The Data (Use and Access) Bill: Key Points for UK Businesses

On 23 October, the UK government introduced the Data (Use and Access) Bill to boost the economy by £10bn and free up millions of police and NHS staff hours. Here are the main points:

Key amendments to the UK General Data Protection Regulation (GDPR) and Data Protection Act (DPA)

  • Accountability measures: Requirements for Records of Processing Activities (ROPA), Data Protection Impact Assessments (DPIA), and Data Protection Officers (DPOs) remain unchanged.
  • Data Subject Access Requests (DSARs): Controllers need only comply with data subject requests based on a reasonable and proportionate search.
  • Complaints process: The Bill introduces a statutory right for individuals to make complaints to data controllers, who must respond within set timeframes.
  • Automated decision-making: Only automated decision-making using special category data is automatically prohibited.
  • International data transfers: Introduces a risk-based approach and new criteria for assessing adequacy of non-UK countries’ data protection laws.
  • Reforming the Information Commissioner’s Office (ICO): Renamed to Information Commission with new duties and powers, including promoting innovation and competition.

Proposed amendments to the Privacy and Electronic Communications Regulations (PECR)

  • Increased fines: Aligns maximum fines with the UK GDPR and DPA, up to £17.5m or 4% of annual worldwide turnover.
  • Analytics cookies: First-party analytics cookies can be deployed without prior user consent.
  • Data breach reporting: Reporting timeframe extended from 24 to 72 hours for public electronic communications network providers.

Impact on UK businesses

  • Limited changes: Most businesses complying with the UK GDPR, DPA and PECR will only need minor adjustments.
  • New burdens: Higher fines for PECR breaches and new enforcement powers for the ICO. Given that the majority of ICO enforcement is currently under the £500k cap in PECR, this may be significant.
  • Maintaining parity: The Bill aims to keep parity with the EU GDPR, and this may assist the UK in maintaining its adequacy status.

The Bill is likely to proceed given the government’s majority, so businesses should start preparing for these changes.
