UK Data Reform – key changes ahead

March 2025

What data protection teams need to know

Plans to reform the UK’s data laws are making speedy progress through Parliament, with the Data (Use & Access) Bill expected to be passed before or shortly after Easter.

When enacted, the new law will usher in significant amendments to the Data Protection Act 2018, UK GDPR and the Privacy & Electronic Communications Regulations (PECR), as well as measures which go beyond the realms of data protection and ePrivacy.

Controversial plans to amend UK GDPR’s accountability obligations, led by the previous Conservative Government, are not included. So, requirements in relation to Data Protection Officers, Data Protection Impact Assessments and Records of Processing Activities remain the same.

Some new provisions are likely to make data protection compliance efforts slightly easier, although others will impose increased obligations. Here’s our summary of some key changes ahead, with the caveat there’s still time for further amendments.

Individual privacy rights

New right to complain

People will have the right to raise complaints related to use of their personal data. This will require controllers to make sure they have clear procedures to facilitate complaints, for instance, by providing a complaint form. Complaints will require a response within 30 days. Alongside this, organisations may also be obligated to notify the ICO of the number of privacy-related complaints they receive during a specified time period.

In practice this means individuals will first have to seek a resolution directly with an organisation, before escalation to the regulator. This is aimed in part at reducing the volume of complaints the ICO receives.

Some sectors, such as financial services and those who receive FOI requests, will already have complaints procedures in place to meet other legal obligations. For others, these procedures will need to be established.

It’s likely privacy notices will need to be updated to reflect this change. If notification to the ICO of complaint volumes is required, this raises questions about how complaints are categorised and what additional records organisations will be required to keep.

Timescales and seeking clarification

Amendments will clarify the time period for compliance with privacy rights requests. The clock does not start until the organisation is satisfied the requester is who they say they are (i.e. proof of identity has been received). If an organisation reasonably requests further information to clarify a request, the timescale for responding can be paused (i.e. the ‘clock stops’) until this information is provided. These changes are unlikely to have much operational impact, as they simply provide statutory footing to existing ICO guidance on this subject.

Reasonable and proportionate searches

It’s confirmed organisations should conduct a “reasonable and proportionate” search for personal data in responding to Data Subject Access Requests (DSAR). Again, this gives current ICO guidance a statutory footing, and may prove helpful for organisations handling particularly demanding requests.

Court procedures

Where there’s a legal dispute over the information provided (or not provided) in response to a DSAR, a court will be able to request organisations make such information available for the court to inspect and assess. This means organisations will need to make sure they clearly document non-disclosure decisions, including their justifications. This is something we’d strongly advise doing already.

Right to be informed

The obligation to provide privacy information to individuals (i.e. under Articles 13 and 14 of UK GDPR) will not apply if providing this information “is impossible or would involve disproportionate effort”. This is most likely to be particularly relevant where organisations have gathered personal data indirectly, i.e. not directly from the individuals. This was a point of contention in the Experian vs ICO case, where Experian argued it would be disproportionate effort to notify and provide privacy information to the millions of people whose data they process from the Edited Electoral Roll.

Legitimate Interests

Direct marketing

Legitimate interests will be confirmed in law as an acceptable lawful basis where necessary for direct marketing purposes. While there are concerns in some quarters this will lead to more ‘spam’ marketing, I’d stress the direct marketing rules under PECR will still apply, so legitimate interests will remain an option only when the law doesn’t require consent.

Recognised legitimate interests

The concept of ‘recognised legitimate interests’ is to be introduced, whereby organisations will not need to conduct a balancing test (i.e. a Legitimate Interests Assessment) when relying on this lawful basis for certain purposes. The list of recognised legitimate interests includes the following (and may be expanded):
Disclosures to public bodies, where it is asserted personal data is necessary to fulfil a public function.
Disclosures for national or public security or defence purposes, or in emergencies.
Disclosures for prevention or detection of a crime, and safeguarding vulnerable individuals.

International Data Transfers

There are amendments to risk assessment requirements for international data transfers. Currently, where there’s no ‘adequacy’ decision for the destination country, organisations need to undertake a Transfer Risk Assessment. Moving forward, organisations transferring data overseas will need to “reasonably and proportionately” consider if the data protection standards in the destination country will be materially lower than those in the UK. This gives potential room to streamline assessment procedures, especially to reduce the burden for low-risk transfers.

