UK Data (Use and Access) Act 2025

The UK Data (Use and Access) Act 2025 sets out a new framework for how customer and business data is accessed, used, and regulated. It introduces stronger rights for individuals and companies to access and control their data, enforces standards for digital verification services, and lays out protocols for interface bodies, enforcement authorities, and the role of the Financial Conduct Authority (FCA). It also sets regulations around smart meters, public service data sharing, biometric data retention, and data use in AI development.

For UK-based businesses and regulators, the Act represents a major shift. It gives the government and FCA authority to require standardized interfaces for data access and sharing. Traders must now handle requests for customer data, offer APIs for access, and comply with technical standards. It introduces new compliance costs, new powers for oversight bodies, and clear penalties for non-compliance. The Act also emphasizes innovation and competition, especially in sectors like finance and digital services.

Global Relevance

Internationally, this Act positions the UK as a leader in controlled, rights-driven data ecosystems. It mirrors EU GDPR concepts but moves toward greater central coordination through interface bodies and structured digital verification services. For global firms operating in the UK or transferring data to and from it, compliance with these standards is now a critical consideration. The provisions also open discussions around international data transfers, platform interoperability, and trust frameworks.

Unlocking Customer Data Access Under the UK Data Act

UK New customer data access regulation

The Data (Use and Access) Act 2025 puts “customer data access regulation” front and center. If you’re a business trading in the UK, whether selling goods, offering digital content, or providing services, this law changes how you manage data.

Under Part 1 of the Act, the UK government now has full authority to require businesses to give customers (or their authorized agents) access to their data. This applies to anyone who’s ever bought, used, or received a service from a trader free or paid.

What Counts as Customer Data?

Customer data includes anything a business knows about what it provided to a customer: prices, delivery details, feedback, usage, performance; you name it. That data doesn’t just stay internal anymore. You might be asked to share it through dashboards, APIs, or other electronic services.

And it doesn’t stop at direct access. The act also allows customers to authorize third parties to act on their behalf. These third parties can even request corrections if the data’s wrong. This is a big move toward transparency, but it also means extra responsibility for businesses holding that data.

Why This Matters for UK Businesses

If you run a small business or handle customer data in any form, you’ll need to rethink how you store, organize, and share that data. The law allows regulators to set up standards, systems, and even external “interface bodies” to manage the flow of customer data. These bodies may create dashboards or services that your business must plug into.

You’ll also be expected to handle complaints, manage disputes, and assist customers and their agents—all within rules that can shift depending on your sector. This is more than just tech—it’s legal and operational change baked into your day-to-day work.

Regulating Business Data Sharing in the UK

From Customers to Companies: Business Data Joins the Conversation

The UK isn’t just focused on protecting customers. The customer data access regulation also expands to include business data. That means your company’s info on what you sell, how it performs, where it’s sold, and how customers react can be regulated for access or even public release.

The act allows the Secretary of State or the Treasury to demand that this kind of information be shared not just with customers but with other organizations too—especially where it encourages competition or improves services.

What Does Business Data Include?

Here’s a quick breakdown of what qualifies as “business data” under the law:

• Details on your goods, services, and digital content

• How they’re used, where they’re delivered, and how well they perform

• Customer reviews, feedback, and performance scores

• Information on pricing, delivery terms, or service standards

If this data is in your system or handled by a third party, you’re now considered a “data holder” and may be legally required to share that data in certain ways.

Who Can Ask for Business Data?

Access isn’t just for customers. Regulators can create new categories of “approved recipients.” These could include other businesses, public authorities, or watchdog agencies. To get the data, these recipients must meet specific approval standards, often through a formal decision-making process.

In some cases, even your competitors might be entitled to certain insights, especially if it’s judged to help improve customer options or market fairness. It’s about leveling the playing field but that might feel uncomfortable if you’ve treated your data as a competitive edge.

What Businesses Are Expected to Do

Under the customer data access regulation, if you’re a data holder, you may have to:

• Offer access to your business data regularly or on demand.

• Use APIs, dashboards, or approved digital systems to share it

• Follow technical standards set by regulators or interface bodies

• Handle and log data access requests

• Set up complaint-handling systems and dispute resolution options

You may even be expected to help fund or maintain the systems that make all this work through levies, fees, or financial contributions.

Global Impact and Kenya’s Role in the Data Shift

Why the UK’s Customer Data Access Regulation Matters Beyond Its Borders

The customer data access regulation in the UK isn’t just a domestic policy; it’s a signal to the rest of the world. By mandating structured access to customer and business data, the UK is reshaping how countries approach data rights, digital services, and regulatory cooperation.

For companies working across borders, this new law raises the bar. Data sharing isn’t optional anymore; it’s expected, standardized, and enforceable. That puts pressure on others, especially emerging digital markets, to catch up or risk being left behind.

Kenya’s Data Protection Act and the Global Conversation

Kenya already has its own Data Protection Act, enforced by the Office of the Data Protection Commissioner (ODPC). It emphasizes consent, accountability, and lawful processing—core principles echoed in the UK Act. But the UK takes things further by requiring data portability and regulated third-party access.

That’s where the two laws start to speak to each other.

Kenya’s businesses, especially those dealing with international partners or customers in the UK, now have to think about interoperability. Are your systems ready to provide customer data via APIs? Can authorized third parties access business data securely and with clear logs?

These are no longer hypothetical questions. They’re part of the reality for cross-border trade, finance, and compliance.

Peleza’s Role in Supporting Compliance and Data Readiness

As a compliance-first data company, Peleza is built for this moment. Our services already align with the demands of structured, secure data access. For example:

• Digital identity verification and background checks help ensure that only authorized third parties access sensitive customer data.

• Real-time audit trails and reporting features make it easier to comply with both UK and Kenyan data requirements.

• Custom integration support helps clients connect APIs, dashboards, and data feeds without breaking a sweat—or the law.

So, if you’re a Kenyan business navigating UK partnerships or a global brand operating in East Africa, Peleza gives you the tools to stay compliant and competitive.

Data Rights Are Going Global

The UK’s customer data access regulation is more than just law—it’s a trendsetter. It pushes businesses, governments, and platforms toward more transparent, interoperable, and user-first data systems.

Kenya, with its fast-growing digital economy, is well-positioned to lead in Africa’s response. Peleza in background checks is already showing how local innovation can meet global standards securely, efficiently, and with full regulatory confidence.