The Data Use & Access Act (the Act) amended the Data Protection Act and the UK GDPR, and reforms how the UK manages non-personal and personal data. It aims to unlock the secure and effective use of data. The Government says this enables:

  • Growth of digital verification services
  • Smart Data schemes like Open Banking
  • A National Underground Asset Register

What are Smart Data schemes?

Not all parts of the Act are yet in full force as they require secondary legislation. In this article we seek to explain the new ‘Smart Data schemes’. They are all about the secure sharing of data with authorised third parties. They are intended to create trust frameworks which set standards for data sharing, use and protection. The Government hopes they will be useful in a wide range of sectors – from transportation and telecommunications to finance.

Authorised third parties will be permitted to use data to provide individuals with personalised market comparisons and automatic switching services. In July 2025, the Government issued a call for evidence for views on the potential to introduce a Smart Data scheme in digital markets. The Government hopes to see customer and business data shared with third parties to enable ‘innovative services’.

Smart Data scheme requirements include:

  • Demonstrating that standards are met;
  • Publishing information about the rights and obligations under the regulations, such as the rights of customers and information about activities carried out under the regulations; and
  • Having effective procedures for the handling of complaints.

The Act has also introduced mandatory compliance interviews. There are criminal offences for false statements and the option of financial penalties for breaches of the regulations.

The other part of the age of Smart Data is in decision making. Automated decision-making has been something business has lobbied on for some time, often without appreciating it was not illegal; it just required human oversight in some circumstances. We wait to see if the changes are helpful, as the Act replaces Article 22 of the UK GDPR (automated individual decision-making, including profiling) with four new Articles:

  • Article 22A confirms that a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and the use of profiling in the decision-making process must be considered. A ‘significant decision’ is one that produces a legal effect for the data subject or if it has a similarly significant effect for the data subject.
  • Article 22B sets out restrictions on automated decision making. Significant decisions involving special categories of personal data (such as ethnicity, health, political views etc.) processing must meet one of these conditions:
  1. Explicit consent of the data subject.
  2. The decision is necessary for entering into or performing a contract between the data subject and a data controller or is required or authorised by law and Article 9(2)(g) UK GDPR applies.
  • Article 22C requires safeguards for data subjects. Decision makers must provide a data subject with information about decisions, enable them to make representations about such decisions, and enable human intervention on the part of the controller in relation to such decisions. This last point is important; there is still a need to maintain human oversight. Safeguards must also enable a data subject to contest such decisions.
  • Article 22D sets out further provisions about automated decision-making and regulations that the Secretary of State may make.

Failure to implement the required safeguards will amount to a serious breach of the law, and the Information Commissioner’s Office can issue enforcement notices and impose fines of £17.5m or up to 4% of global turnover, whichever is higher.

If you have questions or concerns about Smart Data use, please contact James Tumbridge and Robert Peake.