Today the UK Data (Use and Access) Bill (DUAB) became the Data (Use and Access) Act 2025 (the Data Act), following much to-ing and fro-ing in Parliament.
Not surprisingly, this to-ing and fro-ing was not without its own controversy, none of which actually centred on data per se, but rather on copyright and AI. The issue was subsequently postponed by the House of Lords, allowing the Bill to pass to Royal Assent on the basis that the Government will produce a report on its copyright and AI proposals, including enforcement and concerns surrounding AI models trained abroad.
The situation is compounded by the fact that we are awaiting the judgment of the High Court in Getty Images v Stability AI (adding weight to the Government’s argument that a decision on the copyright and AI issues should be deferred). The Government is to produce a report on the matter within nine months, with an interim report to be produced within six months.
Moving on to the Act, there is no need for panic: this is not a revision of the UK GDPR nor a complete overhaul of data protection laws, as many of the more controversial reforms proposed under the previous UK government in its Data Protection and Digital Information (DPDI) Bill were dropped.
Further, organisations have time to prepare – the usual 12-month lead-in timescales are likely to apply to allow organisations to make changes to their policies and procedures and get matters in order – meaning that the changes are likely to be phased in between June 2025 and June 2026.
The Bill does make some changes to the UK GDPR and the Privacy & Electronic Communications Regulations (PECR). The level of impact varies depending on the sector in which you operate and the nature of your data processing activities. Whilst some are significant, there is no need for panic – key data protection principles and fundamental obligations remain unchanged. The majority of the Act will be brought in by secondary legislation, so it is essentially business as usual whilst these regulations are drafted and introduced.
In terms of practical steps organisations would do well to focus upon the following areas:
Data Subject Access Requests
- The insertion of a new Article 12A into the UK GDPR establishes a more specific outline of time periods for handling a DSAR depending on whether the controller requires confirmation of the requestor’s identity and/or further information about the processing activities under the DSAR.
- Proportionality: controllers should be able to take some comfort as they can now point to the Act itself, rather than guidance from the regulator, which confirms that the “data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information”. What that means in practice is up to interpretation – bring on the case law!
- One significant change is that where organisations withhold information based on legal professional privilege or client confidentiality, they must now explicitly inform the data subject about: (i) the specific exemption being applied; and (ii) the reason for applying this exemption. Additionally, data subjects gain a new right to request that the ICO review how any such exemptions have been applied to their case.
- Controllers will have to update template DSAR response letters to include the additional information required to cover privilege or confidentiality exemptions, develop internal processes to document the consideration and balancing of exemptions, and modify DSAR handling and complaints procedures accordingly.
- Another significant change is that organisations will now be required to handle complaints from data subjects in the first instance, providing a complaints form and initially addressing complaints within 30 days, so internal policies and procedures will have to be adapted to take this into consideration.
Cookies and PECR Fines – identify which cookies on your platforms may qualify as “low-risk” and prepare to update cookie notices and banners to provide clear information about usage.
- Organisations will no longer need explicit consent for these low-risk cookies, provided they: (i) supply users with clear information about the cookies being used; and (ii) offer a straightforward opt-out mechanism.
- The Act introduces significantly harsher penalties for breaches of the marketing rules. The maximum fine will increase dramatically from the current £500,000 to £17,500,000 or 4% of the organisation’s total annual worldwide turnover for the preceding financial year, whichever is higher, aligning PECR penalties with the existing UK GDPR framework.
Automated decision-making (ADM) – review your use of ADM in light of new definitions and permissions, and revise your process and policies accordingly.
- The Data Act introduces a more flexible regime for using ADM, with ADM involving special category data remaining subject to a stricter regime. It also introduces new terminology such as a “significant decision” and “meaningful human involvement”, together with a revised set of safeguards for ADM involving any personal data.
Other areas to watch include:
- Data Transfers – changes include the ability of the Secretary of State to approve third countries, and the introduction of a data protection test to assess whether the third country or international organisation has a standard of data protection ‘not materially lower’ than that in the UK.
- Organisations carrying out scientific research and looking to use data for further processing should refer to the definition of consent and to the new definitions added to the UK GDPR.