The Data (Use and Access) Bill has finally passed to Royal Assent stage, where it will soon be enshrined into law as the Data (Use and Access) Act 2025. Building on the foundations of the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR), this new legislation aims to modernise data governance to better align with the UK’s post-Brexit economy.
The Data (Use and Access) Act marks the culmination of a long and turbulent legislative journey. It began under the Conservative government with the Data Protection and Digital Access (DPDI) Bill, which was first introduced in 2022 but ultimately failed to pass before the 2024 general election.
In October 2024, the incoming Labour government introduced a revised version – the Data (Use and Access) (DUA) Bill. While much of the original content was retained, some of the more controversial provisions were removed or softened to gain wider political support.
Still, the Bill’s journey was far from smooth. It faced extended ‘ping-pong’ between the House of Commons and the House of Lords, with peers challenging the government’s rejection of several key amendments, especially around AI transparency and the use of copyrighted data in model training.
The final compromise
Although most of the Lords’ amendments were overturned by the Commons, a compromise was struck, and the government agreed to publish reports on its AI and copyright proposals within nine months of Royal Assent.
Rather than a complete departure from existing frameworks, the DUA Act represents a targeted evolution of the current regime.
Ben Seretny, Head of DPOs and DPO at The DPO Centre, shares his perspective:
‘The final version of the DUA Bill feels more like a careful update than a radical overhaul of the UK GDPR and Privacy and Electronic Communications Regulations (PECR) frameworks.
‘There are some notable developments, including the introduction of recognised legitimate interests, a broader definition of scientific research, and clearer guidance on further processing. These changes could help organisations find more flexibility in how they use and build value from their data.
‘But while some areas are now clearer, others may introduce uncertainty. In particular, the Bill gives the Secretary of State more power to decide which countries have data protection standards that are not “materially lower” than the UK. This shift in language may concern the European Commission, which is due to review the UK’s adequacy status later this year.’
Key updates for UK data legislation:
Read more on the details: UK GDPR versus the DUA Bill
Organisations are advised to take a measured, strategic approach while an enforcement date is confirmed. The DPO Centre recommends avoiding any immediate or rushed changes until the full scope of the legislation is reviewed and official guidance is published.