The Data Act of 2025, and the Year It Takes Hold
The UK has rewritten part of its data protection rulebook. The Data (Use and Access) Act, which received royal assent in June 2025, keeps the core rights intact, access, correction, erasure and objection, while changing how organisations must handle requests and complaints, with most provisions phasing in across 2026.
Two changes matter for a private person. A subject access request now only requires a reasonable and proportionate search, and an organisation can pause the clock while it asks a broad request to be narrowed. And from June 2026, an individual gains the right to complain directly to the organisation that holds their data, before going to the regulator.
The regulator itself is renamed and given a clearer footing. None of this weakens the underlying right to know what an organisation holds about you; it formalises the process around it.
For someone mapping their own exposure, the practical point is that these are the levers, the request, the correction, the complaint, that turn a vague concern into a documented answer and, where it applies, a removal.
The new data act tightens the process without removing the rights, and adds a direct route to complain from June 2026. We treat the request, the correction and the complaint as instruments, used in the right order and at the right organisations, to find what is held, fix what is wrong, and remove what should not be there. The law sets the rules; knowing where to point them is the work.
Get in touch