The new Data Use and Access Bill: What it means for your business
The UK is entering a new era of data protection and privacy laws with the introduction of the Data (Use and Access) Bill (DUAB). This comprehensive reform aims to streamline compliance, support innovation, and modernise the UK's approach to data use and privacy, while maintaining alignment with international standards like the EU's GDPR framework.
These changes are part of the UK’s effort to refine its post-Brexit data landscape while staying close enough to the EU’s GDPR to preserve the EU adequacy decision on which EU-to-UK data flows depend. By modernising rules for data sharing, updating the ePrivacy rules (PECR), and introducing new tools such as recognised legitimate interests, the reforms give businesses room to operate more efficiently while addressing risks from automated decision-making and data misuse.
In this guide, we’ll break down the key changes, explain how they could affect your business, and outline actionable steps to help you prepare and stay compliant.
What’s new in the 2025 UK GDPR changes?
1. Recognised legitimate interests
Once the Bill is in force, a short list of processing purposes, such as preventing or detecting crime, safeguarding vulnerable people, responding to emergencies and protecting national security, will be classified as recognised legitimate interests. Processing for these purposes will not need consent or a case-by-case legitimate interest assessment (LIA), although the other principles (transparency, data minimisation, individuals’ rights) still apply. Security-related processing such as network and information security is named in the Bill only as an example of an ordinary legitimate interest, so it, and related purposes such as fraud prevention, still require the usual balancing test against individuals’ interests.
What this means for your business: Less admin for the listed purposes, but you must still be transparent about the lawful basis you rely on and be able to show it applies.
Steps to take:
- Update privacy notices
Clearly explain which lawful basis, including any recognised legitimate interest, your business relies on for each purpose and why.
- Document data processing
Keep your records of processing activities (ROPA) up to date so you can show compliance during audits.
- Train your team
Ensure staff understand how to apply the new rules responsibly.
2. Simplified international data transfers
The UK’s existing transfer tools, the International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses and UK Binding Corporate Rules (BCRs), remain in place. The Bill replaces the current adequacy and transfer risk assessments with a single “data protection test”: personal data may be sent to a country, or under a transfer mechanism, where the standard of protection is not materially lower than under UK law. The aim is to simplify compliance for businesses operating globally.
What this means for your business: Every cross-border transfer still needs a UK-recognised mechanism (adequacy regulations, IDTA or Addendum, or BCRs), and your transfer risk assessments should be updated to apply the new test.
Steps to take:
- Audit your transfers
Review how and where you send personal data internationally.
- Update contracts
Ensure each transfer is covered by the IDTA, the UK Addendum to the EU Standard Contractual Clauses, or BCRs, and that the agreement names the current recipient and purpose.
- Seek expert advice
Work with a Data Protection Officer (DPO) or consultant for complex global operations.
3. Easier compliance for low-risk activities
New rules reduce paperwork for low-risk data processing while maintaining stricter requirements for high-risk activities, such as handling sensitive health or biometric data. Note that the DUAB does not carry over the earlier DPDIB proposals to replace Data Protection Officers, records of processing activities (ROPAs) and data protection impact assessments (DPIAs) with lighter-touch alternatives; those obligations continue to apply where they do today.
What this means for your business: Less compliance admin for low-risk processing, but you must still follow core data protection principles.
Steps to take:
- Review your activities
Identify whether your business handles high-risk data that requires detailed records and a DPIA.
- Simplify policies
Update your documentation to reflect reduced admin for low-risk activities.
- Monitor updates
Stay on top of regulatory changes to ensure ongoing compliance.
How will the Data (Use and Access) Bill impact your business?
1. Modernising data use and access
The DUAB introduces sweeping changes to how data is accessed and shared, aiming to unlock economic potential, enhance public services, and strengthen privacy compliance. One key focus is improving the efficiency of digital processes while ensuring robust privacy safeguards.
- Digital identity and verification
The Bill puts the Digital Verification Services (DVS) trust framework on a statutory footing, with a register of certified providers and a trust mark, so that identity checks can be reused across platforms. This simplifies online identity checks for businesses and public services, reduces fraud, and makes it easier for users to prove who they are without re-submitting documents to every service.
- Smart data schemes
Expanding on the success of open banking, the DUAB proposes to implement smart data schemes in other sectors, allowing businesses to access and share data more easily. This innovation could open new opportunities for services and competition.
- Easier data sharing for public services
By clarifying rules for data access, the DUAB supports sectors like healthcare and law enforcement. For example, the Bill allows mandatory information standards for IT systems used across the NHS and adult social care, so that patient records can be shared between providers, which could improve patient care and operational efficiency.
What this means for your business: If your business interacts with public services or requires identity verification, these updates can simplify operations and reduce admin, while providing new opportunities for partnerships and innovation.
2. Updates to ePrivacy laws
The DUAB modernises the Privacy and Electronic Communications Regulations (PECR) to align with current technology and user expectations. These changes focus on reducing unnecessary disruptions for users while strengthening enforcement to ensure compliance.
- Consent-free analytics cookies
Under the Bill, first-party cookies used to collect statistics on how a website is used, with a view to improving it, will be exempt from the prior-consent requirement, provided they are not used to track users across different sites and visitors are given clear information and a simple way to object. This means fewer cookie pop-ups for UK website visitors.
- Regulating pixel tracking and device fingerprinting
The rules cover any technology that stores information on, or reads information from, a user’s device, so tracking pixels and device fingerprinting, both widely used by marketers, fall under the same consent rules as cookies, ensuring consistency in data protection.
- Stronger enforcement powers
Penalties for PECR breaches will match UK GDPR levels: up to £17.5 million or 4% of a company’s global annual turnover, whichever is higher, for serious violations, replacing the current £500,000 cap.
What this means for your business: You can improve user experience by reducing cookie pop-ups for analytics, but you must ensure compliance with broader ePrivacy rules, particularly for third-party trackers and marketing tools.
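The following Python triage script is an added example (it is not code from the article or from lawyerlink) that applies the analytics exemption exactly as described above to an inventory of cookies: a cookie is treated as exempt from prior consent only if it is first-party, used for analytics, not used for cross-site tracking, and the visitor has been informed and can object; strictly necessary cookies rely on the existing PECR exemption. The cookie inventory is constructed sample data, and the tiny `PUBLIC_SUFFIXES` set is an assumed stand-in for the full Public Suffix List that a real audit would load.

```python
"""Cookie consent triage under the first-party analytics exemption.

Added example, not from the original article. Classifies an inventory of
cookies observed on a site into (a) usable without prior consent and
(b) needing consent. The inventory is constructed sample data; the suffix
list is an assumed, deliberately tiny stand-in for the Public Suffix List.
"""
from dataclasses import dataclass

# Assumption: minimal stand-in for the Public Suffix List (constructed).
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "com", "net", "io"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 for a host, e.g. 'www.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().strip(".").split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str            # Domain attribute the cookie is scoped to
    purpose: str           # "analytics", "marketing", "strictly_necessary", ...
    cross_site: bool       # Used to follow the user across other sites
    user_informed: bool    # Cookie/privacy notice explains this cookie
    can_object: bool       # A simple opt-out is offered


def consent_required(site_host: str, cookie: Cookie) -> tuple[bool, str]:
    """Decide whether prior consent is needed for one cookie.

    Returns (required, reason). Implements the analytics carve-out as the
    article describes it plus the inform/object conditions, and the existing
    PECR exemption for strictly necessary cookies.
    """
    if cookie.purpose == "strictly_necessary":
        return False, "strictly necessary (existing PECR exemption)"
    first_party = registrable_domain(cookie.domain) == registrable_domain(site_host)
    if not first_party:
        return True, "third-party cookie"
    if cookie.purpose != "analytics":
        return True, f"first-party but purpose is {cookie.purpose!r}"
    if cookie.cross_site:
        return True, "analytics cookie also tracks users across sites"
    if not (cookie.user_informed and cookie.can_object):
        return True, "analytics exemption conditions not met (inform + objection)"
    return False, "first-party analytics, no cross-site tracking, conditions met"


def audit(site_host: str, cookies: list[Cookie]) -> dict[str, list[str]]:
    """Group cookies into 'exempt' and 'consent' buckets with a reason each."""
    report: dict[str, list[str]] = {"exempt": [], "consent": []}
    for c in cookies:
        required, reason = consent_required(site_host, c)
        report["consent" if required else "exempt"].append(f"{c.name}: {reason}")
    return report


# Constructed sample inventory for a site served from www.example.co.uk.
SAMPLE_COOKIES = [
    Cookie("_site_stats", ".example.co.uk", "analytics", False, True, True),
    Cookie("_vendor_id", ".example.co.uk", "analytics", True, True, True),
    Cookie("ad_id", ".adnetwork.com", "marketing", True, True, False),
    Cookie("_site_stats_v2", "stats.example.co.uk", "analytics", False, False, True),
    Cookie("sessionid", "www.example.co.uk", "strictly_necessary", False, True, False),
]

if __name__ == "__main__":
    for bucket, entries in audit("www.example.co.uk", SAMPLE_COOKIES).items():
        print(bucket.upper())
        for line in entries:
            print("  ", line)
```

The first-party test compares registrable domains rather than full hostnames, so a cookie scoped to `.example.co.uk` set from `stats.example.co.uk` is still first-party, while one scoped to a vendor domain is not even if it is served from a script on your page. Treat the output as a starting point for your cookie audit; the precise conditions for the exemption are in the Bill’s text.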
3. Addressing online risks
The DUAB introduces targeted measures to address online safety and data access in critical situations, particularly involving vulnerable users.
- Retaining data related to minors
Where a coroner is investigating a child’s death, the online safety regulator (Ofcom) will be able to require platforms to preserve data about that child’s use of their services. This ensures that crucial information is available to the investigation, and to the family, in sensitive situations such as inquiries into cyberbullying or online harassment.
- Researcher access to platform data
In an effort to improve transparency and safety, the Bill provides for regulations under which independent researchers will be able to access platform data to study risks such as misinformation, harmful content, or the impact of recommendation algorithms.
What this means for your business: If your platform handles user-generated content or sensitive data, you’ll need to comply with these new requirements by ensuring proper data retention practices and cooperating with researchers where applicable.
4. Reforming the Information Commissioner’s Office (ICO)
Another change introduced by the DUAB is the replacement of the Information Commissioner’s Office (ICO) with a new regulatory body called the Information Commission. This reform aims to modernise the regulator’s structure, responsibilities, and powers to better align with the UK’s evolving data protection and privacy landscape.
The new Information Commission will retain many of the ICO’s existing functions, such as overseeing compliance with data protection laws and handling complaints from individuals. However, it will also introduce several critical updates to its operations and enforcement capabilities:
- Stronger investigative powers
The Information Commission will be empowered to compel organisations to produce reports, provide detailed data processing information, or attend interviews as part of its investigations.
- Extended investigation timelines
At present the ICO must issue a penalty notice within six months of its notice of intent. The Information Commission will be able to extend that period when a complex case requires it, allowing a thorough review rather than a rushed decision.
- Promoting innovation and competition
The Information Commission will be legally required to consider how its actions promote innovation and competition in the UK. This marks a shift towards a more business-friendly approach, balancing compliance with encouraging economic growth.
- Maintaining independence
Despite its expanded role, the Information Commission is designed to operate independently. Unlike earlier proposals under the Data Protection and Digital Information Bill (DPDIB), which raised concerns about government interference, the DUAB ensures the Information Commission retains the autonomy it needs to enforce data protection law impartially.
What this means for your business: The transition to the Information Commission will bring greater clarity and efficiency to data protection enforcement. However, businesses can also expect increased scrutiny, particularly in complex investigations, and should ensure their data protection practices are robust and well-documented to handle potential inquiries effectively.
Five steps to prepare for the changes
- Audit your data activities
Review your data processing practices, including legitimate interests, international transfers, and AI use. Identify compliance gaps and opportunities to leverage new flexibility.
- Update your privacy notices
Ensure your privacy notices are clear, transparent, and reflect the latest rules on legitimate interests, international transfers, and data sharing.
- Train your team
Educate employees about the changes, focusing on legitimate interests, complaint handling, and ePrivacy compliance.
- Strengthen your cybersecurity
Lighter paperwork does not lower the security duty: the integrity and confidentiality principle and breach notification obligations are unchanged, and PECR penalties rise to UK GDPR levels, so access control, logging and breach response need to be solid.
- Consult a privacy expert
For high-risk or complex operations, work with a DPO or advisor to navigate these changes confidently.
How lawyerlink can help your business navigate the DUAB changes
Our regulatory and compliance service is designed to provide practical, proactive support for businesses navigating the complexities of data compliance. Here’s how we can assist:
- Help with updating privacy notices, data transfers, and cookie consent.
- Guidance on managing data complaints and meeting new rules.
- Simple advice on legitimate interests and decision-making.
- Support to strengthen your policies and avoid fines.