UK Data Protection Reform Bill Nears Royal Assent: What You Need to Know 2025
The UK’s Data Protection and Digital Information (No. 2) Bill, commonly called the Data Use and Access (DUA) Bill, has cleared Parliament and now awaits Royal Assent. Once approved by the King, it will become law, introducing the most substantial changes to UK data protection since Brexit.
This bill aims to make data regulation more innovation-friendly while maintaining privacy standards that align with GDPR principles — a critical balance as the UK’s EU adequacy status (which allows free data flow from the EU) is reviewed later this year.
Key Provisions of the Bill
1. Smart Data and Data Portability
The bill enables new “Smart Data” schemes, giving individuals greater control over their personal data. Consumers can direct organizations (e.g., banks, telecoms) to securely share their data with third parties in real time. This expands on concepts like Open Banking and may soon apply to other sectors.
2. Scientific Research Exemptions
The bill broadens the definition of scientific research and allows reuse of personal data without requiring fresh privacy notices — provided proper safeguards are in place. Individuals can also give “broad consent” for future, not-yet-defined research uses. These changes aim to support academic and commercial research while maintaining protections.
3. ICO Becomes the Information Commission
The Information Commissioner’s Office (ICO) will transition to a board-led “Information Commission”. The new body will include executive and non-executive members, increasing transparency and governance. Organizations must also implement processes to handle complaints before individuals can approach the Commission — a shift toward internal resolution.
4. Clarified DSAR Rules
Data Subject Access Requests (DSARs) can now be handled using a “reasonable and proportionate” approach. Controllers can extend response timelines for complex requests, reducing the compliance burden. This clarification supports efficiency while maintaining data subject rights.
5. Cookie and Marketing Changes
Consent for certain non-intrusive cookies (like analytics) will no longer be required, reducing banner fatigue for users. However, fines under the Privacy and Electronic Communications Regulations (PECR) will rise to GDPR levels, signaling stricter enforcement.
What This Means for Privacy Professionals and Students
For privacy students, the bill serves as a key illustration of how the UK is diverging from, though not abandoning, the EU GDPR. While the core principles remain aligned, the UK is adopting a more tailored approach that includes simplified compliance for research purposes, enhanced consumer control, and a modernized regulatory structure. Important study points include understanding the new smart data portability rights, expanded exemptions for scientific research, changes to the structure and powers of the Information Commission, and updates to DSAR and cookie rules. Although the final text and effective dates of the law will be confirmed after Royal Assent, privacy professionals should start preparing now by updating privacy notices, complaint procedures, and compliance documentation.