The Data (Use and Access) Bill, or the DUA Bill for short, was introduced in October 2024. Its aims are to grow the economy, improve public service and make life easier.
To achieve these objectives, the DUA Bill contains modifications to UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. B P Collins’ corporate and commercial team explores some of the main points in the Bill.
- “Legitimate interests” is one of the legal bases under UK GDPR that organisations can rely on to justify their data processing activities. Currently organisations must carry out and document a formal assessment for each case when relying on this basis. However, the new legislation will soften this requirement by allowing exemptions in certain circumstances if the purpose for processing data is included on the new legitimate interest list. Some examples include intra-group transmissions (including employee and client data) for internal administration purposes and for ensuring security of IT systems.
- A new ‘applicable time period’ and procedure would be introduced for responding to data subject access requests, the right individuals have to ask an organisation if it is using or storing their data and to request copies of it. If the organisation is unable to respond until further information is provided, the timeframe can be paused until the information is given.
- The DUA Bill reflects case law specifying that organisations are only required to conduct reasonable and proportional searches of their systems when handling requests for information.
- The DUA Bill will also require a complaint to be made to the organisation or controller in the first instance, which can then be escalated to the Information Commissioner’s Office (ICO).
Data Protection (Charges and Information) (Amendment) Regulations 2025
Another key change took effect on 17 February 2025, with the implementation of the Data Protection (Charges and Information) (Amendment) Regulations 2025. This change introduces an increase to the charges payable to the ICO for organisations that process personal data and are not exempt.
The new data protection fees will be:
- Tier 1 (micro-organisations): £52 (previously this was £40).
- Tier 2 (small and medium organisations): £78 (previously this was £60).
- Tier 3 (large organisations): £3,763 (previously this was £2,900).
EU Adequacy Decision
Looking ahead, the EU’s adequacy decisions, which confirm that the UK has ‘essentially equivalent’ levels of data protection to the EU and allow for the free flow of data between the two regions without requiring additional documentation, are set to expire on 27 June 2025. It is hoped that a decision confirming a four-year renewal will be announced soon.
If you would like any assistance relating to data protection, please contact B P Collins’ corporate and commercial team at enquiries@bpcollins.co.uk or call 01753 889995.