Data (Use and Access) Bill

The Data (Use and Access) Bill was introduced to Parliament on 23 October 2024. It aims to modernise the UK’s approach to data regulation, with a variety of proposed amendments to the existing UK General Data Protection Regulation (GDPR) and the Data Protection Act (2018). 

Sponsored by the Department for Science, Innovation and Technology (DSIT), the Bill focuses on updating the law in key areas, including improving health data standards, refining the rules on cookie deployment, and revising the scope of the rules on automated decision-making. 

This page explains the key differences between the UK General Data Protection Regulation (UK GDPR) and the newly proposed UK Data (Use and Access) (DUA) Bill.

From DPDI to DUA: A brief background 

The DUA Bill builds on many of the ideas, provisions and objectives of the abandoned Data Protection and Digital Information (DPDI) Bill, but leaves out the most controversial aspects of that earlier proposal. 

Initially proposed as a comprehensive overhaul of the UK's data protection laws, the DPDI Bill faced considerable opposition. It was ultimately shelved when Rishi Sunak's government called a general election in May 2024 and the Bill fell at the end of the parliamentary session.  

Learn more about the abandoned DPDI Bill here 

What are the proposed changes to the current UK data protection laws? 

The Data (Use and Access) Bill introduces several reforms to the UK GDPR. These include restructuring the Information Commissioner's Office (ICO), provisions to simplify the handling of Data Subject Access Requests (DSARs), changes to the rules on automated decision-making, and measures to strengthen data security and data protection in the health and care sector. 

A detailed overview of the key data protection changes can be found in the table below. 

Additionally, read our news story on the implications for the Health sector with comments from Lawrence Carter, DPO and Life Sciences Sector Lead. 

UK GDPR VS DUA BILL

Legitimate interests
UK GDPR: Requires a balancing test (known as a Legitimate Interest Assessment, or LIA) for all processing under this lawful basis.
DUA Bill: Introduces a closed list of 'recognised legitimate interests' (such as national security, public security and defence, responding to emergencies, preventing or detecting crime, and safeguarding vulnerable individuals) for which no balancing test is required. Separately, direct marketing, intra-group transfers for internal administration, and network and information security are named as examples of purposes that may constitute a legitimate interest, although processing for these purposes still requires the balancing test.

Scientific research
UK GDPR: Broad interpretation, with examples in the recitals such as "technological development and demonstration, fundamental research, applied research, and privately funded research".
DUA Bill: Expands and clarifies the definition of scientific research to explicitly include both commercial and non-commercial research, provided it can reasonably be described as scientific.

Further processing of personal data for scientific research purposes
UK GDPR: Allows further processing of personal data where it is compatible with the original purpose.
DUA Bill: Updates the consent provisions so that research participants can give broad consent to an area of scientific research where the specific purposes cannot be fully identified at the time, making it easier for clinical trial sponsors and other researchers to reuse data for scientific research purposes.

DSARs
UK GDPR: Gives individuals the right to access the personal data that organisations hold about them.
DUA Bill: Clarifies how DSARs must be handled, including that organisations need only carry out a reasonable and proportionate search for the requested data, and that the statutory time limit is paused while the organisation verifies the requester's identity or seeks clarification of the request.

International data transfers
UK GDPR: Transfers of personal data outside the UK must rely on appropriate safeguards, such as Binding Corporate Rules (BCRs), the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), unless the destination is covered by an adequacy regulation.
DUA Bill: Codifies a 'data protection test' for adequacy, under which the standard of protection in the third country must not be materially lower than that in the UK. This may provide an easier pathway to future adequacy decisions by the Secretary of State.

UK regulator
UK GDPR: The Information Commissioner's Office (ICO) is an independent body established to uphold information rights.
DUA Bill: Restructures the ICO as the Information Commission, a body corporate with a formal board of executive and non-executive members, intended to improve governance and accountability.

Automated decision-making
UK GDPR: Article 22 places strict restrictions on solely automated decision-making, including any AI system, that produces legal or similarly significant effects on individuals.
DUA Bill: Narrows the restrictions so that the prohibition applies only to significant decisions based solely on automated processing of special category data. Other solely automated significant decisions become permitted, subject to safeguards such as informing the individual, allowing them to make representations, obtaining human intervention, and contesting the decision.

Cookies
UK GDPR / PECR: Except for 'strictly necessary' cookies, all cookies and similar technologies require informed consent before they are set.
DUA Bill: Aims to reduce the frequency of cookie pop-ups for UK users by removing the consent requirement for specified low-risk purposes, such as collecting statistical information about how a website is used, with users still able to object.

PECR fines
UK GDPR / PECR: Fines under the Privacy and Electronic Communications Regulations (PECR) are currently capped at £500,000.
DUA Bill: Brings the maximum PECR fine into line with the current UK GDPR thresholds (up to £17.5 million or 4% of global annual turnover for the preceding financial year, whichever is higher).

The DPO Centre is monitoring the progress of the Bill and will share updates as soon as new information becomes available.   
