018. However, as the ICB (Institute of Certified Bookkeepers) notes, the government has not confirmed when the new rules will come into force.
The Act introduces wide-ranging changes. These include:
● Subject Access Requests: A new test allows organisations to refuse or charge for requests that are “vexatious or excessive,” replacing the older “manifestly unfounded” test.
● Record-Keeping: Small organisations conducting low-risk processing may no longer be required to maintain detailed records.
● Cookies and Tracking: Some use of cookies without consent may become lawful in limited circumstances.
● Automated Decision-Making: The Act outlines how individuals can challenge automated decisions, updating previous safeguards.
● Legitimate Interests: The Secretary of State gains new powers to define recognised “legitimate interests” through regulation.
Despite these changes, the law will not apply until commencement regulations are introduced, and no implementation date has yet been announced.
Until then, the UK GDPR and existing rules remain in full force.
