UK GDPR & Compliance 2025
The United Kingdom's data protection landscape has been fundamentally reshaped in mid-2025, marking a pivotal moment for organisations developing and deploying Artificial Intelligence (AI). The enactment of the Data (Use and Access) Act 2025 (DUAA) on 19 June 2025 represents the most significant legislative reform of the UK's data protection framework since its departure from the European Union. This legislation deliberately moves the UK onto a distinct, though related, trajectory from the EU General Data Protection Regulation (GDPR), aiming to establish a more "pro-innovation" environment.
This report provides an exhaustive analysis of this new legal and regulatory terrain. It will demonstrate that while the DUAA ostensibly creates a more permissive legal framework for AI, this is counterbalanced by a newly assertive regulatory strategy from the Information Commissioner's Office (ICO). The result is a more complex and nuanced compliance environment where the practical application of the law will be defined by forthcoming regulatory codes and enforcement priorities. The unresolved and highly contentious matter of AI and copyright, which dominated the DUAA's legislative passage, further complicates the strategic landscape, creating long-term uncertainty for data acquisition and model training.
This analysis will proceed in four parts. First, it offers a deep dive into the legislative changes of the DUAA, deconstructing its key amendments to the UK GDPR. Second, it examines the ICO's new AI and Biometrics Strategy, interpreting the regulator's priorities and the practical implications for compliance. Third, it provides a dedicated analysis of the critical AI and copyright impasse, outlining the competing visions of the creative and technology sectors. Finally, it concludes with a strategic, actionable set of recommendations for organisations to navigate this new frontier, maintain compliance, and mitigate risk in the dynamic world of AI.
The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, amends rather than replaces the existing UK data protection regime, including the UK GDPR and the Data Protection Act 2018. Its provisions are being phased in, with most requiring a statutory instrument for implementation, expected around December 2025. However, some key changes took effect immediately upon Royal Assent or two months thereafter on 19 August 2025. The Act's reforms are designed to reduce burdens on organisations and unlock economic and research opportunities, with profound implications for the use of AI.
The following table provides a high-level summary of the most significant amendments for organisations deploying AI systems:
| Area of Reform | Pre-DUAA Position (UK GDPR) | Post-DUAA Position (Amended UK GDPR) | Direct Implication for AI Systems |
|---|---|---|---|
| Automated Decision-Making (ADM) | Article 22: General prohibition on solely automated decisions with legal/significant effects. Permitted only if necessary for a contract, authorised by law, or based on explicit consent. | Amended Article 22: Prohibition lifted for non-special category data. ADM permitted under any lawful basis (except 'recognised legitimate interests' alone). Mandatory safeguards introduced. | Broader scope to deploy ADM for applications like fraud detection, dynamic pricing, and initial recruitment screening. Requires robust implementation of new safeguards, including the right to make representations and challenge decisions. |
| Scientific Research | Definition of 'scientific research' not explicitly defined in the articles, leading to ambiguity for commercial R&D. Consent required for specific purposes. | Amended Articles: Definition broadened to explicitly include commercial research and technological development. 'Broad consent' for general areas of research is permitted under ethical conditions. | Provides a clearer legal pathway for using personal data to train and develop commercial AI models under the research provisions. Simplifies the process of obtaining consent for long-term or exploratory AI development projects. |
| Legitimate Interests | Article 6(1)(f): Requires a three-part balancing test to weigh the controller's interest against the individual's rights and freedoms. | New Article 6(1): Introduces a list of 'recognised legitimate interests' (e.g., crime prevention, safeguarding) that do not require the balancing test. | Streamlines justification for ancillary data processing activities related to AI (e.g., system security monitoring). However, it cannot be used as the sole basis for significant ADM, limiting its direct application for core AI decisioning. |
| Data Subject Access Requests (DSARs) | Article 15: Right of access to personal data. ICO guidance suggested proportionality, but the legal text was absolute. No formal "stop the clock" provision in the articles. | Amended Article 15: Codifies that controllers need only conduct a "reasonable and proportionate" search. Formalises a "stop the clock" mechanism when seeking clarification. | Provides a crucial legal defence against disproportionately burdensome DSARs concerning complex AI systems where identifying an individual's data within a trained model is technically infeasible. Places a premium on having a documented, defensible search methodology. |
| Complaints | Article 77: Data subjects have a direct right to lodge a complaint with the ICO. | New Provisions: Data subjects are required to complain to the controller first. Controllers must acknowledge within 30 days and resolve without undue delay. | Creates an opportunity for organisations to resolve AI-related complaints internally before regulatory escalation. Requires new internal processes and resources for handling complaints effectively. |
The DUAA's most significant reform for the AI sector is the restructuring of the rules governing solely automated decision-making (ADM) that produces legal or similarly significant effects on individuals. The legislation reframes Article 22 of the UK GDPR, moving from a framework of general prohibition to one of permission with safeguards. This shift is designed to make it easier for organisations to innovate and deploy ADM systems, but it is accompanied by new, explicit compliance obligations.
For ADM that does not involve the processing of special categories of personal data, the default prohibition is lifted. Organisations are no longer restricted to relying on contractual necessity, legal authorisation, or explicit consent. Instead, they can use any of the lawful bases in Article 6 of the UK GDPR, such as legitimate interests. A key exception is that the new 'recognised legitimate interests' basis cannot be used for significant ADM without a separate legitimate interests assessment. This change substantially broadens the potential for using AI in areas like dynamic insurance premium calculation, automated loan application processing (where not based on sensitive data), and initial filtering in e-recruitment processes.
