The Data (Use and Access) Bill: Where do we stand right now? (May 2025)
The Data (Use and Access) Bill, introduced in the House of Lords in October 2024, is a new piece of legislation proposed by the government with the aim of cutting out much of the “red tape and pointless paperwork” that they feel are stopping businesses from using data effectively under GDPR.
The primary aims of the bill are to:
Grow the economy: The government estimates that the Data (Use and Access) Bill will bring a £10 billion boost to the UK economy over the next 10 years. This will be partly due to the use of new Smart Data powers and the National Underground Asset Register, which will drive growth by improving the way consumers and businesses can safely share data to help make better-informed decisions.
Improve public services: This will be achieved in 2 main ways. First, subject access procedures will be simplified, freeing up time for sectors such as law enforcement – an estimated 1.5 million hours per year. Second, information protocols in the NHS and adult social care sectors will be standardised. This will result in an overall lower administrative burden and, in turn, improved patient care. It is estimated that this alone will save an additional 140,000 hours per year.
What are the key changes that your business needs to be aware of?
While the Data (Use and Access) Bill is still undergoing parliamentary review, it’s vital that your business is aware of the potential incoming changes and reviews its current procedures to ensure that you’re ready for when the bill comes into effect:
Data subject rights: There are a few changes to specific data subject rights to be aware of:
- Right to access: When a Subject Access Request is made, companies have 30 days from confirmation of the request to comply with it. Under the Data (Use and Access) Bill, companies will have the ability to stop the clock on requests if more information is needed. In addition to this, requests can now be denied if they could be considered unreasonable or disproportionate.
- Right to data portability: Direct sharing of data between certain organisations or regulated third parties will be permitted. This will facilitate sharing of data for investigations where there is concern for an individual or regulatory investigation.
- Right to be informed: Whenever personal data is being collected, the full details of the data controller must be provided. This will most likely come in the form of a privacy notice that is always available. In addition to this, in instances where data is collected by a third party, details on the data controller must be provided to the data subject without undue delay.
Complaints to the Information Commissioner’s Office: Under UK GDPR, data subjects have the right to complain directly to the ICO about the processing of their personal data. Under the Data (Use and Access) Bill, they will now have to complain to the data controller first, and if not satisfied with the response, then complain to the ICO. The aim of this is to reduce the number of complaints the ICO gets, meaning more focus can be put on the most serious complaints.
Organisations will also be required to establish new processes to ensure that they can respond to complaints within 30 days, and all complaints must be kept on record.
In addition to this, there are plans for the ICO to be replaced by an Information Commission, which will function similarly to other regulatory bodies such as OFCOM and the FCA.
Soft opt-in for marketing for charities: Charities will be able to rely on soft opt-in for electronic marketing as long as the following conditions are met:
- The data is being used for marketing only by the charity, no third parties.
- The data was collected when interest for support was expressed by the individual.
- An opt-out mechanism is provided with every marketing communication.
For more information about this and the impact it could have on charities, we have another blog post on this with even more detail.
Legitimate interest and direct marketing: Legitimate interest will be accepted as a lawful basis for direct marketing purposes. In addition to this, there will be certain instances where legitimate interest will be pre-approved, meaning a legitimate interest assessment (LIA) won’t be required. These are:
- Disclosures to public bodies where it is believed that personal data is necessary to fulfil a public function.
- Disclosures for national security or defence purposes.
- Disclosures for the detection or prevention of crime, or for safeguarding vulnerable individuals.
It’s important to keep in mind that despite this, direct marketing laws under the Privacy and Electronic Communications Act still apply. As part of the Data (Use and Access) Bill, the maximum penalties for PECR infringements will also increase to match UK GDPR, which is up to £17.5 million or 4% of annual turnover.
Spam emails and text messages: The penalties for sending spam emails and text messages are getting harsher. Enforcement action will now be based on the number of messages sent, rather than how many were successfully delivered. The risk for partaking in unlawful marketing of this nature will be much greater as a result.
Special category data: New types of special category data will be introduced, such as “neurodata”. This is any data gathered from technology that interacts directly with the human brain or nervous system, such as smartwatches. If your organisation processes this type of data, you’ll need to make sure the necessary security provisions are in place for it.
Website cookies: Websites will be permitted to drop cookies without consent if they are for the purpose of site analytics or site optimisation. An opt-out will still need to be provided though. The benefit of this is that website owners will be able to more effectively track user activity to improve the user experience of the site, without the need for consent.
What is the current state of the Data (Use and Access) Bill?
Since being introduced in the House of Lords in October 2024, the Bill has passed through both the Lords and the House of Commons and is now at the amendment stage. This is the final stage before it is sent for royal assent, which will then officially make the Bill an act of Parliament. Right now, it seems that the expectation is for the bill to come into force in early 2026.
The most recent developments are surrounding the use of AI systems and the rights afforded to companies when training AI models. The main source of opposition has come from the creative industry, where artists are worried about how their content may be used to train models. More on this later…
Public response to the Data (Use and Access) Bill
The intentions behind the Data (Use and Access) Bill are clear. However, there has been a reasonable amount of public response and backlash to it, particularly from those in both the privacy industry and the creative industries:
Privacy concerns: Many privacy campaigners have raised concerns about certain provisions that could allow the government to use personal data for political campaigning, which they feel would undermine democratic processes and erode public trust.
While not directly detailed in the Bill, campaigners from the Open Rights Group feel that new laws would give the Secretary of State the ability to determine how personal data was used to target political campaigning, which would give an advantage to the ruling party over opponents. This is because, at the moment, a risk assessment in which the use of personal data is balanced with the rights of individuals would have to be completed, whereas under the Bill this wouldn’t be required with the same level of parliamentary scrutiny as other legislation.
Creative industry opposition: Many prominent individuals in the creative space, such as Sir Paul McCartney and Sir Elton John, have publicly opposed certain provisions in the bill surrounding AI companies, which they feel allow those companies to use artists’ work to train AI models without proper consent or compensation.
Partially due to this, an amendment was passed in the House of Lords which will require AI companies to disclose their use of copyrighted content. Due to the nature of generative AI systems, how they could theoretically be used in creative spaces, and the impact that would have on individuals, this is something that will always be heavily scrutinised.
Next steps
Ensuring that you handle and process personal data in a way that’s in line with the law is tough, even before you consider potential future legislation that’ll make you have to re-review your processes to be confident that you’re compliant. If you have any concerns, contact PRIVACY HELPER now and let us remove the stress of managing data compliance in your business.