Reforms to UK data laws will be scrutinised by the EU Commission when it reviews its adequacy decisions for the UK. These currently allow for the free flow of personal data between the EEA and UK, without the need for additional risk assessments or safeguard measures. The EC review of these decisions was due in June this year, but this has been delayed until December. The general consensus is there’s hopefully nothing considered too radical to scare the horses and UK adequacy will be renewed. Nonetheless, this is one to watch.

Special Category Data

A mechanism is included allowing for future introduction of newly defined special categories of personal data. An example given is ‘neurodata’, which is information gathered from the human brain and/or from the nervous system. As the requirements for processing special category data are restricted under UK GDPR, introducing new types has the potential to lead to significant implications in some sectors.

Automated decision-making

A noteworthy amendment is to be made to Article 22 of UK GDPR which currently places strict restrictions on automated decision-making (including profiling) which results in legal or similar significant effects. This will be relaxed, only applying to automated decisions using special category data. With any other personal data, there will be a requirement to put in place certain safeguards, such as giving individuals the ability to contest decisions and requiring human intervention.

This change will give organisations more flexibility to make automated decisions using ‘normal’ personal data, for example when utilising AI systems. However, there are concerns it could have a negative impact on people’s rights. This also represents a marked distinction between the UK and the EU approaches, which may be a key consideration in the EU’s review of UK adequacy.

Steve Wood, Founder of PrivacyX Consulting and former UK Deputy Information Commissioner says: “This creates a real importance on the Code that will be produced by the ICO, covering how the safeguards should be applied in practice. A current priority for the ICO is use of AI in recruitment and this is an emerging area of risk, including the use of AI in fire and hire decisions in the gig economy. Time will tell whether it was premature to remove the precautionary approach of Article 22 when the implications of using AI for automated decision making are still being assessed.”

‘High risk’ AI decisions

People will have the right to request information where a decision is either solely, or in part, based on automated processing including AI and machine learning, and has a legal or similar significant effect on them. Controllers will be required to provide an explanation of the criteria used to reach the decision along with a description of the key factors (or features) which most significantly influenced the decision. Individuals will be able to request human review or details of how to appeal the decision.

Data protection by design to protect children

Amendments to existing law make specific reference to additional protections for children (anyone under the age of 18). When assessing appropriate ‘technical and organisational’ measures in relation to online services likely to be accessed by children, organisations will be legally obliged to take account of how children can best be protected, confirm that children merit additional protection, and have different needs at different ages and stages of development. Such measures strengthen the need to adhere to the UK Children’s Code.

Charities and the marketing ‘soft opt-in’

The use of the ‘soft opt-in’ exemption to consent for electronic marketing is to be extended to charities. This means charities will be able to provide people with an ‘opt-out’ mechanism rather than an ‘opt-in’ to marketing emails (and/or SMS), as long as the following conditions are met:

The sole purpose of the direct marketing is for the charity’s own charitable purpose(s);
Contact details were collected when the individual:
a) expressed an interest in the charity’s purpose(s); or
b) offered or provided support to further the charity’s purpose(s);
An opportunity to refuse/opt-out is given at the point of collection, and in every subsequent communication.

We’ve written about the pros and cons of switching to the ‘soft opt-in’ here.

PECR Fines

Fines for infringements of the Privacy & Electronic Communications Regulations, which govern direct marketing and cookies, are set to significantly increase. Currently the maximum fine under PECR is capped at £500k, but the limits will be brought in line with the much more substantial fines which can be levied under UK GDPR. Reckless disregard for marketing and cookie rules is about to get more costly.

Spam emails and texts

What constitutes ‘spam’ is to be extended to include emails and text messages which are sent, but not received by anyone. This will mean the regulator will be able to consider much larger volumes in any enforcement action, which may result in much higher fines – SPAMMERS BEWARE!

Cookies & similar technologies

Exemptions are set to be introduced from the requirement to collect consent for certain types of cookies and similar technologies, as long as a clear opportunity to opt-out is provided. This will be permitted for purposes such as website analytics and optimising content. I envisage much reconfiguring of the array of website consent management platforms which have been implemented in recent years. But remember, targeting/advertising cookies (including social media targeting pixels) will still need consent.

Alongside these changes the ICO is reviewing PECR consent requirements to “enable a shift towards privacy-preserving advertising models”. This autumn a statement is expected identifying ‘low-risk’ advertising activities which in the ICO’s view are unlikely to cause harm or trigger enforcement action. You can read more about this in the ICO’s package of measures to drive economic growth.

