The Data (Use and Access) Bill (DUA Bill) was introduced in October 2024 and marks an important step in the UK government's push to modernise data protection. With this DUA Bill, the government aims to balance innovation and privacy, proposing new standards for how businesses may collect, use, and share data.
The government’s goal is to create a modern, flexible framework that supports data-driven innovation across the UK while maintaining robust privacy protections.
This proposed legislation seeks to introduce clearer guidelines on data usage and rights, which could help businesses leverage data more confidently and responsibly.
Here’s what you need to know about the bill and how it may impact your business.
What could the DUA Bill mean for your business?
The King’s Speech in 2024 announced a comprehensive agenda for data reform, leading up to the DUA Bill. This proposed law offers a unique approach to data practices by encouraging streamlined data sharing and stronger data rights.
The proposed DUA Bill introduces practical frameworks for ‘smart data’ schemes and digital verification services, in addition to several other key changes. These changes proposed by the Bill aim to simplify processes for both businesses and individuals, enhancing convenience and security.
Importantly, the DUA Bill proposes specific updates to existing data protection laws, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
What are the key changes for businesses?
While the DUA Bill would bring several changes, here are some key data protection law changes which could impact businesses:
- How will ‘recognised legitimate interests’ impact business? The DUA Bill introduces a new legal basis for processing data called ‘recognised legitimate interests’. This could simplify compliance by removing the need for a full legitimate interests assessment in certain scenarios. For example, safeguarding vulnerable individuals may no longer require detailed assessments, which could ease processes for some organisations. However, businesses must carefully avoid misapplying the limited scope of these recognised interests, as they have restricted contexts and are likely to be of limited relevance in many cases.
- How would international data transfer rules change? The DUA Bill establishes a new test for international data transfers. Businesses that operate internationally may need to adapt their compliance practices to meet the new requirements. International data transfer rules have already seen a lot of changes over the last few years, with more potential changes on the horizon.
- What about responding to data subject access requests (DSARs)? DSARs (often an administrative headache) may become less burdensome in practice. The DUA Bill will codify the requirement for data controllers to conduct only reasonable and proportionate searches when responding to DSARs, which can help reduce administrative burdens—especially for complex requests. This approach reflects existing Information Commissioner’s Office (ICO) guidance but codifies it into law.
- How about cookie laws and consent rules? The DUA Bill could eliminate the need for consent for certain non-intrusive cookies and similar technologies. This change could significantly reduce consent popups and improve user experiences. However, businesses must carefully assess the criteria before applying this exemption, as it won’t cover all cookies, and there may be a need to reassess cookie compliance measures.
- How would PECR enforcement and penalties change? Significantly, the DUA Bill proposes aligning penalties under PECR with UK GDPR, allowing fines for breaches to increase to as much as £17.5 million, or 4% of global turnover (whichever is higher). Businesses must ensure full compliance with PECR’s rules to avoid these much heavier penalties.
- What about automated decision-making? The proposed DUA Bill relaxes certain rules around automated decision-making but still imposes strict limitations when special category data is involved. The proposed changes aim to enable broader use of automated processes while retaining safeguards.
- Will there be more special category data? The DUA Bill empowers the Secretary of State, with Parliament’s approval, to expand the list of special category data and adjust the rules for processing it. These changes could impose stricter protections and increase compliance obligations for businesses.
- Could the regulator have more powers? The DUA Bill would restructure the Information Commissioner’s Office as a new corporate body called the Information Commission. The Information Commission would exercise enhanced investigatory and information-gathering powers, which would increase its ability to enforce data protection laws. These changes could place greater scrutiny on businesses as the regulator’s powers grow.
What should your business do now?
Given the DUA Bill’s scope and potential changes, your business should monitor its progress and start to assess how it could impact you operationally. You may need to adapt quickly to meet new legal requirements. Staying informed and regularly reviewing your current data practices will help you stay ahead and be prepared to accommodate any new rules.
Our Senior Commercial Technology & Data Protection Solicitor, David Sant, comments:
As the DUA Bill makes its way forward, businesses should start to think about the potential changes and risks it introduces, e.g., the potential introduction of new special categories of data and the regulator’s increased powers. Whilst some elements of data protection laws might be more relaxed, businesses should pay particular attention to the significant shifts such as increased penalties under PECR (whose rules on cookies and direct marketing catch many businesses). Preparing early can mitigate risk by helping your business plan ahead to adapt effectively, but we are still early in the process and could still see further changes to the proposed law – so keep a close eye and watch this space while we await further developments.
The DUA Bill recently passed its second reading in the House of Lords and will now proceed to the Lords’ Grand Committee, which is scheduled to start on 3 December 2024. We will report further on these developments as they unfold.
Our data protection team can provide more detailed guidance on how to future-proof your data practices ahead of the DUA Bill and its potential changes. We’re here to help you navigate these changes and leverage the power of data responsibly and confidently in your business.