This informal CPD article, ‘Businesses, Archives and the Data (Use & Access) Act 2025‘, has been provided by Jess Pembroke, Director of Information Law Services at Naomi Korn Associates, a UK-based leader specialising in copyright, data protection and licensing.
The Data (Use & Access) Act 2025 (DUAA) is a piece of UK legislation which was designed to amend data protection law and modernise the way organisations handle, preserve and access personal and corporate data. It established clear frameworks for the lawful retention and use of information, particularly where personal data has been collected under consent. The Act aimed to balance the importance of safeguarding corporate memory with rigorous data protection standards, ensuring both transparency and accountability in data management practices.
With Schedule 5 of the Data (Use & Access) Act 2025 (DUAA) now in force, organisations preserving corporate memory from in-house archives teams to collecting institutions have new lawful routes to accept and safeguard personal data originally gathered under consent.
For business archives, whose collections often blend commercial history with identifiable personal information, these changes arrive at precisely the right moment. They support long-term preservation while ensuring transparency, accountability and compliance with modern data protection expectations.
Below is what business archives should be thinking about right now.
1. Reassess Your Lawful Basis for Archival Processing
Business archives frequently hold personnel files, customer data, shareholder information and correspondence.
With Schedule 5 now active, it’s essential to:
- Confirm your lawful basis for archiving; typically, public task (for public corporate bodies) or legitimate interests (for private-sector organisations).
- Map exactly what data you’re processing and why.
- Ensure you can evidence that data held for legacy or research value aligns with DUAA expectations.
This is particularly important for businesses that previously relied on consent to collect personal data; Schedule 5 provides new opportunities.
2. Update and Clarify Your Privacy Notice
Your privacy notice should:
- Explain your organisation’s commitment to archiving in the public interest.
- Set out why personal data is retained long term.
- Describe the provenance of business collections.
- Be accessible, understandable and regularly reviewed.
If business archives want to rely on the strengthened archival exemptions, transparency forms an important part of that.
3. Strengthen Acquisition and Appraisal Processes
Schedule 5 reinforces the need for fair, evidence-based decisions about what business archives acquire and retain.
For in‑house business archives, this means reviewing:
- Retention schedules
- Appraisal guidelines
- Legacy collections that include employee or customer information
- Donation and transfer agreements
Documenting your rationale is key for both compliance and accountability.
4. Review Security, Storage and Third-Party Arrangements
Corporate archives often span everything from underground strongrooms to cloud-hosted repositories.
Now is the right moment to:
- Audit physical storage, access controls and environmental security.
- Review permissions for digital systems and internal users.
- Check contracts with third-party processors, digitisation suppliers or off-site storage providers.
- Refresh breach reporting procedures in line with the DUAA and UK GDPR.
5. Prepare Internal and External Stakeholders
Business archives rely on cooperation across the organisation, including IT, HR, Legal, Governance, Communications, Records Management and senior leadership.
Now is the time to:
- Update internal policies.
- Reassure stakeholders that new, clear standards are emerging.
- Prepare donor bodies, depositors or partner organisations for future changes.
6. Engage with the New Generally Recognised Standards
The sector’s new Generally Recognised Standards for archiving in the public interest drafted and developed with archivists, records managers and organisations including The National Archives, PRONI, NRS, IRMS and others are now published.
These standards:
- Provide the sector-wide baseline for lawful, accountable archiving
- Apply directly to business archives acting in the public interest
- Support consistent, defensible decision-making
Every business archive should now begin aligning their practices with these standards.
We hope this article was helpful. For more information from Naomi Korn Associates, please visit their CPD Member Directory page. Alternatively, you can go to the CPD Industry Hubs for more articles, courses and events relevant to your Continuing Professional Development requirements.
