The Data (Use and Access) Bill (the “DUA Bill”) was introduced on 23 October 2024 and if enacted, is set to implement one of the most substantial shake-ups the UK has seen in recent years in terms of the use of, access to, and safeguarding of, data and data assets.

The DUA Bill follows on from the previous iteration of the Data Protection and Digital Information Bill of the former government and has implications for a variety of businesses across the public and private sectors, with particular focus on financial services. In this blog, we take a look at some of the key objectives behind the DUA Bill, and how it might impact data use in the future if enacted.

Much of the provisions of the DUA Bill retains the new digital services first introduced by the previous Data Protection and Digital Information (No.2) Bill in substantively the same form, including the digital verification services, the national underground asset register and the digital registration of births and deaths.

The Bill also seeks to update the current data privacy regime under the UK GDPR. Some of these changes have been inherited from the previous bill, but others are new. Some key points to note for data protection practitioners include:

• Fines for breaches of the e-marketing and cookies rules under the Privacy and Electronic Communications (EC Directive) Regulations 2003 are still going up to the same level as fines for breaches of the UK GDPR.
• However, there are no changes to the accountability requirements, which means the role of the Data Protection Officer and requirements for records of processing activities and data protection impact assessments will stay at the status quo.
• The concept of a vexatious DSAR has been dropped, but the Bill does seek to codify some useful practical points which are typically adopted in practice in any event (such as the requirement to conduct “reasonable and proportionate” searches).
• There are some key changes made to the structure of the ICO, which will instead be an Information Commission with a CEO and Board instead of a public officer.

The progression of the Bill through Parliament will have a direct bearing on how the European Commission assesses the UK as part of its adequacy findings. Maintaining a finding of adequacy ensures the continued free flow of data to the UK from European organisations, and while there are no immediate concerns being voiced in this regard, much will depend on the final form of the legislation that is enacted following the Bill (which may come into force around the same time the current EU-UK adequacy decision expires – in Spring / Summer 2025).

At a more practical level, business will need to be alert to how many of these changes may impact on how they currently process and respond to requests regarding personal data. Some of the changes certainly represent a decreased burden on businesses but for those who worked through the previous data protection reform to update internal governance and processes, this will feel like familiar territory.

If you’d like to discuss how the Bill might impact your organisation please get in touch with a member of our data privacy team.

Related News, Insights & Events