The Data (Use and Access) Bill has successfully made it through both Houses. On Thursday the 19th of June, it officially received Royal Assent, meaning it has now passed into law within the UK.
Whilst we still don’t have a definitive date on when the provisions within the law will come into effect, some provisions will come into force two or six months after Royal Assent, and others may take up to 12 months. Let’s dive into some of the commonly asked questions to understand what’s changing.
For more information, you can also watch our Data Use and Access Bill webinar on demand.
Will the DUAA replace the Data Protection Act, the UK GDPR, or the Privacy and Electronic Communications Regulations (PECR)?
No, the DUAA will not be replacing any existing legislation within the UK. Instead, the existing laws will be amended using the provisions within the DUAA. However, there are some pretty big changes that organisations need to be aware of and plan for.
What are the key changes with the DUAA?
The DUAA is going to support organisations in being more innovative when it comes to how they can use personal data and, in some circumstances, it will also make it easier. However, there are also some new requirements that you need to get ready for.
Using Data for Research Purposes
We have a new definition for ‘Scientific Research’ which expands its scope beyond non-commercial research to include research for commercial purposes. The challenge with research, and why you need to collect explicit consent up-front, is that the research and the purposes you use the data for can change over time.
The DUAA allows you to collect broader consent for multiple types of scientific research, even if you can’t articulate all the purposes at the time of collecting the consent. This allows you to use data for a longer period and for purposes which you may not have considered when the data was originally collected.
Lawful Basis for Automated Decision Making
If you use personal data to carry out automated decision making, you’ll have a larger range of legal bases which you can choose from, including legitimate interests. You still need to have appropriate safeguards in place, such as the ability to object, ensuring transparency through notices, and the ability for individuals to request human intervention. Importantly, this change doesn’t apply if you’re processing special category or sensitive personal data.
Cookie Rules
When you’re using cookies on your website or mobile apps for things like service usage analytics, emergency alert systems, adjustments for accessibility or improving your website, you’ll no longer need to get consent from visitors and users. This won’t change the need for you to tell individuals about those cookies, so banners and cookie notices are here to stay!
PECR Enforcement
The DUAA aligns the enforcement regime of the UK GDPR, DPA18 and PECR, meaning that the current cap of fines of £500,000 under PECR will now increase to the same level as the GDPR.
Information Commission, not Commissioner
In the UK, we have historically had an ‘Information Commissioner’, one individual who was responsible for regulating Data Protection and Freedom of Information in the UK. The DUAA looks to reform the ICO and instead creates the ‘Information Commission’, which will have a formal Board and CEO like many other organisations.
Recognised Legitimate Interests
The DUAA introduces the ability for ‘Recognised Legitimate Interests’ to be created for activities like protecting public security, public health, and crime prevention, amongst others. Having these means that when you're processing personal data for these recognised purposes, you won’t need to carry out a balancing test, or a ‘Legitimate Interests Assessment’ (LIA).
Soft Opt-In Extension for Charities
Previously, only commercial organisations had the ability to use the ‘soft opt-in’ under PECR, which allowed organisations to send email and text marketing to individuals if they had previously purchased similar goods or services from them. This will be extended to charities and not-for-profits, where individuals show support, donate or express an interest in the charity or its work.
Reasonable and Proportionate Searches
This change solidifies advice and guidance provided by the ICO for some time, so it’s positive to see it clarified in law. When it comes to Subject Access Requests (SARs), you are only required to make reasonable and proportionate searches when someone asks for their personal data.
Using Children’s Data
The DUAA explicitly requires that when you’re processing children’s personal data, including when you’re providing an online service, you must take their needs into account. If you’re complying with the ICO’s Age Appropriate Design Code (‘Children’s Code’), then you should be compliant with these new requirements already.
Data Protection Complaints Processes
This is a new, more explicit requirement about how Data Protection complaints should be managed and processed. For example, organisations must take steps to make it easy for individuals to make complaints about data protection, including by providing electronic forms on websites or applications. In addition, organisations will have 30 days to acknowledge a complaint with responses required ‘without undue delay’. We expect some further guidance from the Information Commission on this in due course.
We’re an organisation that operates both in and outside the UK, where do we start?
We recommend understanding the new requirements or changes that are applicable to your organisation, and then working out how you can benefit from some of the changes when you’re processing data of UK citizens. This might mean you have a slightly divergent approach to your Data Privacy Programme for the UK versus the rest of the world. However, where the DUAA relaxes a requirement, you can streamline your programme in the UK, such as reducing the number of LIAs you need to complete or using the soft opt-in if you’re a not-for-profit.
Equally, it may be preferable that you take some elements of the DUAA (like the need to have Data Protection Complaints Processes) while continuing to use the EU GDPR as your baseline. Adding in the new requirements gradually as you move towards the DUAA will help keep things simple, yet compliant.
Ultimately, there are lots of ways to manage it, but if you can take positives out of the changes from the new Act, you should try to.
How Can You Prepare for the DUAA?
The first thing that your organisation needs to do is understand the impacts of the DUAA and what they mean to you. You can start by asking yourself the following questions:
- Do we offer or market goods or services to, or monitor the behaviour of, individuals within the UK? If so, you’re caught by the new law.
- If you’re a charity or not-for-profit, do you currently use consent for marketing?
- If you offer an online service to children, can you be sure you’re complying with the ICO’s Children’s Code?
- Do you have a Complaints Procedure to handle Data Protection Complaints, with electronic forms available for individuals to use to raise their concerns?
These are just some of the things to consider, and we’d highly recommend that you undertake a gap analysis against the new requirements to ensure that you have the time and resources to embed new processes and procedures into your existing privacy programme.
Want more information?
To keep up to date with the changes and evolving guidance, you can also visit the Information Commissioner’s Office website.