UK Prepares Guidance for Companies on New Data Law's Key Provisions
The Information Commissioner's Office (ICO) and data protection attorneys are looking to advise companies on key changes to the U.K.'s privacy landscape as a result of the U.K. Data (Use and Access) Act 2025 (DUAA), in effect as of Wednesday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The ICO Thursday launched consultations on draft guidance on DUAA's new provisions on "recognized legitimate interest" and data-protection complaints.
Recognized legitimate interest is a new lawful basis for processing personal data, the ICO noted. It will give companies more confidence to use personal information for certain pre-approved purposes, such as crime prevention, public security, safeguarding and emergencies.
The proposed guidance will make it easier for organizations to use the new legal basis by explaining how it works and giving concrete examples, the watchdog said. Comments are due Oct. 30.
Under the data protection complaints rule, all organizations must have a process to handle data protection complaints by June 2026, the ICO said. Its guidance lays out new requirements about what companies "must, should and could do to comply." Comments are due Oct. 19.
While many of DUAA's changes codify or simplify existing guidance or case law decisions, privacy lawyers are advising clients on several of its key aspects, Eversheds Sutherland cybersecurity and data privacy attorney Paula Barrett emailed us.
The complaints process requirement will be new for many clients, and they'll have to consider how to make it work in practice, Barrett said. That includes determining who will carry it out and how it interacts with other compliance and risk management processes. Companies will also have to recognize the different categories of people who can file a complaint and the contexts in which those complaints could arise.
In a guide published Tuesday for businesses, legal teams and data professionals, Eversheds Sutherland noted that DUAA "introduces a subtle but significant relaxation" of existing rules around decisions based solely on automated decision-making.
Under the current regime, people in most circumstances have the right not to be subject to a solely automated decision that results in legal or other significant effects, the firm said. Under DUAA, however, significant and solely automated decisions are generally allowed subject to certain safeguards.
One potentially major change in U.K. data law under DUAA is its new legal framework enabling greater access by customers to their data from relevant data holders, Barrett said.
This new legal right will enable data portability, allowing customers, for example, to switch suppliers, Barrett said. Data holders will have new obligations to comply with these customer rights as well as with other provisions relating to their business data, such as making it available to others on request.
"More is to come on this, but it's a potentially significant change in UK data law," Barrett added.
The DUAA provisions now in effect give the "first real sense of how the act will work in practice," privacy lawyer Robert Bateman said in a LinkedIn post Wednesday.