Data (Use and Access) Act 2025: What UK Boards Must Act On Now
The Data (Use and Access) Act 2025 introduces a mandatory data protection complaints procedure for every UK organisation processing personal data — and the obligation comes into force on 19 June 2026. UK boards that have treated this legislation as an IT governance update are misreading the accountability exposure. This is a board-level compliance matter with direct implications for operational process, customer trust, and regulatory standing under the Information Commission.
The Act, which received Royal Assent on 19 June 2025, phases its changes across 2025 and 2026. Several significant provisions — including updates to automated decision-making rules and cookie consent requirements — came into force in February 2026. The complaints regime is the next critical milestone. With days to go, many organisations are still treating it as a work-in-progress.
What Does the June 2026 Deadline Actually Require?
From 19 June 2026, every organisation subject to UK GDPR must provide a formal mechanism through which individuals can complain directly about how their personal data has been handled. This is not a best-practice recommendation — it is a statutory obligation, and the Information Commission (the successor body to the ICO, now governed by a board of executive and non-executive members) will be able to assess compliance against it.
The requirements are specific. Organisations must provide a complaint form that can be completed electronically and by other means. They must acknowledge complaints within 30 days, take appropriate steps to resolve the complaint without undue delay, and inform the data subject of both progress and the final outcome. The mechanism by which complaints reach the Information Commission has also changed: individuals can now only escalate to the regulator once they have first complained directly to the controller and are dissatisfied with the response.
For larger organisations — those processing high volumes of personal data across multiple touchpoints — this creates a material operational requirement. Customer service teams, HR functions, and digital product owners all need to know the process exists, where it lives, and how to triage and respond within the 30-day window. That requires governance, not just a form on a webpage.
Executive Action:
- Confirm with your DPO or legal team that an electronic complaints form is live and accessible across all consumer and employee-facing platforms before 19 June 2026.
- Establish a 30-day acknowledgement and response SLA with clear ownership — this should sit with a named function, not default to IT or legal alone.
- Brief your board or audit committee on the new complaints pathway and the reputational implications of systemic non-compliance. Use the INFORMD tools library to run a quick executive readiness check.
How Does the Act Change Automated Decision-Making for AI-Using Organisations?
For organisations deploying AI in decisions that affect individuals — credit assessments, HR screening, insurance pricing, performance management — the Data (Use and Access) Act 2025 has recalibrated the rules. The previous UK GDPR framework placed a near-blanket restriction on solely automated decisions with significant effects on individuals. The new Act introduces a more permissive regime in specified circumstances, while strengthening the transparency and human review obligations that accompany it.
Under the revised framework, organisations can process personal data through automated means in a broader set of situations — provided they implement appropriate safeguards, ensure that individuals can request human review of automated decisions, and make it genuinely possible for those individuals to contest outcomes. The safeguards are not cosmetic: the Information Commission is expected to issue detailed guidance, and the burden of demonstrating compliance will rest with the data controller.
According to research by Logicalis published in May 2026, 87% of UK business IT decision-makers now use agentic AI systems, yet only a quarter have strong governance in place. That gap represents direct legal exposure under the revised automated decision-making provisions — particularly for financial services, HR technology, and insurance sectors where AI-driven individual decisions are most prevalent.
Executive Action:
- Map every AI-driven process in your organisation that makes or influences decisions affecting individual employees, customers, or applicants — and assess whether existing transparency disclosures meet the updated standard.
- Ensure that human review mechanisms are genuinely accessible, not buried in terms and conditions. The Information Commission will look at actual user experience, not just policy language.
- Review your AI governance documentation against the updated UK GDPR requirements — the INFORMD templates library includes a technology strategy review framework relevant to this assessment.
What Is the Information Commission — and Why Does Its New Structure Matter?
The Data (Use and Access) Act 2025 abolishes the single-person Office of the Information Commissioner and replaces it with the Information Commission — a board-governed body corporate with a chair, non-executive members, and executive members including a CEO. This brings the UK’s data regulator in line with the governance structure of major UK financial and communications regulators such as the FCA and Ofcom.
