What do businesses need to know about the Data (Use and Access) Bill? Understanding the UK’s changes to GDPR

The Data (Use and Access) Bill (DUAB) represents a significant update to the UK’s data protection and privacy framework, carrying over many elements from the previous government’s Data Protection and Digital Information Bill. The bill introduces new lawful bases for data processing, broadens access to data for public bodies, relaxes certain privacy restrictions, and modernises the UK’s approach to digital regulation. Businesses must understand these changes to ensure compliance and seize new opportunities.

What are recognised legitimate interests?

One of the core elements of DUAB is the introduction of “recognised legitimate interests” as a lawful basis for data processing. These are a closed list of purposes, including national security, public security and defence, responding to emergencies, preventing or detecting crime, and safeguarding vulnerable individuals, for which a controller can rely on legitimate interests without carrying out the usual balancing test. Disclosure to a public body that has requested the data to carry out its public tasks is also on the list, so public bodies will be able to request data from private companies to support their work, with individuals having more limited scope to object to that sharing. The bill also clarifies the handling of data subject rights requests: organisations need only carry out a reasonable and proportionate search for the requested data, and they will be able to ‘stop the clock’ on the statutory response period while they wait for the individual to provide the information or clarification needed to deal with the request. These measures aim to reduce the administrative burden on businesses while maintaining individual rights.

Another significant revision concerns the exemption for ‘disproportionate effort or impossibility’ in providing information to individuals whose data was not directly collected from them. This exemption now applies to all types of processing and provides more clarity for organisations. For instance, historical records used for research purposes may not require direct notification if informing each data subject would be unreasonably difficult or impossible.

How are complaints handled under DUAB?

DUAB also introduces procedural changes aimed at resolving data-related complaints more efficiently. Controllers will be required to have a process for receiving complaints from data subjects, to acknowledge a complaint within 30 days and to respond to it without undue delay, and the ICO will be able to decline to deal with a complaint that has not first been raised with the controller. This approach is designed to resolve issues at the company level and reduce the regulatory workload on the ICO.

What are the changes to marketing and consent?

In the realm of marketing, DUAB names direct marketing as an example of a purpose that may amount to a legitimate interest, so organisations will be able to rely on that basis, effectively an opt-out approach, rather than on consent for some marketing activity. This is not a recognised legitimate interest: organisations must still carry out the balancing test to ensure that their interests do not override individuals’ rights, and the separate PECR rules on electronic marketing (consent, or the soft opt-in for existing customers) continue to govern email and SMS. Data subjects retain an absolute right to object to direct marketing, so they keep control over how their personal information is used for it.

One of the most impactful changes for businesses relates to data processing beyond its original purpose. DUAB sets out in the legislation when further processing is to be treated as “compatible” with the purpose for which the data was collected, and gives the government the power to amend that list by regulations. Additionally, the bill upholds the lawful basis for US law enforcement agencies to access UK telecommunications data in serious crime investigations, so that telecommunications businesses have a clear footing when handling cross-border law enforcement requests.

What does DUAB say about AI and automated decision making?

Perhaps the most controversial aspect of DUAB is its approach to automated decision-making and AI-driven data processing. Unlike UK GDPR as it stands, which prohibits solely automated decisions with legal or similarly significant effects on individuals unless a narrow exception applies, DUAB permits such decisions for most personal data, provided safeguards are in place: the individual must be told that the decision was made, be able to make representations, obtain human intervention and contest the decision. The stricter Article 22 regime continues to apply where special category data such as health or biometric information is involved. This shift could enable businesses to implement AI-driven profiling and employment screening, but those safeguards must be built into the process rather than bolted on afterwards. Overall the bill signals a more relaxed regulatory approach to AI compared to the European Union.

How is scientific research handled under DUAB?

Scientific research stands to benefit significantly from DUAB, with the definition of “scientific research” expressly covering commercial as well as publicly funded research, provided the activity can reasonably be described as scientific. The bill also allows ‘broad consent’ to an area of research where the specific purposes cannot be fully identified at the time of collection, so consent can continue to cover a project as it evolves, provided recognised ethical standards are maintained. By clarifying the definition of research and easing restrictions, the bill aims to foster innovation while maintaining public trust in data ethics.

What are the data protection rules around neurodata?

