Changes to the Data Protection Act and UK GDPR: What Your Business Needs to Know

In Short

  • The Data (Use and Access) Bill aims to modernise UK data protection laws, with changes that may simplify compliance or increase risks for businesses, such as higher fines for breaches.
  • Key changes include clarification on legitimate interests, automated decision-making, and international data transfers, along with increased enforcement under PECR.
  • To stay compliant, businesses must monitor legislative updates, follow ICO guidance, and seek legal advice to adapt to new obligations.

Tips for Businesses

Stay up to date with potential changes in data protection law by following ICO updates, monitoring government announcements, and seeking legal advice. Ensure your business complies with current data protection regulations and prepares for the upcoming changes in the Data (Use and Access) Bill. This proactive approach helps minimise risks and avoid penalties.

Data protection laws can change quickly, and the UK has seen significant changes since the introduction of the GDPR – with further developments following Brexit. To remain compliant and avoid risk, your business should stay updated with changing data privacy laws and adapt its processes and procedures accordingly. Legal changes can impact your obligations and may also increase regulatory risks. One key current development is ‘the Data (Use and Access) Bill’, which aims to modernise UK data protection laws. If your business processes personal data, you must understand what this bill may mean and how its potential changes could affect your compliance obligations. This article explores the importance of data protection law compliance, some key changes under the bill, and how your business can stay informed and on top of changes in data protection law rules. 

What is the UK’s Current Data Protection Law Regime?

UK GDPR and the Data Protection Act 2018 form the key legal framework for businesses processing personal data. These laws set out mandatory compliance requirements – which may vary depending on your data processing activities.

Your business should map its data flows and conduct a data audit or gap analysis to determine which legal rules apply. Compliance requirements depend on factors such as whether your company acts as a data controller or processor, the nature and sensitivity of the data it processes, and the level of risk involved. A data protection lawyer can assess your business’s processing activities and provide tailored legal guidance on what your business needs to do to comply.

If your business fails to comply, the consequences can be severe. The Information Commissioner’s Office (ICO) enforces these laws and has various powers (e.g., to investigate breaches, issue fines, and impose enforcement notices). For example, the ICO can impose fines of up to £17.5 million or four per cent of global turnover, whichever is higher, for the most serious breaches. Non-compliance can also result in complaints, legal claims, and reputational damage. Prioritising compliance is therefore essential to avoid risk and build strong and responsible data practices.

What is the Data (Use and Access) Bill?

The UK government introduced this bill in 2024 to help modernise data protection laws and promote responsible data use. The bill builds on but does not replace the UK GDPR and the Data Protection Act 2018. Instead, it introduces key provisions and reforms that aim to balance innovation and privacy protections so businesses can use data effectively while maintaining legal safeguards.

Some proposed changes are likely to simplify compliance, while others may be more onerous for businesses. If Parliament approves the bill, businesses must carefully review and prepare for any new obligations and changes in their data protection processes, policies, or procedures.

Potential Changes

A summary of some potential changes which may be relevant to small businesses includes: 

  • Legitimate Interests: The bill clarifies specific activities that may automatically constitute a legitimate interest, e.g. direct marketing; 
  • Recognised Legitimate Interest: Certain processing activities will be classed as ‘recognised legitimate interests’ under the bill, e.g. safeguarding national security. This means a full legitimate interests balancing test will not need to be undertaken; 
  • Data Subject Access Requests (DSARs): When responding to DSARs, controllers must conduct searches that are reasonable and proportionate; 
  • Cookies: The bill proposes limited exceptions to the rules around consent in certain cases for particular types of cookies; 
  • PECR Enforcement: Significantly, the bill would align PECR’s enforcement regime with UK GDPR, increasing the maximum fines the ICO can issue for breaches to up to £17.5 million or 4% of global turnover. This is a significant change and a considerable risk for businesses that fall into breach of PECR; 
  • Automated Decision-Making: The bill relaxes some restrictions on automated decision-making, which may help businesses deploying AI; 
  • Complaints Process: There are new rules around individuals having rights to complain and controllers facilitating them; 
  • International Data Transfers: The bill introduces a data protection test for assessing the adequacy of data protection in third countries. This new test provides a more flexible framework for international data transfers but could impact the UK’s EU adequacy decision in 2025; and
  • Soft Opt-In for Charities: The bill would extend the soft opt-in exemption to charities in certain cases, a welcome development for the charity sector. 

The bill is progressing quickly through Parliament, and its progress and latest position can be tracked on the UK Parliament website.

Businesses should take the time to understand the potential changes so that, if implemented, they can quickly adapt their compliance to any changed obligations. 

How Can Your Business Stay Updated on Data Protection Law Changes?

Your business should aim to keep up with changes in data protection law to remain compliant with its legal obligations. Failing to do so could result in various adverse consequences and penalties.

While the rules may seem daunting for a small business, there are various ways you can keep on top of data protection laws and changes:

  • Follow ICO Guidance: The ICO regularly publishes compliance updates, guidance, enforcement decisions, helpful resources, and news. These resources can be handy for small businesses. Signing up to and reviewing reputable legal updates from law firms can also help;
  • Monitor Government Announcements: Proposed legislation may change before becoming law. Monitoring parliamentary updates can help your business stay informed about changes in law that may impact your operations; and
  • Seek Legal Advice: The most effective way to stay ahead and compliant is to seek advice from a data protection lawyer. A data protection lawyer will guide your business on forthcoming legal changes, how they impact your business, and what steps you need to take to comply. 

Key Takeaways

Businesses should seek to keep updated with changes in data protection law rules to avoid non-compliance risks. The bill has proposed introducing various changes to the UK’s data protection laws. Some proposed modifications might simplify compliance – but others would increase financial penalties. Your business must continue complying with UK GDPR and DPA 2018. These laws set out current mandatory rules, and failure to comply could lead to consequences, including fines and reputational harm. In the meantime, keep an eye out for potential legislative changes to understand the possible implications and be well-informed and prepared for any changes you may need to make. 

If you need help understanding your data protection obligations, our experienced data, privacy, and IT lawyers are here to help. As part of our LegalVision membership, you can access lawyers who can answer your questions and review your documents for a low monthly fee. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why is UK GDPR compliance important for businesses?

UK GDPR is a mandatory law that intends to help protect personal data. Your business must comply if you process personal data; otherwise, you could face various negative implications, such as enforcement action and fines. 

Why is it important to stay up to date with data protection law rules?

Data protection laws can change, and failing to comply could result in various risks for your business, such as enforcement action, fines, and reputational damage. By staying informed about upcoming changes, your business can quickly adapt to new legal requirements and reduce non-compliance risks.

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.
