
Data (Use and Access) Act 2025

Overview

The Data (Use and Access) Act 2025 is a landmark piece of UK legislation designed to unlock greater transparency, portability, and accountability around the use of business and customer data. It introduces new rights for customers to access and control their data, empowers regulators to oversee fair data-sharing practices, and places obligations on businesses to manage digital identity services, smart infrastructure records, and data protection with more precision than ever before.

Whether you’re a small service provider or a data-driven tech firm, this law reshapes how data flows between businesses, customers, and third parties, and aligns with broader UK goals for innovation, digital trust, and AI-readiness.

Key requirements include:

  • Customer data must be made available to individuals or authorised third parties, on request.
  • Business data (e.g. on pricing, quality, usage) must be published or shared under specified conditions.
  • Enforcement powers include fines, compliance notices, and inspections by designated regulators.
  • Digital verification services (DVS) must comply with trust frameworks and registration requirements.
  • Data protection duties are tightened, with clear rules on consent, automated decision-making, and international transfers.
  • Businesses may face levies and fees to fund oversight bodies like interface operators and the Information Commission.

 

The Data (Use and Access) Act 2025 came into force on the 19th of June 2025 and applies to England, Scotland, Wales and Northern Ireland.


Does the Data (Use and Access) Act 2025 affect my business?

The implications of this Act on businesses are significant, particularly for those that:

  • Handle large volumes of customer or transactional data
  • Provide online services, digital content, or smart infrastructure
  • Operate in financial services, where the FCA is empowered to issue rules on data interfaces
  • Collect or use data from third-party sources, such as customer dashboards or APIs
  • Participate in digital ID systems, trust services, or verification of personal identity/status
  • Store or analyse biometric data, user behaviour, or sensitive communications

 

Even if you’re not directly collecting data, if you process or hold it for another business, you may be classed as a “data holder” with obligations to disclose, format, or provide access upon request.

Do I need the Data (Use and Access) Act 2025 in my ISO Compliance Register?

The Data (Use and Access) Act 2025 will impact the following businesses and sectors:

  • Customer-facing services: e.g. online platforms, subscription models, mobile apps
  • Financial services providers: banks, fintechs, and payment platforms
  • Data processors: including marketing tech, analytics platforms, and cloud service providers
  • Health and social care: organisations subject to new standards for digital records and data flows
  • Companies managing APIs, interfaces, or dashboards that aggregate or relay customer data
  • Infrastructure and utilities firms dealing with underground asset registers or smart meter data
  • Telecoms and ISPs: especially those storing data related to online safety or child protection
  • Any business seeking ISO 27001 (information security), ISO 27701 (privacy), or ISO 9001/14001 where digital compliance plays a part

 

If your ISO management system covers data access, consumer rights, or privacy assurance, this Act is highly relevant and should be logged in your compliance register with actions assigned to review future regulations stemming from it.

Legislation related to the Data (Use and Access) Act 2025

Legislation related to the Data (Use and Access) Act 2025 includes:

More information

Visit the Data (Use and Access) Act 2025 article on the legislation.gov.uk website.

Create an account in the ISO Compliance Register App and add this article to your Register.