A notable point in the legislation concerns neurodata, information generated by devices or technologies that monitor or interact with the human brain or nervous system, from consumer wearables to neural interfaces. The bill does not itself add neurodata to the list of special categories of data; instead it gives the Secretary of State a power to add new special categories by regulations, and neurodata is the example most often cited for that power. Given the highly personal nature of this data, the ICO has already taken a proactive stance, flagging the need for heightened protections and ethical safeguards when processing neurodata.

How is the UK changing ePrivacy regulations?

DUAB also updates the UK’s ePrivacy regulations (PECR), modernising rules that originated from the EU’s 2002 ePrivacy Directive. A key update is that the rules on storing information on, or gaining access to information from, a user’s device are made technology-neutral, so they cover data collected automatically from devices, including IP addresses and device identifiers, whether it is gathered by cookies or by remote techniques such as server-side tracking. This aims to close loopholes that previously allowed tracking without user knowledge or consent.

Further ePrivacy changes introduce new exemptions for certain cookies and tracking technologies. In these cases user consent will no longer be required, provided that individuals receive clear information and are given a simple way to object. The exemptions include analytics cookies used to measure website performance, preference cookies that store user settings, and security-related cookies that detect fraud or protect the network. The government will have the authority to modify the cookie consent exemptions in the future, allowing for regulatory flexibility in response to technological advances and emerging privacy concerns.

How are enforcement measures changing in the UK?

DUAB significantly strengthens enforcement measures, particularly for direct marketing and cookie-related breaches of PECR. While PECR fines were previously capped at £500,000, under the new framework violations could incur penalties equivalent to those under UK GDPR: up to £17.5 million or 4% of a company’s total worldwide annual turnover, whichever is higher. This increased penalty structure serves as a strong deterrent against unlawful tracking and intrusive marketing practices.

What are Smart Data schemes under DUAB?

The bill also promotes Smart Data schemes, aiming to facilitate controlled and regulated data exchanges between businesses. Similar to the UK’s Open Banking initiative, Smart Data schemes could drive innovation and competition across industries such as energy and telecommunications. By establishing open standards and interoperability, businesses could enhance customer experiences, improve service customisation, and increase efficiency in switching providers. Organisations operating in sectors that may adopt Smart Data schemes should consider how this shift could impact their business models and customer relationships.

Preparing your organisation for the Data (Use and Access) Bill

1. Review data processing policies

Businesses should assess their current data processing practices in light of the new “recognised legitimate interests” basis. This includes reviewing data-sharing agreements, ensuring alignment with the new lawful bases, and updating policies to reflect the clarified exemptions for “disproportionate effort or impossibility.”

2. Update handling of data subject rights requests

With DUAB allowing organisations to ‘stop the clock’ on data subject access requests, businesses should revise internal procedures to ensure efficient responses while leveraging the new flexibility. Training staff on these changes will be critical in maintaining compliance and reducing administrative burdens.

3. Implement internal complaint resolution mechanisms

Since individuals must now raise complaints with businesses before approaching the ICO, organisations should strengthen their internal complaint-handling processes. Establishing clear channels for resolving data-related disputes will help mitigate regulatory scrutiny and potential fines.

4. Revisit marketing strategies and consent management

As DUAB allows legitimate interests, effectively an opt-out approach, to be relied on for some direct marketing, businesses should review their marketing strategies, document the balancing test for each campaign that relies on it, and check that PECR consent or soft opt-in requirements are still met for email and SMS. Organisations must also implement robust mechanisms for individuals to opt out of marketing communications easily.

5. Evaluate AI and automated decision-making processes

With DUAB expanding the use of AI in automated decision-making, businesses should assess their reliance on AI-driven profiling, hiring, and other processes. Implementing safeguards such as human review mechanisms and appeal options will be essential to avoid compliance risks.

6. Ensure compliance with new ePrivacy regulations

DUAB introduces changes to cookie consent rules and tracking technologies. Businesses should update their website cookie policies, ensure transparency in data collection, and prepare for potential future modifications to consent exemptions.

7. Strengthen data security measures for neurodata

Given that neurodata is widely expected to be treated as a special category of sensitive data, and that the bill gives the government the power to designate it as such, businesses involved in wearable technology, neural interfaces or similar fields should implement enhanced security measures and ethical guidelines now so that they can handle this data responsibly.

8. Prepare for stricter enforcement measures

With fines for ePrivacy violations now aligning with UK GDPR levels, businesses should review their data protection compliance frameworks to mitigate risks. Conducting internal audits, revising data protection impact assessments (DPIAs), and maintaining accurate documentation will be crucial in avoiding severe financial penalties.


How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Personal data breaches that are likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours, each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
