
After a legislative reform that has seen four different Prime Ministers, three different Bills and many deliberations across both Houses of Parliament, the UK is now on course to introduce some changes to the data protection framework it created while still in the European Union. Time will tell if these changes deliver a more effective framework or indeed a substantially different one, but for now, the Data (Use and Access) Act (“Act”) – passed by Parliament on 11 June 2025 – culminates a process aimed at harnessing the power of data for economic growth while preserving European standards of data protection.
Once given Royal Assent, the Act will bring in targeted changes to UK data protection affecting the whole suite of existing laws in this area – the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
There are also provisions for digital verification and smart data schemes. For changes which impact copyright and AI, see UK Data (Use and Access) Bill: copyright clauses finally agreed.
Although some changes are technical, or simply reflect existing regulatory guidance, some may have a greater impact on data protection compliance programmes, particularly for organisations who have already aligned their compliance programmes to the EU GDPR. In this article, we focus on the five which we think will have the greatest impact.
The overall structure of the approach to data transfers remains broadly the same as under the UK GDPR, with one notable change.
The Act creates a ‘data protection test’ which will be used by the Secretary of State to assess whether a third country or international organisation has a standard of data protection “not materially lower” than that in the UK. This could lead to a situation where the UK and the EU apply different standards for their respective adequacy decisions, which in itself could then have a knock-on effect on how they regard each other’s frameworks. But in practice, adequacy decisions by both the UK and the EU are likely to remain aligned.
Organisations would be wise to bring cookie and direct marketing rules back to the top of their agenda (and not only in the UK – see our podcast here on the global challenges).
No longer will the maximum fine be £500,000. Fines under PECR will increase to align with UK GDPR levels – up to £17.5m or 4% of annual worldwide turnover (whichever is greater).
While that will encourage organisations to turn up the heat on these parts of their compliance programmes, at least Parliament saw fit to leave us with a few sweet treats. The Act introduces exemptions from the cookie consent requirement where the deployment and use of cookies poses a low risk to user privacy. These include circumstances where cookies are deposited solely for statistical purposes (e.g. analytics), where they are strictly necessary to ensure security, and to prevent or detect fraud.
Another helpful change is that the reporting timeframe for personal data breaches for service providers under PECR has also been extended from the rather impractical 24 hours, to the more reasonable (and at least aligned to UK GDPR) deadline of 72 hours.
The UK’s rules on automated decision making will now diverge from those in the EU. The prohibition and associated exemptions on solely automated decisions that have legal or similarly significant effect have been relaxed so that they only apply when using special category data. However, even those organisations not using special category data should note that some safeguards remain – transparency and the ability to contest the decision remain key. With these changes, which are possibly the boldest from a drafting perspective, the UK is seeking to recognise the mainstream nature of automated decision making and sharpen its risk-based approach to such practices.
We will leave readers to decide how they want to abbreviate the Information Commission’s new and shorter name (“I-see” presumably being more palatable than the alternative, “Ick”) but one thing is certain: their enforcement team is going to need new jackets!
Speaking of enforcement, the IC will have new powers to require the preparation of expert reports, which the IC can dictate regarding form and content, and which the processor/controller must pay for. It will also have the power to issue interview notices, which may be issued to anyone in the organisation, as well as current and former employees, with no time limits as to how long ago a person may have been employed by the relevant organisation.
In addition, it will be an offence to make a knowingly false statement in response to an interview, and the IC will have the power to impose a penalty notice for failure to comply with an interview notice.
The result is that organisations may need to plough more resources into investigations and give even more careful consideration than ever to how they respond to questions and handle interview preparation.
There are several changes to data protection rights, but for the most part these merely codify existing regulatory guidance. For example, the Act makes it clear that the “clock is stopped” when a controller asks for clarity on the scope of a subject access request, and controllers only need to comply with DSARs on the basis of ‘reasonable and proportionate’ searches.
One point to note is that the Act introduces a new ‘right to complain’ – a statutory right for individuals to file UK GDPR-related complaints with data controllers, who must respond within the specified timeframes. The most immediate impact of this new right is that controllers should now mention it in their privacy notices and make means available for complaints to be made.
Some will ask why we have not listed the changes to legitimate interests assessments in our top 5. The creation of a new Article 6 UK GDPR legal basis of “recognised legitimate interests” was supposed to bring some simplicity to compliance by introducing a list of legitimate interests for which no balancing test is required. Whilst it is correct that no LIA would need to be completed for “prevention and detection of crime” and “safeguarding vulnerable individuals” (among others), ultimately, this represents a fairly narrow set of cases and reliance on this legal basis will not absolve the controller from considering wider principles and the UK GDPR as a whole. For example, where a controller relies on legitimate interests to protect children online, it must still ensure the processing is lawful (in the broader sense), fair, transparent, and respects purpose limitation, data minimisation, data subject rights etc. in respect of the personal data of its users more broadly.
Having patiently witnessed the evolution of this legislative process, what it really shows is that the appetite for wholesale or radical changes to the UK data protection framework just seven years after the GDPR is simply not there. This is partly due to the fact that the ‘Brussels effect’ is still present when it comes to mature data protection laws – not least in the form of a much-covered adequacy decision by the European Commission – and partly due to the fact that the GDPR is in fact an evolving law that, when properly interpreted, is perfectly compatible with technological innovation and economic growth.
As we approach the second half of 2025 and the provisions of the Act start to take effect through ministerial statutory instruments, the European Commission will need to take a view on whether the changes introduced have any effect on its renewal of the UK adequacy decision, while those tasked with ensuring compliance will focus on how to adapt their practices and programmes to the subtle nuances of the new regime.
Authored by Eduardo Ustaran, Robert Fett and Ciara Monaghan.