Yesterday, the Data Use and Access Bill officially became law after receiving Royal Assent. And while it’s not quite the seismic data reform that’ll have compliance teams scrambling, there are a few bits worth knowing - especially if you’re already juggling UK GDPR, DPA 2018, and PECR compliance.
Here’s our take on what’s changed and why it matters (even if just a little), especially if you're keeping an eye on UK data protection law changes in 2025:
The fines under PECR (that’s the one that deals with marketing and cookies) are now aligned with the UK GDPR. That means significantly larger potential penalties of up to £17.5 million or 4% of global turnover.
Why does this matter? Because there’s often more enforcement activity under PECR marketing rules than under UK GDPR compliance, especially when it comes to cookie consent and marketing campaigns. If you’re cutting corners on consent or cookies, this is your gentle nudge to revisit those practices.
A handful of processing activities are now officially classed as recognised legitimate interests, which means you no longer need to go through a full Legitimate Interests Assessment (LIA) for them. That’s one less form to fill in, but only if you were doing it by the book to begin with.
If you’ve ever asked “Do I still need to complete LIAs in 2025?” this change is for you.
Unless your automated decision-making involves special category data (think health, religion, etc.), you’re no longer caught by the same restrictions. Most businesses won’t notice the difference, but it simplifies things slightly for those using automation in decision-making flows.
This puts the UK on a slightly different footing from the GDPR automated decision-making rules still enforced across the EU.
The updates here are subtle but helpful:
It’s a small but meaningful update for organisations that regularly deal with Subject Access Requests (DSARs) in the UK.
The Bill introduces some minor exceptions for low-risk cookies, i.e. those that aren’t intrusive. But don’t bin your cookie banners just yet, as the UK cookie consent rules in 2025 still expect transparency and an easy opt-out.
Another nudge to stay on top of your PECR compliance checklist.
This one’s niche - unless you’re a research-heavy org or handling data for academic projects, it likely won’t move the needle for you. But if it does apply, it's a welcome bit of clarity for the scientific research provisions in UK data law.
Honestly, the Bill itself isn’t a game-changer. But its passing is part of the UK’s ongoing attempt to “evolve” its post-Brexit UK data privacy law without jeopardising its adequacy decision with the EU. And with side-eyes already being cast over things like the UK’s interest in encrypted communications (cough Apple cough), we’ll be keeping an eye on how these developments sit with our friends in Brussels.
If you’re wondering “Does the new data law affect GDPR compliance?” - it probably doesn’t, at least not drastically. But it’s another piece of the puzzle. And if you’re dealing with PECR, DSARs, or legitimate interest-based processing, it’s worth a second glance.
We’ve got you. Whether it’s UK GDPR compliance, marketing campaign reviews, or making sense of the latest UK data protection law updates, you can contact us here.