Search

How can we help?

Icon

Data Use and Access Bill – how will it impact businesses and their dealings with Data Protection?

In our article: data protection expectations for 2024, we hoped to see the Data Protection and Digital Information Bill (DPDIB) being granted Royal Ascent and therefore an Act of Parliament. However, due to the change in government as a result of the general election, parliament was dissolved and DPDIB shelved for the time being. Now, the Labour government have introduced their own new data protection bill – the Data (Use and Access) Bill (DUAB) – which is currently making its way through parliament.

What are the DUAB’s proposals?

The DUAB seeks to simplify data protection law in the UK. It elaborates on some previous proposals provided for by the DPDIB, removes some controversial features, and introduces new provisions.

The key proposals include:

  • relaxing existing rules in relation to automated decision making regarding personal data (it is not expected that there will be any impact on the rules for special category data);
  • creating a new lawful basis for processing personal data titled a “recognised legitimate interest”;
  • bringing the Privacy and Electronic Communications Regulations (PECR) enforcement regime in line with that of the General Data Protection Regulation (GDPR); and
  • reforming the constitution of the Information Commissioner’s Office (ICO).

How will the DUAB change existing data protection legislation?

1. Smart Data Schemes

Part 1 of the DUAB focuses on the sharing of customer and business data. This will enable businesses to share information with one another, provided the customer has given their consent; this builds upon previous consultations which were carried out when the Conservatives were in government.  The UK currently has a similar scheme in place with Open Banking but this new scheme will extend the ability for organisations to share personal data with one another in new and additional sectors such as utilities. If these schemes are put in place, consumers will find it easier to switch providers and should benefit from competitive prices.

3. Digital Verification Services

Digital Verification Services (DVS) are those services which are able to identify a person’s identity and are often used by various businesses and institutions. Part 2 of the DUAB provides that the Secretary of State will prepare a trust framework of rules regarding the use and provision of DVS. The services will need to be verified and will be provided a relevant trade mark to signify they are certified. These certified services will be featured on a publicly available register providing some comfort to data subjects whose personal data will be processed by businesses using such services.

Jordan Masters

Trainee Solicitor

View profile

+44 118 960 4662

The DUAB will also increase fines for any breaches of the PECR which cover areas like marketing and cookies. These fines would now be similar to those imposed under the GDPR.

3. Privacy

Part 5 of the DUAB looks to make the most changes to the data protection legislation and frameworks we are familiar with. Definitions within the GDPR will be amended so that data can be more easily used for research purposes and specific articles relating to the use of automated processing and decision making will be tweaked so as to relax restrictions (unless dealing with special category data as mentioned above). It’s also proposed that a new “recognised legitimate interest” will be introduced which will cover legitimate interests such as disclosure to a person carrying out a public interest task, safeguarding national security, protecting public security and defence purposes, and in response to an emergency as defined in the Civil Contingences Act 2004. This list will also be able to be expanded by the Secretary of State via further regulations.

The DUAB will also increase fines for any breaches of the PECR which cover areas like marketing and cookies. These fines would now be similar to those imposed under the GDPR.

4. Information Commissioner

Part 6 of the DUAB proposes changes to the ICO. Instead of the corporation-like body we currently have in place, the DUAB proposes that a new statutory body corporate known as the “Information Commission” be introduced. The DUAB also proposes changes to the way in which the ICO exercises its powers. the ICO has published a response to the draft DUAB, agreeing with its reforms, and stating they believe it will enhance regulatory effectiveness.

The above provides a brief summary of some of the key changes we expect to impact ordinary businesses and their use of data. However, the DUAB is wide-ranging and also includes proposals regarding updating the register of births and deaths so it is solely electronic and upgrading the safety and efficiency of underground electrical assets. It’s worth noting that the DUAB  has so far had a favourable reception.

When will we see the changes come into effect?

The DUAB has received its second reading within the House of Lords and is now at the first committee stage. We still have a bit of a wait it becomes law, if it succeeds in doing so.

Our data protection team will continue to monitor the DUAB’s progress and provide updates on any major changes.

If you would like to learn more about how data protection has changed in 2024 and our expectations for 2025, along with further information regarding the DUAB, please contact us.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Jordan Masters

Trainee Solicitor

View profile

+44 118 960 4662

About this article

Read, listen and watch our latest insights

art
  • 20 January 2025
  • Employment

AI Opportunities Action Plan – The impact of AI on employment

The Government has announced its ‘AI Opportunities Action Plan’ in which it plans to increase the use of AI across the UK to ensure the UK is a world leader in the field. 

art
  • 16 January 2025
  • Corporate and M&A

Business Asset Disposal Relief: Changes to CGT Relief and the Consequences for Business Owners

Developing a robust cybersecurity strategy is essential to ensuring value retention, securing sensitive data, minimising risks and a seamless transfer during and after the merger or acquisition.

Pub
  • 10 January 2025
  • Privacy and Data Protection

UK Data Protection: What happened in 2024 and what’s in store in 2025?

It’s been a year of political change and uncertainty for data protection. Join our data protection webinar, where we will discuss the implications of the Data Protection and Digital Information Bill not passing and the upcoming Digital Information and Smart Data Bill from the King’s Speech, which will affect existing laws.

art
  • 06 January 2025
  • Privacy and Data Protection

WhatsApp in the Workplace

This article explores the potential risks of using WhatsApp for workplace communications, the implications for GDPR compliance and under UK legislation, and provides practical tips for employers to mitigate these risks.

art
  • 16 December 2024
  • Privacy and Data Protection

Recognising DSARs: top tips for organisations

The UK GDPR grants Data Subjects, who are the individuals to whom the personal data relates, rights over their personal data, including the rights of access, correction and erasure.

art
  • 10 December 2024
  • Corporate and M&A

The value of cyber security for mergers and acquisitions

Developing a robust cybersecurity strategy is essential to ensuring value retention, securing sensitive data, minimising risks and a seamless transfer during and after the merger or acquisition.