However, the rules for processing special category data (e.g., health, biometric, racial or ethnic origin) remain strict. For ADM involving this type of data, the default prohibition is maintained. Such processing is only lawful if it is based on the individual's explicit consent or is necessary for reasons of substantial public interest that are substantiated in law.
This new flexibility is balanced by the introduction of a mandatory set of safeguards that must be implemented for any significant ADM. These safeguards codify and expand upon previous requirements, obliging controllers to ensure individuals can:
Furthermore, the Act provides a statutory definition for when a decision is considered "based solely on automated processing." It clarifies that this occurs where there is no "meaningful human involvement" in the taking of the decision. This codification elevates the importance of the quality of human oversight, making it a critical legal threshold that will be subject to regulatory scrutiny. It directly incorporates years of ICO and European Data Protection Board (EDPB) guidance into the primary legislation, solidifying the principle that a mere token gesture or "rubber-stamping" exercise by a human does not negate the automated nature of a decision.
The DUAA introduces crucial clarifications to the provisions for processing personal data for research purposes, creating a more defined legal pathway for training AI models. A significant change is the broadening of the definition of "scientific research." The Act clarifies that this term is to be interpreted widely and can include research carried out for commercial purposes, technological development, and privately funded projects. This is a vital enabler for the UK's private sector AI industry, as it provides a stronger legal foundation for using personal data in the development and training of commercial AI products under the research exemptions of the UK GDPR.
Complementing this is the codification of 'broad consent'. The Act permits organisations to obtain consent for a general area of scientific research, even if all the specific purposes of the processing cannot be fully identified at the time of data collection. This provision is particularly relevant for the iterative and exploratory nature of AI development, where the full potential applications of a model may not be known at the outset.
To further streamline the use of data for AI development, the DUAA establishes that any further processing for research, archiving, or statistical (RAS) purposes is automatically considered compatible with the original purpose for which the data was collected. This simplifies the legal justification for re-purposing existing datasets for new AI training objectives, reducing the need for complex compatibility assessments.
These permissive measures are, however, contingent upon the implementation of appropriate safeguards. The Act mandates that processing for RAS purposes must not be used to make decisions about specific individuals (unless for approved medical research) and must not be likely to cause anyone substantial damage or distress. Furthermore, it requires the application of technical and organisational measures, such as pseudonymisation, to protect the rights of data subjects. While these provisions create a clearer route for accessing and using training data from a data protection perspective, they do not address the separate and unresolved legal challenges related to copyright, which remains a primary hurdle for many AI developers.
In a move to reduce compliance burdens, the DUAA introduces a new lawful basis for processing personal data into Article 6 of the UK GDPR: 'recognised legitimate interests'. This provision creates a specific, exhaustive list of processing activities for which controllers can claim a legitimate interest without needing to conduct the traditional three-part balancing test against the rights and freedoms of the data subject.
The list of recognised interests includes processing necessary for purposes such as preventing or detecting crime, responding to emergencies, safeguarding vulnerable individuals, and for national security or defence. The Act also clarifies that certain existing legitimate interests, such as direct marketing, intra-group administrative transfers, and ensuring network and information security, can be relied upon, although these still require a balancing test.
The utility of this new basis for core AI functionalities is significantly limited. The Act explicitly states that a 'recognised legitimate interest' cannot be used as the lawful basis for ADM that produces a legal or similarly significant effect on an individual. This means that while it might be used for ancillary data processing activities that support an AI ecosystem—for instance, processing network logs for security purposes to protect an AI platform—it cannot justify the primary decision-making function of a high-impact AI system. This careful restriction prevents the new, simplified legal basis from becoming a loophole to bypass the more stringent requirements and safeguards associated with high-risk automated decisioning.
The DUAA codifies several aspects of existing ICO guidance on data subject rights, providing greater legal certainty for organisations, particularly those managing large and complex datasets typical of AI environments.
A key change concerns Data Subject Access Requests (DSARs). The Act gives legislative footing to the principle that controllers are only required to conduct a "reasonable and proportionate" search for personal data when responding to a DSAR. This provision, which came into force on 19 June 2025 and applies retroactively, is of immense practical value for organisations using AI. It provides a statutory basis to argue that an exhaustive search to identify every trace of an individual's data within a trained model or its vast underlying datasets is disproportionate and not legally required. This is expected to become a new area of legal contention, as the definition of "reasonable" in the context of opaque AI systems will likely be tested through complaints and litigation. Organisations will need to develop and document a defensible methodology for how they search their AI systems to meet this standard.
The Act also formalises the "stop the clock" mechanism for DSARs. This allows controllers to pause the one-month response deadline while they await necessary clarification from a requester regarding the scope of their request.
A significant procedural shift is introduced in the complaints process. The DUAA requires individuals to lodge complaints about data protection compliance with the data controller in the first instance, before escalating the matter to the regulator. Controllers are mandated to provide an accessible means for making complaints (such as an electronic form) and must acknowledge receipt within 30 days, taking appropriate steps to resolve the issue "without undue delay". While data subjects "may" still complain to the ICO, their automatic right to do so under Article 77 has been removed. This change is intended to empower organisations to resolve issues directly and reduce the ICO's caseload, allowing it to focus on more significant or systemic issues.
The TopTenAIAgents.co.uk Team consists of expert researchers and industry analysts dedicated to providing UK businesses with the most accurate and actionable insights into the AI landscape.
What are your thoughts on Navigating the New Frontier: A Definitive Analy...?