Privacy Daily is a service of Warren Communications News.
Cookie Banners Staying

Key UK Data Act Rules May Come Into Force in 6 Months, Government Says

With substantive data-protection provisions of the U.K. Data Use (and Access) Act 2025 (DUAA) beginning to apply near year's end, organizations should start monitoring new guidance from the Information Commissioner's Office (ICO), Robin Edwards, a member of the government's Department for Science, Innovation and Technology, said Wednesday during an IAPP webinar.

Among many other provisions, DUAA makes key changes to the U.K. Data Protection Act, General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulation (PECR), Edwards added.

One major change is the introduction of a lawful basis for processing personal data: when the processing is necessary for a recognized legitimate interest. Legitimate interests will be presented in a new annex to the U.K. GDPR and will include such things as safeguarding children and national security, and helping public authorities deliver public services authorized by law.

The government wants to encourage responsible data-sharing by public authorities without having to meet the legitimate-interest balancing test, Edwards said. Nevertheless, the processing must still be necessary, and special category data safeguards will apply. The new legal basis doesn't apply to private organizations, he added.

Another big change is around automated decision-making. The new provisions broaden the lawful grounds on which companies can make solely automated decisions without having to seek consent from data subjects. This is intended to avoid hindering economic growth.

DUAA isn't "going to be a fond farewell to the cookie consent banner," Edwards said. Banners are strictly necessary under PECR rules to make websites work, but DUAA removes the need to seek consent for non-intrusive cookies for things like measurements.

Another major change is a restructuring of the ICO. The Information Commission will have a modern board structure with a chair and directors to strengthen internal scrutiny, Edwards said.

In addition, updated enforcement powers will allow the ICO to compel witnesses to attend interviews about alleged data breaches, Edwards said. It can impose higher fines for PECR violations, and organizations must have a complaint system to handle concerns before they reach the ICO, he said.

On Tuesday, the European Commission published a draft adequacy decision for the U.K. (see 2507220030). The government designed its legislative changes to maintain its adequacy, and is awaiting a final EC decision by Dec. 27, Edwards said.

DUAA will also materially revamp the U.K.'s approach to international data transfers, a Squire Patton Boggs blog noted Wednesday.

Rather than requiring an "essentially equivalent" standard, as the EU does, the U.K. will assess whether a country offers protections that aren't "materially lower" than the U.K. baseline, the law firm wrote.

Under the changes, the Secretary of State can establish blacklists of prohibited data destinations and introduce statutory contractual clauses that will automatically satisfy the requirement for appropriate safeguards, removing the need for transfer risk assessments entirely, the firm added.

Although the potential introduction of risk-assessment-free standard contractual clauses "would undoubtedly be welcomed by all involved in carrying out restricted international transfers under the UK GDPR," organizations that also transfer personal data subject to the EU GDPR won't likely see any significant benefit, the firm wrote.