The UK’s Data (Use and Access) Act brings useful updates to the country’s data protection regime – particularly for research-driven and tech-forward businesses – but it doesn’t rewrite the rulebook.
The Act introduces clarification and incremental changes rather than wholesale reforms. While it leaves much of the substance of the UK GDPR intact, it offers some helpful clarifications and adds flexibility in specific areas, especially for data-driven businesses in tech, life sciences, and AI.
One area that has drawn attention is the treatment of personal data used for “scientific research”. The term may sound narrow, but the Act confirms it includes not only academic and publicly funded research, but also a broad range of commercial R&D activities.
In some cases, data collected for one purpose can now be reused for research without requiring fresh consent from the individuals. This will not open the floodgates, but it may remove friction for teams working on new features or exploratory analysis, particularly in fields like health tech and machine learning.
The Act also softens some constraints around automated decision-making. It allows decisions with legal or similarly significant effects to be made using AI or algorithms, as long as there is a valid legal basis, no sensitive data is involved, and other safeguards such meaningful human oversight are available. While this offers more flexibility than the original GDPR rules, companies must still ensure the process is fair, transparent and accountable.
Cross-border data transfers remain unchanged for now. The EU is expected to review the UK’s adequacy status by the end of 2025.
While no major issues are anticipated, businesses should keep the review on their radar and ensure that their transfer mechanisms for non-adequate jurisdictions – such as the UK International Data Transfer Addendum – remain up-to-date, especially where large-scale data transfers are occurring.
The Act signals continuity with some practical refinements. While it won’t require most companies to overhaul their compliance programmes, it is a timely reminder to review internal practices, especially where the processing of personal data supports research, product development or AI.
Getting ahead of these changes now can help smooth the path for future growth.
Guadalupe Sampedro is partner and head of the cyber, data and privacy practice at Cooley
The post The DUA Act: Evolution not revolution appeared first on UKTN.
