The UK Data (Use and Access) Act: How it Changes Corporate Data Strategy


The way organisations handle data in England and Wales is undergoing one of the most significant legal shifts in recent memory. The Data (Use and Access) Act 2025 (often referred to as the UK Data Act) received Royal Assent on 19 June 2025 and is being brought into force in stages through 2025 and 2026. The legislation reforms key parts of the UK’s data protection and access framework and has direct implications for corporate data strategy. Companies must rethink how they govern, share, protect, and innovate with data in this new environment.

This article explains the core features of the Act, outlines practical strategic considerations for boards and senior management teams, and details how data policies should evolve to remain compliant and commercially competitive.

Free Initial Telephone Discussion

For a free initial discussion with a member of our New Enquiries Team, get in touch with us today. We are experienced in dealing with all the legal aspects of corporate law, and once instructed, we will review your situation and discuss the options open to you in a clear and approachable manner. Early expert legal assistance can help ensure you are on the best possible footing from the start and also avoid the stress of dealing with these issues on your own. Simply call us on 0345 901 0445 or click here to make a free enquiry and a member of the team will get back to you.

What is the Data (Use and Access) Act?

The Data (Use and Access) Act 2025 is a wide-ranging statute designed to modernise the UK’s approach to data governance. Its stated aims include supporting economic growth, modernising digital government, and enabling secure and effective use of both personal and non-personal data.

Key elements of the Act include:

  • A legislative framework facilitating secure sharing of customer and business data with authorised third parties at a customer’s request, akin to Smart Data schemes such as Open Banking.
  • Reforms to the regulatory landscape, including a new governance model for the information regulator, the Information Commission (replacing the Information Commissioner’s Office).
  • Amendments to parts of the UK GDPR and Data Protection Act 2018, with changes to automated decision-making, data subject access requests, international data transfers, and recognised lawful bases for processing.

The Act does not replace existing data protection law but builds on it. Organisations must continue to comply with UK GDPR and other data governance requirements while adapting to the new provisions.

Strategic implications for corporate data governance

Data governance is no longer a behind-the-scenes compliance exercise. The UK Data Act requires companies to align data strategy with evolving legal responsibilities while turning compliance into a competitive advantage.

  1. Embracing Smart Data and interoperability

One of the most striking features of the Act is its push towards Smart Data. This is a framework for securely sharing customer and business data, often at a customer’s request, with authorised third parties to drive competition and innovation. Under this regime, data holders such as banks, utilities, and telecoms providers will be required to permit customers to port their data to trusted third parties.

From a corporate perspective, this means rethinking legacy systems that isolate data in silos. Organisations must invest in:

  • APIs and secure data transfer mechanisms
  • Customer authorisation management and consent frameworks
  • Interoperable systems that can safely ingest and export data

Forward-thinking companies can leverage Smart Data to develop new services and products that exploit data portability to their advantage.

  2. Rethinking data protection and privacy mechanisms

The Act introduces changes to how data protection principles apply, particularly around automated decision making, subject access requests, and international transfers.

Automated decision making (ADM) is now governed by a more flexible framework. Businesses can rely on broader circumstances for ADM—a shift that can support AI and machine learning initiatives—provided they incorporate transparency and human intervention safeguards.

Subject access requests (SARs) are also modernised. Organisations can now conduct reasonable and proportionate searches and may “pause the clock” if they require further information.

These reforms mean that corporate data strategies must align with new procedural and documentation obligations. Privacy policies, internal procedures, and customer interfaces need revision to incorporate these modernised requirements.

  3. New lawful basis for data use

A notable innovation under the Act is the introduction of recognised legitimate interests as a lawful basis for processing data. This can reduce the burden of performing balancing tests in certain contexts and offers increased clarity on permissible uses.

For example, this lawful basis expressly covers activities such as network security, fraud prevention, and certain direct marketing operations. However, the continued requirement to assess whether individual rights override business interests remains important, particularly when personal data is involved.

