Data Protection Network

UK GDPR and PECR – key DUAA reforms take effect

The main amendments to UK GDPR and the Privacy and Electronic Communications Regulations (PECR) under the Data Use and Access Act (DUAA) come into force on Thursday 5th February.

While significant, these changes do not represent a radical overhaul. The fundamental data protection principles and obligations remain unchanged. Most amendments offer potential opportunities some organisations may wish to take advantage of.

The one exception is a new requirement to have a data protection complaints procedure. But this requirement won’t commence until June 2026.

Key changes taking effect on 5th February

Recognised Legitimate Interests

This new (seventh) lawful basis for processing provides a list of recognised legitimate interests for which a balancing test is not required. The list includes disclosure to public authorities conducting a public task, processing to detect, investigate or prevent crime, for national security purposes and to safeguard vulnerable individuals.

Although a balancing test (e.g. a Legitimate Interests Assessment) will not be required, it would be wise to document any decision to rely on a recognised legitimate interest and update the relevant privacy notices accordingly.

Soft opt-in for charities

Charities can now rely on the so-called ‘soft opt-in’ exemption to consent for direct marketing. This means supporters and donors can be provided with an ‘opt-out’ mechanism rather than an ‘opt-in’, as long as specific conditions are met. The ICO draft guidance on this is nuanced, so it’s worth making sure you’re familiar with the regulatory approach.

Data Subject Access Requests (DSARs)

Minor adjustments give a statutory footing to previous case law and regulatory guidance. It’s confirmed that the one-calendar-month timescale for responding doesn’t start until you are satisfied the requester is who they say they are, and that the clock can be paused while you seek clarification. Already in effect is a firm clarification that organisations need only conduct a ‘reasonable and proportionate’ search for personal data. The ICO has published updated Right of Access Guidance and we’ve taken a look at what’s changed here.

New narrow exceptions for cookie consent

Until now organisations needed to collect consent for all but ‘strictly necessary’ cookies and similar technologies. The exemption is now expanded to cover other specific types of cookies and similar technologies. It’s worth checking whether you can take advantage of these, but bear in mind the exceptions are quite limited.

Increased PECR fines

This is particularly notable, as the ICO issues more fines for violations of the marketing rules under PECR than under UK GDPR. Until now the maximum fine under PECR was capped at £500k; it is now raised to UK GDPR levels – £17.5 million or 4% of an organisation’s annual global turnover, whichever is higher. In any enforcement action the ICO will also be able to take account not only of the volume of messages received, but also of those sent but not received.

Broader provisions for using AI and automated decisions

Until now the UK GDPR placed strict rules on automated decision-making (ADM), including profiling, which produced ‘legal or similarly significant’ effects. Such ADM required explicit consent or contractual necessity. This is now relaxed so that the strict rules apply only to automated decisions using special category data. For ADM that does not involve special category data you will be able to rely on other lawful bases, but certain safeguards will be required, such as giving individuals the ability to contest decisions and request human intervention, and you’ll need to provide ‘meaningful information’ on how an ADM system operates.

This change provides increased flexibility to make automated decisions using personal data (but not special category data), for example when utilising AI systems. However, if an AI system is used in the EU as well as the UK, organisations will also need to consider the EU AI Act and the EU GDPR.

Broader definition of ‘scientific research’

There are detailed changes in relation to scientific research. To briefly summarise, the definition of ‘scientific research’ is clarified and will explicitly state that research can be a commercial or non-commercial activity. Purpose limitation and consent for scientific research are adapted, in part driven by a desire to make it easier for personal data collected for specific research to be reused for additional scientific research purposes.

Subtle changes for UK data transfers

There are some changes to the terminology in relation to international data transfers, with ‘adequacy decision’ being replaced by the ‘data protection test’. This is a test of whether the standard of data protection in a destination country is ‘not materially lower’ than that in the UK, and it will need to be adopted by organisations looking to export data from the UK.

The ICO has updated its International Data Transfer Guidance, which includes a handy 3-step test to check if a transfer is taking place, which we’ve written about here.

Data protection by design to protect children

When assessing appropriate ‘technical and organisational measures’ in relation to online services likely to be accessed by children, organisations are legally obliged to take account of how children can best be protected right from the design phase. Changes essentially strengthen the need for organisations to adhere to the Children’s Code.

Above is just a summary of some of the main changes. The level of impact will very much depend on your sector and your specific processing activities. New investigative and enforcement powers for the ICO also commence on 5th February. The ICO is set to be replaced by an Information Commission, but not just yet!

We anticipate further guidance from the regulator in due course.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.