United Kingdom Data Use and Access (DUA) Bill: Navigating Changes and Compliance with BigID

The United Kingdom’s Data (Use and Access) (DUA) Bill was introduced in the UK House of Lords in October 2024 to reform the existing data protection framework, specifically the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and the UK GDPR. The DUA Bill aims to balance data-driven innovation against the protection of individual privacy rights. However, it could diverge from EU data protection standards, which could put the UK’s EU adequacy status at risk.
What is the DUA Bill?
The Data (Use and Access) Bill is a legislative proposal that establishes a framework for digital verification services and regulates how data is used and accessed within the UK. The DUA Bill was published on 24 October 2024 to replace the previous government’s Data Protection and Digital Information (DPDI) Bill, which lapsed when Parliament was dissolved for the 2024 general election.
The DUA Bill aims to “unlock the secure and effective use of data for the public interest” while driving economic growth and improving the lives of UK residents. It seeks to modernize data practices, promote digital innovation, and keep robust data protection measures in place.
Key Reforms Set in the DUA Bill
The DUA Bill substantially changes UK data protection law, focusing on reducing regulatory burdens for small and medium enterprises (SMEs), simplifying data subject access requests (DSARs), and preserving alignment with EU data protection policy. Organizations should understand these proposed changes now so that they are prepared when the Bill becomes law.
The DUA Bill proposes several significant amendments to the UK’s data protection landscape:
Legitimate Interests and Processing
- Legitimate Interest: The Bill proposes that controllers won’t need to conduct a Legitimate Interests Assessment (LIA) when processing falls under ‘recognized legitimate interests.’ These include scenarios such as safeguarding national security, protecting the vulnerable, or responding to an emergency.
Additionally, the DUA Bill provides specific examples of processing activities that may qualify as necessary for legitimate interests, which include direct marketing, internal data sharing, and cybersecurity. The Bill provides much-needed clarity, ensuring controllers understand when they can lawfully rely on legitimate interests as a basis for processing data.
- Further processing of personal data: The Bill sets out more clearly when further processing of personal data is compatible with the purpose for which it was originally collected. Organizations must assess any new use of personal data against that original purpose, and document the assessment, before going ahead.
DSARs and Automated Decision-Making
- DSARs: The DUA Bill refines the handling of Data Subject Access Requests (DSARs), requiring controllers to conduct only “reasonable and proportionate” searches, though it does not define these terms. It adds an exemption for information protected by legal professional privilege and clarifies that the response period does not begin to run until the controller has verified the requester’s identity or received any clarification it reasonably asked for. Unlike the DPDI Bill, it does not widen the grounds on which controllers can refuse requests, but it gives statutory backing to the limits on search scope, so controllers are only required to provide information that a reasonable and proportionate search would locate. This offers greater clarity and legal certainty for organizations managing DSAR compliance.
- Automated decision-making: The Bill reworks the rules for significant decisions made solely by automated processing. The general prohibition is narrowed to decisions based on special category data; other solely automated significant decisions are permitted, provided safeguards are in place to keep the decision-making fair and transparent. Those safeguards give data subjects the right to be told about the decision, to make representations, to request human intervention, and to contest the decision.
Consent and Cookies
- Regulating Cookie Consent: The Bill amends the Privacy and Electronic Communications Regulations (PECR) to reduce cookie pop-ups and banners by allowing certain types of cookies to be set without explicit user consent. These include cookies used for essential website functionality, security, fraud prevention, and audience measurement (statistical purposes). The Bill also supports browser-based or device-level settings that let users manage their cookie preferences centrally, reducing the need for repeated consent prompts.
- Clarifying Consent: The Bill clarifies what ‘freely given’ consent means, addressing concerns about services that make access conditional on consent. This promotes transparency and more user-friendly data practices.
- Scientific Research: The Bill amends the UK GDPR so that consent given to processing for an area of scientific research counts as valid consent where the specific purposes cannot be fully identified at the time of collection, provided that, where the research allows it, data subjects are given the opportunity to consent to only part of the research rather than the entire study.
New additions from the DUA Bill
The DUA Bill includes new elements that were not in the DPDI Bill, such as:
- Special Category Data: Under Clause 74, the Secretary of State has the authority to issue regulations expanding the special categories of data under Article 9 of the UK GDPR. These regulations can introduce new data categories, refine applicable conditions, prohibit processing, and add definitions to adapt to technological and societal advancements.
- Children’s Data: The DUA Bill reinforces the protection of children’s data by requiring the UK Information Commissioner’s Office (ICO) to take account of children’s particular vulnerability, and their need for specific protection, when it carries out its data protection functions and enforces data protection law.
- Complaints by Data Subjects: The DUA Bill requires data subjects to first submit complaints directly to the relevant controller before escalating them to the ICO if unresolved, aiming to reduce the ICO’s caseload. Organizations must establish a formal complaints procedure and maintain a register of data protection complaints, which must be shared with the ICO upon request.
- International data transfers: The Bill amends the UK GDPR so that the Secretary of State can approve international data transfers under a new “data protection test,” which requires that the standard of protection in the recipient country is not materially lower than the UK’s.
- Digital verification services: The Bill establishes a regulatory regime for digital verification services, including a register of providers and a trust framework, to increase trust in online identity verification.
How BigID Can Help Organizations Align with the DUA Bill
BigID helps organizations comply with the UK Data (Use and Access) (DUA) Bill by providing data discovery, classification, governance, and AI capabilities. With automated scanning and cataloging, BigID helps organizations identify and manage personal and sensitive data, streamlining compliance with the Bill’s requirements on data processing, legitimate interests, consent, and data subject rights. BigID’s security and compliance monitoring capabilities also help mitigate risks associated with data transfers, automated decision-making, and children’s data protection, keeping organizations aligned with the DUA Bill’s evolving regulatory requirements.
With BigID, organizations can:
- Gain Data Visibility: Automatically classify, categorize, tag, and label sensitive and personal data accurately and at scale, granularly by person, sensitivity, type, context, and content.
- Discover Data: Discover and catalog sensitive data, whether structured, semi-structured, or unstructured, in on-prem environments and across the cloud.
- Minimize Data: Ensure data minimization through duplicate discovery and correlation to identify and remove redundant, obsolete, and trivial (ROT) data and reduce your attack surface.
- Automate Data Rights Management: Automate fulfillment of individual data rights requests such as access, rectification, appeals, and deletion.
- Manage Universal Consent & Preferences: Manage and adjust consumer consent and preferences centrally across channels.
- Streamline Data Lifecycle Management: Apply a policy-based approach to automate data lifecycle management across collection, retention, and deletion.
- Monitor Cross-Border Data Transfers: Create policies and assign residency to data sources and to individuals’ data to enforce data residency requirements, and monitor and alert on data transfers.
- Assess Privacy Risk: Initiate, manage, document, and complete assessments, including privacy impact assessments (PIAs), data protection impact assessments (DPIAs), AI assessments, transfer impact assessments (TIAs), legitimate interests assessments (LIAs), and vendor assessments, to maintain compliance and reduce risk.
- Achieve Compliance with the DUA Bill: Streamline compliance processes with end-to-end privacy and security capabilities and frameworks to enforce policies, fulfill regulatory requirements, and protect personal, sensitive, and regulated data.
Connect with BigID’s privacy experts to see how to streamline privacy management while strengthening compliance. Schedule your demo today!