The structural change is not merely administrative. A board-led regulator typically operates with more institutional continuity, clearer published enforcement priorities, and stronger accountability to Parliament. The Information Commission has also been given an explicit statutory duty to consider the desirability of promoting innovation and economic growth — alongside data protection — when exercising its functions. That dual mandate is a deliberate signal from government, and it means enforcement posture may become more calibrated to business context.
What this means in practice for senior executives is that regulatory engagement should become more structured. Large organisations with complex data processing environments should consider proactive engagement with the Information Commission — particularly on novel AI deployments — rather than waiting for an investigation to begin. The ICO’s published 2025–26 enforcement priorities indicate that automated decision-making and children’s data remain front-of-mind for the regulator.
Executive Action:
- Update your board’s regulatory engagement framework to reflect the new Information Commission structure — including identifying who within your organisation owns the relationship.
- Review your data protection impact assessments (DPIAs) for any AI or automated processing systems introduced since 2024, and confirm they reflect the updated automated decision-making provisions.
- Explore the INFORMD resources library for the latest executive briefings on data regulation and digital governance.
What Else Has Changed — and What Is Still Coming?
Beyond the complaints mechanism and automated decision-making reforms, the Data (Use and Access) Act 2025 introduces a range of targeted changes that UK executives should be aware of. Cookie consent rules have been updated, with limited exemptions introduced for low-risk analytics and functional cookies — reducing friction for web operations while maintaining the fundamental transparency requirement. The Act also introduces new data sharing powers across public services, with potential implications for organisations operating in healthcare, finance, and infrastructure.
The legislative picture continues to evolve. The Act enables additional statutory instruments and regulatory guidance across 2026 and into 2027 — meaning that organisations which treat this as a single compliance event will find themselves managing a rolling programme of updates. According to Clifford Chance’s analysis, organisations should maintain active monitoring of commencement orders and ICO guidance updates, rather than treating the February 2026 implementation as a finalised baseline.
The cumulative effect is a data governance environment that is both more permissive in some areas — particularly around innovation and AI — and more structured in others, especially around individual rights and complaints. For boards and senior executives, the message is consistent: data governance is no longer just a compliance function. It is a matter of board accountability.
Executive Action:
- Assign a named executive owner — typically the CEO, CFO, or General Counsel — for Data (Use and Access) Act compliance at board level, with quarterly reporting on progress against the phased implementation timeline.
- Commission an internal audit of cookie consent implementation across all digital properties in light of the updated PECR provisions.
- Brief your board’s risk committee on the second wave of secondary legislation expected later in 2026, and the operational implications for data-sharing arrangements.
INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full library of executive briefings or speak to our team.
FAQ: When does the Data (Use and Access) Act 2025 complaints requirement come into force?
The obligation for UK organisations to provide a formal data protection complaints mechanism comes into force on 19 June 2026. From that date, controllers subject to UK GDPR must provide an electronic complaint form, acknowledge complaints within 30 days, and inform complainants of progress and outcomes. Individuals may only escalate to the Information Commission after first complaining to the organisation concerned.
FAQ: Does the Data (Use and Access) Act 2025 replace UK GDPR?
No. The Data (Use and Access) Act 2025 amends and builds on UK GDPR and the Data Protection Act 2018 — it does not replace them. UK GDPR remains the primary framework governing how personal data is processed. The Act introduces targeted reforms in specific areas, including automated decision-making, cookie rules, scientific research, and complaints handling, while largely preserving the existing compliance architecture.
FAQ: What is the Information Commission and how does it differ from the ICO?
The Information Commission is the successor body to the Information Commissioner’s Office (ICO), created by the Data (Use and Access) Act 2025. It is structured as a board-led body corporate — with a chair, non-executive members, and executive members including a CEO — rather than a single-person regulator. The Commission has the same core enforcement powers but a broader statutory remit that explicitly includes promoting innovation and economic growth alongside data protection.
FAQ: What do UK boards need to do about AI and automated decision-making under the new Act?
Boards need to ensure that any AI-driven processes affecting individuals — in HR, customer operations, credit, or insurance — are mapped, disclosed, and equipped with genuine human review mechanisms. The Data (Use and Access) Act 2025 relaxes some of the previous restrictions on automated decision-making but significantly raises the bar on transparency and the right to contest outcomes. Boards should request a formal assessment from their DPO or legal team covering all AI deployment affecting personal data decisions.
