Data (Use and Access) Bill
The key points behind the UK Data (Use & Access) Bill. Do the changes affect you?
The Data (Use and Access) Bill, introduced in the House of Lords on 23 October 2024, represents a significant legislative effort by the UK government to modernise the nation’s data framework, following the introduction of GDPR in 2018.
The Data (Use and Access) Bill is making rapid progress through Parliament and is expected to be passed around Easter time. The renewal of the UK’s adequacy agreement by the European Commission (following Brexit) has been postponed until December 2025 to allow the new legislation to “bed in”. Realistically, however, there are unlikely to be any challenges to this and the UK’s adequacy should be renewed.
If you are a business owner, you may be wondering:
- Why are these changes being made?
- How will the new Data (Use and Access) Bill affect my business?
- What changes will I need to make?
- What advantages will the Data (Use and Access) Bill offer my business?
Whatever concerns you have, at Privacy Helper, we are committed to providing you with the up-to-date information that you need to remain compliant and informed.
Data (Use and Access) Bill Explained
The UK government has described the EU’s GDPR as “highly complex”, stating that it has held back businesses from using data effectively due to “red tape and pointless paperwork”. The aims of the Data (Use and Access) Bill changes are to:
- Grow the economy
- Improve public services
- Improve the lives of citizens
This comprehensive legislation contains modifications to all privacy-related legislation in scope – the UK GDPR, the Data Protection Act 2018 and the Privacy and Communication Regulation 2003 (PECR).
Modifications are not as severe as those previously proposed by the Conservative Government’s Data Protection and Digital Information Bill (DPDI), so the need for Data Protection Officers (DPOs), Data Protection Impact Assessments (DPIAs) and the need to maintain Records of Processing Activities (ROPAs) remain the same.
The main points of this Data (Use and Access) Bill are:
- Complaints to the Information Commissioner’s Office (ICO)
Under the current UK GDPR, people have a right to complain directly to the ICO in relation to the processing of their personal data – irrespective of the severity of the complaint. Under the Data (Use and Access) Bill, individuals will first be required to contact an organisation (data controller) regarding their complaint. If they feel the organisation is not taking the complaint seriously, or the organisation fails to respond in a timely manner, then it should be escalated to the ICO. It is hoped this will reduce the number of complaints to the ICO – meaning they only deal with the more severe cases – and it will also give organisations the chance to handle any complaints internally.
- How will this impact business owners?
This new process will require business owners to establish new processes to ensure they can respond to any complaints within 30 days. Formal records will need to be kept on the number of privacy-related complaints in a specific time period. Failure to respond in this time frame may result in difficult questions from the regulator – and see an increase in enforcement activity from the ICO.
- Subject Access Requests (SARs)
Organisations (Data Controllers) will be able to “stop the clock” on Subject Access Requests if more information is required, or the identity of the data subject needs verifying. Requests will need to be “reasonable and proportionate”, otherwise they can be declined – it is hoped this will avoid SARs being used against an organisation, rather than as a genuine request for copies of data. The parameters for “reasonable and proportionate” will need to be set by the ICO.
- Right to Portability
The direct sharing of data between certain organisations or regulated third parties will be permitted. This will facilitate the sharing of data for investigations and where there is concern for an individual, or regulatory (but not legal) investigation.
- Right to be Informed
- Article 13 requires full details of the data controller to be provided to the data subject whenever personal data is being collected – most typically in the form of a privacy notice that is readily available... and relevant! Many privacy notices contain general processing information, but not necessarily information relevant to the specific activity.
- Article 14 requires details of the data controller to be provided to the data subject without undue delay in instances where data is collected by a third party. “Undue delay” is usually interpreted as “within 30 days”. This has always been challenging, especially where large volumes of data are collected for marketing purposes. If either of these involves “disproportionate effort”, the organisation will not be obliged to provide this.
- Legitimate Interest as a Lawful Basis
Legitimate interest will be accepted as a lawful basis for direct marketing purposes. The direct marketing laws under PECR (Privacy and Communication Regulation 2003) will still apply, so this doesn’t mean this lawful basis can be used as a default. This will not be a free-for-all… Fines under PECR also stand to increase substantially – more on that later.
