DUAA and SARs: Considering reasonable and proportionate searches

What does the Data (Use and Access) Act 2025 change?

The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, introduces several measures and is set to be implemented in phases over the next year. A provision of the Act which has come into effect immediately is the principle of a ‘reasonable and proportionate search’ when responding to Subject Access Requests (SARs) under Article 15 of the UK GDPR. 

While this concept will be familiar to organisations as a long-standing tenet of the Information Commissioner’s Office (ICO) guidance, its inclusion in the Act formally enshrines it in law. A data controller now has statutory backing to decline to search extensive systems and data where the effort would be disproportionate to the request. 

 

What counts as ‘reasonable and proportionate’?

The Act itself does not define what constitutes a ‘reasonable and proportionate search’; this task will presumably fall to the regulator in due course. However, in the absence of updated guidance from the ICO, existing legal precedent, particularly the ruling in Ashley v HMRC, provides valuable insight. This case examined HMRC’s response to a SAR and established that, when determining the scope of a search, controllers can consider the time required for both thorough redaction and the skilled application of exemptions under the Data Protection Act (DPA) 2018. You may give weight to the burden imposed by the request, not simply the time taken to conduct the initial search. 

However, controllers must remember that the court was quite clear in its ruling that the bar for disproportionality is high. The court emphasised that controllers are not absolved of their duty to implement effective SAR procedures. You must be aware that poor file management, or complexities around organisation and staffing, likely cannot be used as a justification for deeming a search unreasonable.

 

Can controllers now refuse a SAR?

The reality of the change in the law for controllers is that they may now be able to decline a SAR where the search (and, drawing on the ruling in Ashley, the subsequent redaction and management) would impose effort, cost, time or disruption on the organisation that is unreasonable and disproportionate. Unfortunately, this is the point at which legal advice stops and strategic risk management begins.

It falls on the controller to balance the operational burden against the potential harm to the data subject, and to meticulously justify and document their decision-making process. While most data protection practitioners would advise caution, a formal business decision, signed off at a senior level, now has the legislative armour to refuse a request on the grounds of disproportionality. If faced with a SAR that involves a significant cost or resource drain, the organisation can choose to decline, but it must be prepared to thoroughly defend this position to both the individual and the ICO. 

 

How can organisations conduct reasonable searches in practice?

As technology advances, the boundaries of what is considered ‘reasonable’ in the practical business of searching for documentation are likely to shift. Searching is already easier with the right systems in place, and regulators may expect organisations to make full use of available tools. 

For example, consider the following techniques, how they refine the search process, and how they might be incorporated into your SAR procedure:

Search operators: Utilise Boolean operators and other search tools within your systems as much as possible. Use tags, date limiters, and specific keywords to narrow the scope of your searches effectively from the outset. We advocate for solid records management frameworks and policies; they will always make the task of searching far easier.

Specialist software: For organisations that frequently handle large SARs, investing in specialist software can be highly beneficial. These tools offer advanced features like email threading (grouping conversation chains) and de-duplication, which can dramatically reduce the volume of documents needing review. While these solutions can be costly, they can provide a strong return on investment.

Narrow the field: It is likely reasonable to scope your search to specific business areas or date ranges, especially in consultation with the requester. For example, if a requester worked as a field technician, a search of the software development team’s servers would likely be unnecessary.

Seek specialist assistance: If your risk managers decide that declining the SAR is too great a risk, but the internal resource cost is too high, consider contracting a third-party specialist. Organisations that specialise in SARs have the software, skills, and experience to handle complex requests efficiently, which can save you money and stress in the long run.
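The narrowing, keyword, de-duplication and email-threading steps described above, as an added worked example in Python. This is not code from the original post or from any SAR product; the document corpus, the business-area names and the data subject “A. Example” are all constructed, and the scope record the search returns is one way of capturing the search criteria and volumes at each stage so that the decision can be documented and defended later.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Document:
    doc_id: str
    source: str      # business area or system the item was retrieved from
    sent: date
    subject: str
    body: str


# Constructed sample corpus (hypothetical, not real data).
CORPUS = [
    Document("d1", "field-ops", date(2024, 3, 4), "Shift rota", "Rota for A. Example, week 10."),
    Document("d2", "field-ops", date(2024, 3, 5), "Re: Shift rota", "Thanks. A. Example can cover Friday."),
    # d3 is a verbatim copy of d2 (e.g. a CC'd mailbox) and should be removed by de-duplication.
    Document("d3", "field-ops", date(2024, 3, 5), "RE: Shift rota", "Thanks. A. Example can cover Friday."),
    Document("d4", "dev-team", date(2024, 3, 6), "Build failure", "CI broke on main, unrelated to A. Example."),
    Document("d5", "field-ops", date(2021, 1, 9), "Old appraisal", "Appraisal notes for A. Example."),
    Document("d6", "hr", date(2024, 4, 1), "Fwd: Shift rota", "Forwarding the rota thread."),
]


def normalise_subject(subject: str) -> str:
    """Strip Re:/Fwd:/FW: prefixes so replies and forwards group into one thread."""
    s = subject.strip()
    while True:
        m = re.match(r"^(re|fwd?|fw)\s*:\s*", s, flags=re.IGNORECASE)
        if not m:
            break
        s = s[m.end():]
    return s.lower()


def content_fingerprint(doc: Document) -> str:
    """SHA-256 of the whitespace-collapsed, lower-cased subject and body, used for de-duplication."""
    text = normalise_subject(doc.subject) + "\n" + " ".join(doc.body.split()).lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def run_scoped_search(corpus: list[Document], *, keywords: list[str], start: date, end: date,
                      sources: set[str]) -> tuple[list[Document], dict]:
    """Apply the scope (business areas, date range), then keywords, then de-duplicate and thread.

    Returns the unique hits and a scope record listing the criteria and the volume at each stage.
    """
    scope = {
        "keywords": list(keywords),
        "start": start.isoformat(),
        "end": end.isoformat(),
        "sources": sorted(sources),
        "corpus_size": len(corpus),
    }
    # Narrow the field first: cheap filters on business area and date limiters.
    in_scope = [d for d in corpus if d.source in sources and start <= d.sent <= end]
    scope["in_scope_by_source_and_date"] = len(in_scope)

    # Keyword search (any keyword, case-insensitive) over subject and body.
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = [d for d in in_scope if pattern.search(d.subject) or pattern.search(d.body)]
    scope["keyword_hits"] = len(hits)

    # De-duplicate by content fingerprint, keeping the first copy seen.
    seen: set[str] = set()
    unique: list[Document] = []
    for d in hits:
        fp = content_fingerprint(d)
        if fp not in seen:
            seen.add(fp)
            unique.append(d)
    scope["after_deduplication"] = len(unique)

    # Email threading: group the remaining items by normalised subject for review.
    threads: dict[str, list[str]] = {}
    for d in unique:
        threads.setdefault(normalise_subject(d.subject), []).append(d.doc_id)
    scope["threads"] = threads
    return unique, scope


def example_search() -> tuple[list[Document], dict]:
    """The worked query: a field technician's data, 2024 only, field operations and HR systems only."""
    return run_scoped_search(
        CORPUS,
        keywords=["A. Example"],
        start=date(2024, 1, 1),
        end=date(2024, 12, 31),
        sources={"field-ops", "hr"},
    )


if __name__ == "__main__":
    documents, record = example_search()
    print([d.doc_id for d in documents])
    print(record)
```

The order of the stages matters in practice: the business-area and date limiters are applied before the keyword search because they are cheap and they are the criteria a controller is most likely to have agreed with the requester, so the scope record shows how many items were excluded by agreed scope rather than by judgement. The record also shows the review volume falling from the raw keyword hits to the de-duplicated, threaded set, which is the reduction the post attributes to specialist tooling.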

 

What does this mean for risk strategy going forward?

By placing the principle of “reasonable and proportionate” on a statutory footing, the Act gives organisations more control, but also greater responsibility. Refusing a request is now legally possible, but it must be justified with care and supported by evidence.

For many organisations, the change will be less about whether to refuse and more about how to improve processes so that searches are faster, smarter, and less burdensome. Strong record management, investment in technology, and a clear risk strategy will be essential to navigate this new landscape.
