The Data (Use and Access) Bill: implications for businesses

12 May 2025

The Data (Use and Access) Bill (“Data Bill”) has now completed its passage through the House of Lords and is awaiting a date to start the report stage within the House of Commons.

Provided that there are no unexpected delays, it’s anticipated that the Data Bill will become law later this year.

The Data Bill is intended to amend UK data protection laws, bringing about changes to the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications Regulations (“PECR”). In this article, we will explore five key changes as well as what businesses can do to ensure that they remain compliant following the enactment of the Data Bill.

1. Legitimate interests

The Data Bill will seek to include a new list of ‘recognised legitimate interests’, which businesses can rely on as a lawful basis for processing personal data. Importantly, when relying on this lawful basis, businesses won’t be required to carry out a legitimate interest assessment.

Furthermore, the Data Bill will also introduce a non-exhaustive list of processing activities that will fall within the current legitimate interests lawful basis. Examples include processing for the purposes of direct marketing and intra-group transfers for internal administration. These examples are intended to assist businesses when completing a legitimate interest assessment.

Businesses relying on legitimate interests as a lawful basis should check if they can rely on these amendments and if so, consider updating key documents such as privacy notices and records of processing.

2. International transfers

The Government are taking a slightly more relaxed approach to international data transfers. Under the Data Bill, businesses will need to ensure that the data protection standards in the recipient country are “not materially lower” than UK standards. At present, businesses must ensure that those standards are “essentially equivalent” to those under UK law.

Businesses will need to consider the implications of this revised standard when making international transfers and deciding which appropriate safeguards to put in place.

3. PECR fines

The maximum fine for non-compliance with the PECR marketing rules will increase from £500,000 to (i) £17.5m or (ii) 4% of the business’s annual worldwide turnover in the preceding financial year, whichever is the higher. As a result, monetary fines for breaches of PECR and the UK GDPR will now be aligned.

Businesses should review their current policies and procedures to ensure that they are compliant with PECR – in particular, regarding their use of cookies and when undertaking direct marketing.

4. Automated decision-making

At present, under the UK GDPR, businesses can’t – subject to certain exceptions – make automated decisions (decisions made without human involvement) that have a legal or similarly significant effect on individuals. However, the Data Bill will seek to relax this restriction so that it only applies to the processing of special category data, e.g. health data. As a result, businesses will have greater flexibility to process personal data by automated means (e.g. in AI systems), subject to putting specific safeguards in place.

Businesses that use automated decision making should consider whether they can rely on these relaxed rules and if so, whether they have appropriate safeguards in place.

5. Subject Access Requests

A new ‘applicable time period’ is to be introduced for responding to data subject access requests. At present, the general rule is that a business must respond to a data subject access request without undue delay and in any event, within one month of receiving the request.

The Data Bill proposes to amend this so that the one-month deadline starts from the “relevant time”. The relevant time is defined as the latest of (i) the date the business receives the request; (ii) the date the business has checked and confirmed the identity of the data subject (if applicable); and (iii) the date the business receives the fee (if any) charged in connection with the request.

Businesses will need to ensure that their internal policies for handling data subject access requests are updated in line with the changes implemented by the Data Bill and that appropriate staff members have received up-to-date training.

Looking ahead

So, what’s next? Well, as mentioned above, assuming everything goes to plan, the Data Bill will become law in the next few months.

Following the enactment of the Data Bill, the EU is expected to conduct a formal review of the UK’s data protection framework. This review will determine the ongoing adequacy of the UK’s data protection standards, which currently allow for the free flow of data between the UK and the EU without additional documentation. Originally set to expire on 27th June 2025, the EU’s adequacy decisions have been extended until 27th December 2025 to accommodate the Data Bill’s implementation prior to their assessment.

If you need assistance in reviewing and/or updating your documents or require specialist data protection law advice, please get in touch with our team today.