The Data (Use and Access) Bill is set to bring significant changes to the UK’s data protection framework. This article explains the main objectives, key modifications, and practical steps organisations in the UK should take to prepare for the Data Use Bill changes.
Data Use Bill Changes: What’s new for the UK?
The Data (Use and Access) Bill aims to streamline data usage across sectors such as healthcare, law enforcement, and digital services in the UK. It will replace the Data Protection and Digital Information Bill (DPDI) and is designed to:
- Enhance public services like the NHS and policing through improved data sharing.
- Simplify data protection requirements to reduce administrative burdens and free up millions of hours for public sector staff.
- Stimulate economic growth, with an expected £10 billion boost to the UK economy over ten years.
A strengthened Information Commissioner’s Office (ICO) will support the Bill, with new enforcement powers and a revised structure.
Key modifications to UK Data Protection
The Bill will modify certain provisions within the UK GDPR and DPA 2018, rather than replace them.
Key Data Use Bill changes include:
- Recognised Legitimate Interests:
The Bill introduces a new legal basis for data processing, allowing certain activities (e.g., fraud prevention, public safety) to be considered legitimate interests by default. - Automated Decision-Making:
Restrictions on automated decision-making will relax for low-risk scenarios, but remain for special category data. - International Data Transfers:
Personal data can flow more easily to countries with equivalent protection, assessed by a new ‘data protection test’. - Cookie Consent Requirements:
Consent will only be needed for fewer low-risk cookies, reducing consent fatigue. This includes cookies for fraud prevention and analytics. - Subject Access Requests (SARs):
Organisations will only need to conduct “reasonable and proportionate” searches, reducing the administrative burden. - Use of Copyrighted Material:
An amendment requiring AI companies to comply with British copyright law was rejected. This means creative industries’ works can be used without permission unless rights owners opt out.
What do the changes mean for UK organisations?
Although the final version is still under consideration, the Bill is expected to receive Royal Assent later this year1. Its provisions will impact a broad range of stakeholders across the UK.
Organisations should consider these actions:
- Review Data Processing Activities: Check if current data uses align with the new ‘recognised legitimate interests’ basis.
- Update Data Protection Policies: Reflect changes in automated decision-making, SAR procedures, and data rights complaints.
- Monitor International Data Transfers: Review data sent outside the UK and stay informed about the new ‘adequacy’ and data protection test.
- Engage with Stakeholders: Businesses in creative industries should engage with policymakers on intellectual property rights.
- Review Cookies: Align cookie collection with the new rules for lower-risk activities.
Final thoughts on the Data Use Bill changes
The Data Use Bill changes will modernise the UK’s data protection framework, making it easier to share data for public benefit while reducing burdens on organisations. By reviewing your processes and updating policies, you can ensure compliance and make the most of the new opportunities.
Ready to prepare for the Data Use Bill changes?
Contact our team for expert guidance on updating your UK data protection strategy.
Contact Us01926 800710
Article by
Kirren Barrie
Risk & Compliance Specialist, Risk Evolves