Research

Purpose limitation and provision of privacy information

Currently, UK GDPR makes it tricky to reuse personal data for new purposes, yet research projects can often move into areas which weren’t anticipated when data was originally collected. A new exemption is to be introduced in relation to the provision of privacy information. Amendments are also set to be made to the purpose limitation principle so that further processing for ‘RAS purposes’ is treated as compatible with the original purpose. Both these changes are subject to ‘appropriate safeguards’. (‘RAS purposes’ covers processing for scientific and historic research, archiving in the public interest, and statistical purposes.)

Scientific research

The definition of ‘scientific research’ is to be clarified and will explicitly state research can be a commercial or non-commercial activity. Consent for scientific research is to be adapted, in part driven by a desire to make it easier for personal data collected for specific research to be reused for other scientific research purposes.

Commenting on these changes, Ellie Blore, Data Protection Officer at Best Companies, says: “The aims are to provide greater flexibility for commercial research and innovation. It expands the definition of ‘Scientific Research’ to include certain privately funded and commercial research activities, meaning that some private AI training and research will now be classified under Scientific Research. Furthermore, secondary processing of data for Scientific Research and Development purposes will be considered compatible with the original purpose of data collection, provided the appropriate safeguards are in place. There are exemptions added here, and this will undoubtedly be an area to watch as the Secretary of State will have the power to further vary those safeguards.”

Smart data schemes

Provisions are being introduced to support the growth of new ‘smart data schemes’. The right to portability under UK GDPR currently allows individuals to obtain and reuse their personal data. Moving forward, this will be expanded to allow consumers to request that their data is shared directly with authorised and regulated third parties. This will be underpinned by a framework with data security at its core. It’s hoped this will allow for the growth of smart data schemes, enabling data sharing in areas such as energy, telecoms, mortgages and insurance.

Healthcare information

Ever been to hospital and found your GP has no record of your treatment, or the hospital can’t access your GP’s notes? The government is hoping data reform will pave the way for a more consistent approach to information standards and technology infrastructure, so systems can ‘talk’ to each other. For example, allowing hospitals, GP surgeries, social care services, and ambulance services to have real-time access to information such as patient appointments, tests, and pre-existing conditions.

Department Board Appointments

A new measure is to be introduced requiring digital leaders to be represented at executive level within Government departments and other bodies, such as NHS Trusts. At least one of the following roles will need to be appointed to a departmental board or equivalent body: a Chief Information Officer, Chief Technology Officer, Chief Digital Information Officer, Service Transformation Leader or other equivalent role.

Digital verification services

The aim is to create a framework for trusted digital verification services, moving the country away from paper-based and in-person tasks. For example, proposals allow for digital verification services aimed at simplifying processes such as registering births and deaths, starting a new job and renting a home.

New Information Commission

The Information Commissioner’s Office is set to be replaced by an Information Commission. This is to be structured in a similar way to the FCA, OFCOM and the CMA, as a body corporate with an appointed Chief Executive. There’s also provision for the Government to have considerable influence over the operations of the new Commission.

In summary, reform of UK data law has its critics. Among other matters they fear a watering down of people’s rights and an increased ability for personal data to be shared, perhaps recklessly, with and within the public sector. However, the changes are not overly radical, having varying degrees of impact depending on your sector and organisation’s core activities.

Chris Combemale, Director of Policy and Public Affairs at the Data & Marketing Association, welcomes the changes ahead: “The DMA strongly supports the DUA Bill and has worked tirelessly for almost five years to achieve reforms that balance innovation and privacy in accordance with the principles laid out in recital 4 of GDPR. We particularly welcome the greater certainty on the use of legitimate interests as a lawful basis for direct marketing, the extension of the email soft opt-in to charities, exemptions to consent for some types of cookies, greater clarity in Article 22 for automated decision making and the obligation for the ICO to consider innovation and competition alongside privacy.”

Privacy X Consulting’s Steve Wood doesn’t believe the impact will be hugely significant: “The DUA Bill represents an evolution of UK GDPR that should not drive many changes for multi-national companies’ DP governance, which is likely to remain focused around the EU GDPR standard. The more interesting opportunities may lie in the confidence that is provided to the take up of federated digital identity by the statutory underpinning for the Trust Framework and opportunities for data intermediary businesses in relation to the Smart Data provisions.”

UPCOMING ONLINE EVENT – UNWRAPPING UK DATA REFORM

Join a great line up of speakers on 29 April who’ll be discussing the changes under the DUA Bill and taking your questions.