The life sciences sector sits at the intersection of scientific innovation, healthcare delivery and large‑scale data use, making the processing of personal data an essential, but highly regulated, activity. Organisations operating in pharmaceuticals, biotechnology, medical devices and clinical research rely heavily on information and data about a broad range of research data subjects. Against this backdrop, the UK’s data protection framework is evolving following the enactment of the Data (Use and Access) Act 2025, which amends the UK GDPR and related legislation with the stated aim of enabling responsible innovation. For life sciences organisations, this creates both new opportunities and continuing compliance challenges.
Personal data and special category data
Personal and special category data are fundamental to modern life sciences activity. Clinical trials require the collection and analysis of detailed health information, diagnostic companies increasingly depend on large datasets to develop and validate products, and pharmaceutical businesses rely on data to monitor safety and effectiveness throughout a product’s lifecycle. Some of this data will be special category personal data under the UK GDPR (including health and genetic data) and is therefore subject to enhanced legal protection. The scale and sensitivity of the data involved, together with the use cases for that data, mean the sector is widely regarded as higher risk from a data protection compliance perspective, particularly when data is reused for research, shared across borders, or processed using advanced analytics and automated tools.
Core UK GDPR compliance challenges in life sciences
For life sciences organisations, the UK GDPR Article 5 principles, particularly purpose limitation and transparency, require them to clearly define the purposes of processing and to identify an appropriate lawful basis under Article 6, even where such processing is iterative and long‑running in nature.
Reliance on consent can be problematic given participants have the right to withdraw consent at any time, so controllers frequently consider alternatives such as public task or legitimate interests. Where health, genetic or other special category data is involved, an Article 9 condition must also be met, elevating the compliance threshold. These requirements become most acute where datasets are repurposed (e.g., clinical trial data supporting secondary research or real‑world evidence).
The Data (Use and Access) Act 2025: an innovation‑focused shift?
The Data (Use and Access) Act 2025 (DUAA) does not replace the existing UK GDPR framework. Rather, it introduces targeted amendments intended to facilitate data use and ease certain compliance frictions, while largely maintaining the core structure of existing rights and safeguards.
Expanded flexibility for scientific research
Although the Data Protection Act already contains exemptions for scientific research, including around transparency and purpose limitation, the DUAA seeks to strengthen this position by reinforcing and expanding the scope of those protections. The DUAA clarifies the circumstances in which personal data may be used for scientific research (including, importantly, commercial research) and supports the use of broader consent for defined areas of research, rather than consent limited to narrowly specified projects.
It is likely that clinical trials and other life sciences research will involve the use of personal data at various stages of the research lifecycle. Against that backdrop, the DUAA also attempts to relax certain transparency obligations by amending the UK GDPR to allow the re‑use of previously collected personal data for scientific research where compliance with transparency obligations would involve a “disproportionate effort”. This aims to provide life sciences organisations with greater legal certainty and operational flexibility when pursuing long‑term, iterative research programmes.
Automated decision‑making and emerging technologies
The DUAA also adjusts the UK’s approach to automated decision‑making, widening the circumstances in which organisations may engage in this processing activity provided that appropriate safeguards are in place. Under the pre‑existing framework, controllers faced stricter constraints on decisions based solely on automated processing that produced legal or similarly significant effects for an individual. The DUAA moves towards a more permissive baseline. Although special category data continues to attract heightened protection, these changes are likely to be particularly relevant for life sciences organisations deploying AI‑enabled tools for diagnostics, analytics and operational decision‑making. The reforms also seek to introduce more pragmatic approaches to subject access requests and complaint handling, aiming to improve administrative efficiency and address long‑running criticism of the scope and burden of subject access requests, without significantly diluting individual privacy rights.
Some other material changes
Beyond research and automated decision‑making, the DUAA introduces a number of additional changes that may be relevant to life sciences organisations including but not limited to:
- Recognised legitimate interests. A new lawful basis (“recognised legitimate interests”), set out in Annex 1 to the UK GDPR, for specified public‑interest purposes (including safeguarding, crime prevention, emergency response and certain disclosures to support public tasks).
- International data transfers. The DUAA adjusts the UK’s adequacy framework for transfers and the legal test. For international data transfers, this may affect transfer risk assessments and the governance of cross‑border research, pharmacovigilance and vendor arrangements.
Looking ahead
Looking ahead, compliance in the life sciences sector will continue to depend on strong data governance, but organisations should review their existing compliance frameworks, policies and procedures to consider whether updates should be made in light of the DUAA.
That said, while the DUAA may signal a more innovation‑friendly direction for UK data protection, life sciences organisations will still need to handle personal data with care, balancing the pursuit of scientific progress against the need to uphold the principles set out in the UK GDPR. In addition, any material divergence from the EU GDPR position could introduce complexity, and global organisations are likely to need to take this into account when considering changes to their wider compliance frameworks.