Having passed its final hurdle in the House of Lords on Wednesday, 11 June 2025, the Data (Use and Access) Bill (DUA Bill) is now cleared to receive Royal Assent and be passed into law. Once enacted, the DUA Bill will be known as the Data (Use and Access) Act 2025 (DUA Act). The DUA Act will make several amendments to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Privacy and Electronic Communications Regulations (PECR).
The Act introduces several key changes, including limitations to Subject Access Requests (SARs), the introduction of recognised legitimate interests, and modifications to rules relating to automated decision-making (ADM). Other UK GDPR amendments include revisions to international data transfers, purpose limitation, scientific research and enhanced protections concerning children's data. The Act also relaxes rules governing the use of cookies and aligns fines for non-compliance with PECR with those of the UK GDPR. In terms of criminal law enforcement processing under Part 3 of the DPA18, the Act clarifies the definition of consent, aligns response times for data subject rights with those of the UK GDPR and introduces additional requirements to codes of conduct for competent authorities. Meanwhile, the Information Commissioner's Office (ICO) will undergo significant organisational changes and will now be known as the Information Commission.
The UK government believes its legislative amendments will encourage innovation and enhance public trust without jeopardising the UK's vital data adequacy status with the European Union. This assumption has yet to be confirmed. While many of the provisions contained within the DUA Act are technical in nature, they are nonetheless significant in several important areas and require careful consideration.
This one-day course is intended for UK-based practitioners who are required to maintain their expert knowledge of data protection law. Considering that the amendments contained within the DUA Act further diverge the UK from EU standards, practitioners with responsibilities in both legal jurisdictions will find this course particularly beneficial for maintaining compliance with the two separate GDPR frameworks.
Note: the Act also introduces several new data-related provisions covering areas such as smart data, digital verification services, and healthcare data. As these new provisions will require secondary legislation, they are not covered in this session.
The course covers:
Introduction:
- A brief summary of the Data (Use and Access) Act's passage into law
- Expected timeframes before most provisions can take effect
Changes to the UK GDPR & DPA18:
- Subject Access Requests (SARs)
- Data subject rights' response times (Part 3 DPA18)
- Definition of consent (Part 3 DPA18)
- Recognised legitimate interests
- Automated Decision Making (ADM)
- International data transfers
- Children's data
- Purpose limitation
- Research, archive, and statistical (RAS) purposes
- Enforcement
- Codes of conduct for competent authorities (Part 3 DPA18)
Changes to the PECR:
- Low-risk cookies and similar tracking technologies
- Personal data breach reporting
- Charities' fundraising activities and the soft-opt in
- Enforcement
- Monetary penalties
- Codes of Conduct
Changes to the Information Commissioner's Office (ICO):
- Information Commission (IC)
- New board structure consisting of executive and non-executive members
Implications for UK Adequacy:
- UK divergence from EU GDPR and Law Enforcement Directive standards
- Upcoming re-evaluation of the UK's two adequacy decisions
