Evolution, not revolution. However, the long-awaited data protection changes are on their way with the introduction of the Data (Use and Access) Act 2025 (“DUAA”) in June 2025. It is time to get your house in order.
However, don’t panic: you haven’t missed the boat yet – most changes are forthcoming … so you still have time to prepare. Save for a few developments (for example, the requirement for Subject Access Requests to be reasonable and proportionate), key changes are on the horizon.
Automated decision making
For many organisations, this will have the biggest potential impact. In summary, save for the use of Special Categories of Personal Data, the automated decision making regime will be subject to a permission based system with certain safeguards (including transparency; human intervention; the ability to contest; and explainability) as opposed to the previous regime of prohibition subject to exceptions. The definition of solely automated processing is also relaxed, potentially permitting additional automated decision making – a boon for many organisations.
Although welcomed by many organisations who will increase their use of automated decision making, watch this space as this departure from the EU position has already raised the eyebrows of privacy campaigners.
Legitimate interests
Although not the panacea many organisations (often erroneously) believed this basis to be, in an attempt to clarify the position, the DUAA has specified a list of ‘recognised legitimate interests’ to assist organisations to justify certain processing of personal data. That said, although the list can be amended from time to time, it is currently limited in scope (for example, national security; emergencies; crime; and safeguarding vulnerable individuals), therefore its impact may not be immediate.
Notwithstanding, the DUAA also helpfully provides examples of legitimate interests and codifies those previously mentioned in UK GDPR Recitals (including direct marketing; intra-group transfers of personal data; and the security of network and information systems). Therefore, in future, organisations may find it easier and more palatable – from a legal and administrative perspective – to rely upon legitimate interests.
E-privacy
Surprisingly, a key change for many organisations from a risk perspective is the fact that maximum fines under the Privacy and Electronic Communications Regulations 2003 (“PECR”) will increase from, in many cases, £500k to £17.5 million or 4% of global annual turnover (whichever is the higher). Nothing focuses the mind more than an increase in potential exposure to this degree!
If your organisation took its responsibilities under PECR (including marketing initiatives) lightly or on a risk based approach – it is time to reassess.
You should also note that cookie consent requirements have been extended to an organisation that “instigates” the storage of data or access to it. However, the DUAA does provide a relaxation in relation to the exemption to cookie consent in the event that such cookie use poses a low risk to the privacy of the user and there is a right to opt-out.
Smart data schemes
The foundations have been set to establish a new framework for sharing customer data (at the customer’s request) with certain authorised third-party vendors to provide services to that customer.
These provisions are intended to go beyond the previous data portability provisions. Only time will tell what the detail of the framework will be. However, as the intention is to increase competition, innovation, quality and security, organisations should be looking at this key change now to maintain competitive advantage.
As discussed above, although not the ‘Big Bang’ requested in certain quarters, the DUAA will undoubtedly impact your organisation’s data processing practices. Notwithstanding the fact that certain changes may also impact our EU adequacy position, such changes should form part of your data use considerations now to ensure compliance. Early preparation is key.