Introduction
The Data (Use and Access) Act [2] [4], which received Royal Assent on 19 June 2025, introduces significant changes to the UK GDPR, particularly benefiting businesses by relaxing certain regulations. This legislation enhances the flexibility of organizations in utilizing AI-driven tools and processes. The Information Commissioner’s Office (ICO) has responded with updated guidance and strategies to ensure compliance and address the evolving challenges and opportunities presented by AI technologies.
Description
The Data (Use and Access) Act received Royal Assent on 19 June 2025, prompting a review of existing guidance [2], which may be updated accordingly [2]. This new legislation introduces targeted changes to the UK GDPR aimed at benefiting businesses [4], including the relaxation of certain regulations for decisions that do not involve special category data. This change provides organizations with greater flexibility in utilizing AI-driven tools and processes [3]. In conjunction with this, the ICO has published guidance detailing the implications of the Act for organizations [4], including a new statutory Code of Practice on automated decision-making (ADM) and AI, which will be available by autumn 2025 [1]. This guidance will reflect changes to the Article 22 GDPR provisions concerning ADM and clarify the concepts of ‘meaningful human intervention’ and ‘significant decisions,’ outlining the circumstances under which human oversight is necessary and what constitutes a high-impact decision.
Recent updates to the Guidance on AI and Data Protection have clarified fairness requirements in AI [2], responding to industry requests and aligning with the ICO’s commitment to support organizations in adopting new technologies while safeguarding individuals and vulnerable groups [2]. The ICO’s updated AI and Biometrics Strategy, titled “Preventing harm, promoting trust” [4], outlines regulatory priorities for 2025–26, focusing on the lawful and transparent deployment of AI and biometric technologies [4], including facial recognition technology (FRT) and automated decision-making systems.
The ICO is actively engaging with the UK government and the Digital Regulation Cooperation Forum (DRCF) on regulatory reforms to ensure that the UK’s regulatory framework adapts to the evolving challenges and opportunities presented by AI [2]. This engagement will particularly scrutinize major employers and recruitment platforms for transparency, discrimination [1] [2], and redress in their use of ADM [1]. Findings from these investigations will be published, and necessary actions will be taken to address any unlawful uses of AI and biometric technologies.
As part of its action plan for 2025–26, the ICO will update guidance on ADM and profiling, and develop a statutory Code of Practice to aid compliance with data protection principles [4]. Organizations are advised to review their current automated workflows to ensure that mechanisms for human review are well-documented and accountable [3]. Enhanced oversight in high-risk sectors, particularly in recruitment processes utilizing ADM, is also planned [4]. Developers of AI foundation models will be required to provide assurances on personal data protection, with established regulatory expectations [1], particularly concerning the use of special category data under Article 9 GDPR.
The guidance has been restructured to enhance usability, with some content moved into new chapters [2]. A standalone chapter on the transparency principle as it relates to AI has been created, while statistical accuracy content has been relocated to a chapter focusing on the accuracy principle [2]. Key topics addressed include the distinction between fairness, algorithmic fairness, bias, and discrimination [1] [2], as well as high-level considerations for evaluating fairness and inherent trade-offs [2]. The guidance also covers the processing of personal data for bias mitigation and technical approaches to reduce algorithmic bias [2].
Furthermore, the guidance discusses fairness considerations throughout the AI lifecycle [2], from problem formulation to decommissioning [2], highlighting how various aspects of AI development can impact fairness and outlining potential sources of bias and mitigation strategies [2]. The ICO will also investigate how developers of AI foundation models manage privacy and safety concerns during training [4], and proactively address emerging AI risks [4], focusing on the data protection implications of agentic AI [1] [4]. An updated glossary provides explanations of technical terms relevant to these discussions [2], ensuring clarity and understanding for organizations navigating these complex issues.
Organizations involved in the AI supply chain or deploying facial recognition technologies should prepare for regulatory engagement with the ICO [1], including governance disclosures [1], compliance measures [1], and data protection impact assessments [1]. Adaptations based on ICO feedback may prevent formal actions if improved outcomes are demonstrated [1]. The ICO will conduct consultations [1], and organizations are encouraged to provide evidence of practical challenges and areas needing further guidance [1]. The ICO’s generative AI consultation response in 2024 highlighted valuable insights but left questions regarding special category data [1], joint controller arrangements [1], and transparency measures for model developers using third-party personal data [1].
Conclusion
The Data (Use and Access) Act and the subsequent guidance from the ICO mark a pivotal shift in the regulatory landscape for AI and data protection in the UK. By relaxing certain regulations and providing detailed guidance, the ICO aims to foster innovation while ensuring robust data protection. Organizations are encouraged to adapt to these changes, ensuring compliance and transparency [1] [2] [4] in their AI-driven processes. The ongoing engagement with regulatory bodies and the focus on fairness, transparency, and accountability will be crucial in navigating the complexities of AI technologies and safeguarding individual rights.
References
[1] https://www.lexology.com/library/detail.aspx?g=7802ed5f-ac4b-4ec4-a3a7-a2181a2d69b0
[2] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/
[3] https://www.dpocentre.com/data-use-access-act-2025-overview/
[4] https://www.rpclegal.com/thinking/data-and-privacy/data-dispatch-june-2025/