Understanding the Data (Use and Access) Act 2025

After three years of delays and failed Bills resulting in parliamentary purgatory, the Data (Use and Access) Bill (DUA Bill) has successfully cleared its final hurdle in the House of Lords and is scheduled to receive Royal Assent on Thursday, 19 June 2025. Once the Bill is granted Royal Assent, it will be known as the Data (Use & Access) Act 2025. 

The DUA Act will introduce several amendments to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Privacy and Electronic Communications Regulations (PECR).  

The Act introduces several key changes, including limitations to Subject Access Requests (SARs), the introduction of recognised legitimate interests, and modifications to rules relating to automated decision-making (ADM). Other UK GDPR amendments include revisions to international data transfers, purpose limitation, scientific research and enhanced protections concerning children's data. The Act also relaxes rules governing the use of cookies and aligns fines for non-compliance with PECR with those of the UK GDPR. In terms of criminal law enforcement processing under Part 3 of the DPA18, the Act clarifies the definition of consent, aligns response times for data subject rights with those of the UK GDPR and introduces additional requirements to codes of conduct for competent authorities. Meanwhile, the Information Commissioner's Office (ICO) will undergo significant organisational changes and will now be known as the Information Commission.

The UK government believes its legislative amendments will encourage innovation and enhance public trust without jeopardising the UK's vital data adequacy status with the European Union. This assumption has yet to be confirmed. While many of the provisions contained within the DUA Act are technical in nature, they are nonetheless significant in several important areas and require careful consideration.   

This one-day course is designed for experienced UK-based practitioners with a solid understanding of the UK GDPR, DPA18 and PECR, and who are required to maintain their expert knowledge of data protection law. Given that the amendments contained within the DUA Act further diverge the UK from EU standards, practitioners with responsibilities in both legal jurisdictions will find this course particularly beneficial for maintaining compliance with the two separate GDPR frameworks.

Introduction:

• A brief summary of the Data (Use and Access) Act's passage into law
• Expected timeframes before most provisions can take effect 

Changes to the UK GDPR & DPA18:

• Subject Access Requests (SARs)
• Data subject rights' response times (Part 3 DPA18)
• Definition of consent (Part 3 DPA18)
• Recognised legitimate interests
• Automated Decision Making (ADM)
• International data transfers
• Children's data
• Purpose limitation
• Research, archive, and statistical (RAS) purposes
• Codes of conduct for competent authorities (Part 3 DPA18)

Changes to the PECR:

• Low-risk cookies and similar tracking technologies 
• Personal data breach reporting
• Charities' fundraising activities and the soft-opt in
• Codes of Conduct

Changes to the Information Commissioner's Office (ICO):

• Information Commission (IC)
  • New board structure consisting of executive and non-executive members
• Enhanced investigatory powers to:
  • Compel witnesses to attend interviews
  • Require organisations to produce technical reports
•  Powers to issue fines under PECR of up to £17.5 million or 4% of global turnover in line with UK GDPR

Implications for UK Adequacy:

• UK divergence from EU GDPR and Law Enforcement Directive standards
• Upcoming re-evaluation of the UK's two adequacy decisions

Book this 1-day course on understanding the Data (Use and Access) Act 2025:

£395_+VAT

Package includes:

• Short, 1-day live online training course
• 1-day in-company training options 
• Experienced instructor
• eBook course manual (see here for eBook features & print options)
• Full course PowerPoint presentation