The UK is entering a new era of data protection and privacy laws with the introduction of the Data (Use and Access) Bill (DUAB). This comprehensive reform aims to streamline compliance, support innovation, and modernise the UK's approach to data use and privacy, while maintaining alignment with international standards like the EU's GDPR framework.
These changes are part of the UK’s effort to refine its post-Brexit data landscape. By modernising rules for data sharing, strengthening ePrivacy laws, and introducing new tools like recognised legitimate interests, the reforms give businesses opportunities to operate more efficiently while addressing the risks associated with automation and data misuse.
In this guide, we’ll break down the key changes, explain how they could affect your business, and outline actionable steps to help you prepare and stay compliant.
Starting in 2025, certain data processing activities—like fraud prevention, cybersecurity, and public health initiatives—will be classified as recognised legitimate interests. This means these activities can be conducted without explicit consent or lengthy legitimate interest assessments (LIAs).
What this means for your business: Less admin for common processes, but you must remain transparent and accountable.
Steps to take:
Clearly explain what recognised legitimate interests your business relies on and why.
Keep simple records to show compliance during audits.
Ensure staff understand how to apply the new rules responsibly.
The UK is streamlining international data transfers through tools like the International Data Transfer Agreement (IDTA) and UK Binding Corporate Rules (BCRs). These updates aim to simplify compliance for businesses operating globally.
What this means for your business: You’ll need to ensure that all cross-border transfers use UK-compliant tools.
Steps to take:
Review how and where you send personal data internationally.
Ensure you’re using the appropriate agreements for compliance.
Work with a Data Protection Officer (DPO) or consultant for complex global operations.
New rules reduce paperwork for low-risk data processing while maintaining stricter requirements for high-risk activities, such as handling sensitive health or biometric data.
What this means for your business: Less compliance admin for low-risk processing, but you must still follow core data protection principles.
Steps to take:
Identify if your business handles high-risk data that requires detailed records.
Update your documentation to reflect reduced admin for low-risk activities.
Stay on top of regulatory changes to ensure ongoing compliance.
The DUAB introduces sweeping changes to how data is accessed and shared, aiming to unlock economic potential, enhance public services, and strengthen privacy compliance. One key focus is improving the efficiency of digital processes while ensuring robust privacy safeguards.
The Bill provides a framework for secure, interoperable digital identity systems. This simplifies online identity checks for businesses and public services, reducing fraud and making it easier for users to verify their identities across platforms.
Expanding on the success of open banking, the DUAB proposes to implement smart data schemes in other sectors, allowing businesses to access and share data more easily. This innovation could open new opportunities for services and competition.
By clarifying rules for data access, the DUAB supports sectors like healthcare and law enforcement. For example, the NHS will benefit from real-time data sharing, which could improve patient care and operational efficiency.
What this means for your business: If your business interacts with public services or requires identity verification, these updates can simplify operations and reduce admin, while providing new opportunities for partnerships and innovation.
The DUAB modernises the Privacy and Electronic Communications Regulations (PECR) to align with current technology and user expectations. These changes focus on reducing unnecessary disruptions for users while strengthening enforcement to ensure compliance.
Businesses can now use first-party cookies for website analytics without obtaining prior consent, as long as the cookies don’t track users across different sites. This means fewer annoying pop-ups for UK website visitors.
Other tracking technologies that work in a similar way to cookies, often used by marketers, are now subject to the same rules as cookies, ensuring consistency in data protection.
Penalties for PECR breaches now match GDPR levels, with fines reaching up to £17.5 million or 4% of a company’s global annual turnover for serious violations.
What this means for your business: You can improve user experience by reducing cookie pop-ups for analytics, but you must ensure compliance with broader ePrivacy rules, particularly for third-party trackers and marketing tools.
The DUAB introduces targeted measures to address online safety and data access in critical situations, particularly involving vulnerable users.
Platforms will now be required to retain information related to the deaths of minors using their services. This ensures that families can access crucial data in sensitive situations, such as investigations into cyberbullying or online harassment.
In an effort to improve transparency and safety, researchers will be granted access to platform data to study risks such as misinformation, harmful content, or the impact of algorithms.
What this means for your business: If your platform handles user-generated content or sensitive data, you’ll need to comply with these new requirements by ensuring proper data retention practices and cooperating with researchers where applicable.
Another change introduced by the DUAB is the replacement of the Information Commissioner’s Office (ICO) with a new regulatory body called the Information Commission. This reform aims to modernise the regulator’s structure, responsibilities, and powers to better align with the UK’s evolving data protection and privacy landscape.
The new Information Commission will retain many of the ICO’s existing functions, such as overseeing compliance with data protection laws and handling complaints from individuals. However, it will also introduce several critical updates to its operations and enforcement capabilities:
The Information Commission will be empowered to compel organisations to produce reports, provide detailed data processing information, or attend interviews as part of its investigations.
While the ICO previously had a six-month limit for issuing penalty notices, the Information Commission will be granted more flexibility. It will have the ability to extend investigations beyond six months when necessary, ensuring thorough reviews of complex cases.
The Information Commission will be legally required to consider how its actions promote innovation and competition in the UK. This marks a shift towards a more business-friendly approach, balancing compliance with encouraging economic growth.
Despite its expanded role, the Information Commission is designed to operate independently. Unlike the earlier proposals under the Data Protection and Digital Information Bill (DPDIB), which raised concerns about government interference, the DUAB ensures the Information Commission retains the autonomy it needs to enforce data protection laws impartially.
What this means for your business: The transition to the Information Commission will bring greater clarity and efficiency to data protection enforcement. However, businesses can also expect increased scrutiny, particularly in complex investigations, and should ensure their data protection practices are robust and well-documented to handle potential inquiries effectively.
Review your data processing practices, including legitimate interests, international transfers, and AI use. Identify compliance gaps and opportunities to leverage new flexibility.
Ensure your privacy notices are clear, transparent, and reflect the latest rules on legitimate interests, international transfers, and data sharing.
Educate employees about the changes, focusing on legitimate interests, complaint handling, and ePrivacy compliance.
With reduced admin for low-risk processing, robust data protection systems are critical to prevent breaches and ensure compliance.
For high-risk or complex operations, work with a DPO or advisor to navigate these changes confidently.