- Soft opt-in for marketing to charities
Charities will now be able to rely on the soft opt-in when signing people up to electronic marketing. As long as the following conditions are met, people can be presented with an “opt-out” mechanism, instead of “opt-in” or consent for emails and SMS communications:
- The data is only being used for marketing by the charity – no third parties or other causes are in scope of the processing.
- Data was collected when the person expressed an interest in the charity and/or offered to support the charity.
- Opt-out is offered at every opportunity.
- Recognised Legitimate Interests
There will be certain instances where legitimate interest is pre-approved and a legitimate interest assessment (LIA) is not required. Currently these are:
- Disclosures to public bodies where it is believed personal data is necessary to fulfil a public function.
- Disclosures for national or public security or defence purposes, emergencies.
- Disclosures for prevention or detection of a crime, and safeguarding vulnerable individuals.
- Privacy and Electronic Communication Regulation, 2003 (PECR) Fines
Monetary penalties for infringements of the PECR legislation that governs direct marketing and the use of cookies in the UK will increase from £500,000 to being in line with UK GDPR – so up to £17.5m, or 4% of annual turnover.
- Spam Emails and Text Messages
The definition of spam emails and text messages is being revised. It will now be based on the SENDING of messages, rather than the successful DELIVERY of them. This is likely to result in much higher fines for organisations responsible for sending spam messages.
- Special Category Data
New categories are introduced, such as “neurodata”.
- Cookies
It will be permissible to drop cookies and similar technologies on websites for the purposes of analytics and optimising content – but an opt-out must be provided.
This will allow owners of websites to track users and their activity in order to improve the experience and success of the site, without the need for consent.
- Information Commissioner
The Information Commissioner’s Office (ICO) is set to be replaced by an Information Commission and it will be run in similar fashion to other regulatory bodies such as the FCA and OFCOM.
Privacy Helper can support your organisation in your interpretation of the Data (Use and Access) Bill – we’ll explain what you can and can’t do.
Our pro-business, zero fuss approach will help you to do more with data… compliantly!
How can I ensure my business benefits from the Data (Use and Access) Bill?
We will need to discuss your current procedures and ask questions about how you handle data and why. We will need to speak to members of your organisation who are involved in data collection. We will be able to discuss costs, work schedules and length of time necessary to complete the audit.
What to do next:
- Please contact us now and let us remove the stress of managing data compliance in your business.
- We handle the complete scope of any data privacy requirement
Clear, Transparent Pricing
Just like the GDPR demands your processing be transparent at all times, our fees are also transparent – there are NO hidden, or unexpected costs. Everything is explained clearly to you in advance, ensuring you never exceed your budget.
GDPR Gap Analysis
A detailed comparison between your current data protection practices and requirements of the GDPR
£150 per hour + VAT
Project price based on project scope
- GDPR Gap Analysis
- Compliance and risk analysis
- Document review
- RAG report
- Compliance action plan
GDPR Compliance
Create an effective Data Protection Framework by addressing identified areas of non-compliance
£150 per hour + VAT
Project price based on project scope
- Create or update relevant policies
- Define and implement processes
- Train on record management
- Support 'Data Protection Culture'
- Guide on compliance and risk
Outsourced DPO
Managing your Data Protection Compliance Framework and upholding obligations
From £595 +VAT per month
Available from ½ day per month
- Designated qualified DPO
- Interacting with the ICO
- Supporting DSARs & DPIAs
- Conducting Due Diligence
- Guiding on compliance and risk
GDPR Training
Training portal available as part of a package or as a standalone service
Online training
From £2.50 +VAT
per user per month
E-learning platform
- GDPR/Privacy training
- Supports Compliance Framework
- Bespoke training programmes
- In-person training for key staff
Free PRIVACY HELPER GDPR / Cyber Security training starter pack available with any new project - terms apply.
Why choose us?
Find out more about us, and why we are a leading UK privacy consultancy.
How much will this cost?
Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.
What next?
Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.
Other services you may be interested in from PRIVACY HELPER
GDPR Consultancy
Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.
GDPR Training Courses
An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.
Marketing
Is your marketing activity legal? We can make sure it is.