From a corporate strategy perspective, this means revisiting data processing activities to identify where the new recognised legitimate interests basis could streamline operations without undermining privacy rights.

Regulatory and enforcement changes

The Act reconfigures the UK’s data protection regulator by establishing the Information Commission with a broader mandate, including supporting innovation and competitive markets alongside privacy enforcement.

Enforcement powers are being strengthened. New powers include the ability to:

  • Compel technical reports and interviews during investigations
  • Issue penalties under PECR up to 4% of global turnover or £17.5 million, aligning them with UK GDPR penalty levels
  • Enhance compliance oversight across trust service providers and digital identity frameworks

Boards and data leaders must ensure that risk assessments, audit trails, and documentation are robust enough to withstand intensified scrutiny. This includes revisiting data protection impact assessments, vendor management processes, and cross-border data flow strategies.

Integrating data strategy with business objectives

The UK Data Act highlights that effective data strategy is a business strategy. Organisations should act now to update their approaches in the following areas:

  1. Data governance frameworks

Existing data governance structures need to be reconfigured to support:

  • Real-time monitoring of compliance obligations
  • Clear accountability for data sharing decisions
  • Integration with enterprise risk management and cyber security practices

This is not merely a legal requirement, but a foundation for extracting meaningful value from data assets.

  2. Data sharing and commercial opportunities

Smart Data schemes and new frameworks for interoperability offer businesses the chance to innovate with data-driven services and create value beyond traditional models. Companies should explore:

  • Developing data-sharing partnerships
  • Using data portability to enhance customer experience
  • Leveraging internal data for cross-sell opportunities while maintaining compliance

A strong governance regime fosters trust, which in turn supports adoption of new data-based offerings.

  3. Global data flows and international strategy

The Act simplifies some aspects of international data transfers, making it easier to navigate a post-Brexit data landscape. However, organisations must still ensure proper safeguards are in place and conduct transfer impact assessments where needed.

This is particularly relevant for multinational businesses. Ensuring UK and non-UK operations remain aligned with data strategy is essential to avoid fragmentation and compliance gaps.

Practical steps for boards and leadership teams

Given the breadth of changes introduced by the Data (Use and Access) Act, senior leadership should consider the following:

  1. Review and update data governance policies to integrate new compliance obligations and business opportunities.
  2. Map data flows and processing activities to clarify where recognised legitimate interests may apply and where protections must be strengthened.
  3. Reassess vendor contracts and data sharing agreements to ensure alignment with new Smart Data and interoperability obligations.
  4. Strengthen subject access and ADM frameworks to comply with revised procedures and safeguards.
  5. Incorporate data strategy into board-level risk reporting and decision making to underscore its strategic importance.

In doing so, organisations protect themselves legally and position their data practices to support innovation and competitive advantage.

Conclusion

The UK Data (Use and Access) Act 2025 represents a major development in the legal landscape for data use, protection, and access. It goes beyond incremental reform and seeks to shape how organisations harness data for economic growth and innovation, while updating compliance frameworks to reflect modern digital realities.

For boards and senior leadership teams, the Act demands not only legal attention but strategic anticipation. This means adapting governance frameworks, exploring new data-driven business models, and ensuring that data strategy is integrated into core corporate planning.

In an era where data is one of the most valuable corporate assets, those organisations that understand and implement a forward-looking approach to data governance will be best placed to thrive in a rapidly evolving regulatory and commercial environment.

We have a proven track record of helping clients deal with the legal implications of corporate law. We will guide you diligently and ensure all checks are carried out swiftly and efficiently and we firmly believe that with the right solicitors by your side, the entire process will seem more manageable and far less daunting. You can read more about the range of corporate services we offer by clicking here: https://blackstonesolicitorsltd.co.uk/corporate-legal-services/


Disclaimer: This article provides general information only and does not constitute legal advice on any individual circumstances.
