The Data (Use and Access) Act 2025: Implications for Businesses and Investors
August 20, 2025
Yesterday, on 19 June 2025, the Labour government enacted the Data (Use and Access) Act 2025, marking a significant shift in how the UK manages, protects, and shares data. It is important to note that the Act does not replace the UK GDPR, but rather acts as a targeted amendment. It was designed to fix persistent inefficiencies in public services, streamline fragmented data systems, improve consumer trust in digital services, and lay a foundation for regulating new risks around data use, including in the fields of AI and biometrics. At the same time, it introduces opportunities for businesses to leverage government-backed digital verification and Smart Data schemes to build new products and services.
What It Means for Businesses
For startups and established companies alike, the Act does more than require more legal compliance; it dictates technological change. However, the impact varies. For a company like a small e-commerce retailer on a platform such as Shopify, the Act’s changes to data subject access requests (SARs) will likely be a welcome simplification. These businesses can benefit from reduced administrative paperwork without needing to make major changes to their core business model.
In contrast, other companies will need to:
- Upgrade IT systems to ensure integration with Smart Data frameworks and Digital Verification Services.
- Redesign data storage and processing systems architecture to meet new privacy and interoperability requirements.
- Build secure APIs to exchange data with government or sector-specific platforms.
- Train teams to handle data in line with the new standards.
For many, these steps won’t just add costs; they’ll require fundamental changes to technical infrastructure and processes, which could affect margins in the short term.
What It Means for Investors
Investors will need to view technical readiness as a key marker of value. Startups that can adapt their systems quickly and prove they can scale within this new data environment will be more attractive. Those lagging in technical integration will face slower growth, reduced market entry, and potentially lower valuations.
How Stakeholders Can Navigate the Act
While the Act imposes new demands, it also creates a roadmap for potential growth. Rather than treating this only as a regulatory hurdle, businesses should view it as an opportunity to future-proof their systems, build consumer trust, and create new services that rely on secure, standardised data flows.
- Startups should align product roadmaps with Smart Data and digital verification frameworks early, so they’re not left behind as standards become the norm. For a company developing a professional networking product, like LinkedIn for example, the Act is both a challenge and a massive opportunity. The company would likely need to register for the Digital Verification Services (DVS), which adds a new compliance layer. However, by embracing a roadmap that allows users to securely share their professional data from other platforms, the startup could attract users and create a powerful competitive edge that wasn't possible before.
- Established companies should modernise legacy systems to take advantage of interoperability, while ensuring customer data handling boosts trust.
- Investors should prioritise businesses that have credible technology strategies for compliance and integration.
Trade-Offs and Potential Consequences
The Act forces a series of trade-offs that businesses must navigate:
- Efficiency vs. Complexity: Simplified data sharing will drive efficiency, but integration projects require investment and transition costs.
- Innovation vs. Disruption: New opportunities for products and services exist, but adapting legacy systems could disrupt day-to-day operations.
- Trust vs. Expenditure: Stronger protections build customer confidence but require investment in new digital infrastructure, and their efficacy over public reviews is debatable.
- Trust vs. State Control: The Act is presented as a pro-consumer measure, but critics argue its provisions for state-mandated data sharing could lead to a "Big Brother" scenario, creating a different kind of public mistrust.
- Growth vs. Margin Pressure: Upgrades and training may squeeze budgets before benefits are realised.
- Competitive Edge vs. Lagging Behind: Early adopters will gain market advantage; slower movers will risk losing customers and investor interest.
The Bottom Line
Preparing for the outcomes of the Data (Use and Access) Act 2025 is not just about compliance; it’s about building the technical capability to thrive in a new data-driven economy. Businesses that invest early in integration, infrastructure, and digital trust mechanisms will not only reduce risk but also position themselves for growth in a landscape that rewards transparency, interoperability, and consumer confidence.
Further reading:
Official & Regulatory Guidance 🏛️
These resources are essential for understanding the Act's official text and the regulator's interpretation.
- Government Summary of Changes: A concise overview of the key amendments to data protection laws.
- Full Text of the Legislation: The complete and official text of the Act as passed into law.
- ICO Overview: The UK’s data regulator's summary of the Act and its implications.
- ICO Organisational Guidance: A practical checklist for businesses to prepare for the changes.
Legal & Industry Analysis ⚖️
These resources offer a more critical analysis of the Act from the perspective of law firms and business associations.
- Analysis from a Law Firm: Provides a detailed legal breakdown of the Act’s clauses and their potential impact on compliance.
- Industry Perspective from TechUK: An overview of the Act's implications from the perspective of the UK's leading technology trade association.
Written by our Head of Strategy, Tom Birch.
From Blog
Recent posts
Let's have a coffee ☕️
.svg){kind=small}