London, UK – The Data (Use and Access) (DUA) Bill has successfully navigated both Houses of Parliament and now stands on the precipice of becoming law, awaiting Royal Assent. The Bill was passed on 11 June 2025, signalling a potential evolution in the UK’s post-Brexit data protection landscape, building upon the foundations of the UK GDPR while introducing new nuances, particularly concerning international data transfers and organisational compliance.
For small business owners, freelancers, digital marketers, and website operators across the UK, the Data (Use and Access) Bill represents the government’s continued commitment to forging an independent data protection regime. This regime is distinct from the EU GDPR. While the core principles of data protection remain steadfast, the anticipated Act aims to streamline processes, foster innovation, and clarify requirements. It offers both opportunities and new considerations for compliance.
A New Chapter for International Data Transfers
One of the most keenly anticipated areas of change under the proposed Data (Use and Access) Act is the framework for international data transfers. Since Brexit, UK organisations have navigated the complexities of cross-border data flows under the UK GDPR. These largely mirrored the EU’s mechanisms. The Data (Use and Access) Bill is expected to introduce a more distinctly UK-centric approach. It aims for greater flexibility without compromising data security.
The fundamental principle of ensuring adequate protection for personal data transferred outside the UK will remain. However, the Data (Use and Access) Act could streamline the process for assessing destination countries. This might involve a more risk-based approach to determining ‘adequacy’ for certain jurisdictions or specific data flows. It could potentially reduce the administrative burden for some transfers.
Furthermore, the Act is expected to clarify and potentially expand the use of alternative transfer mechanisms. Examples include revised Standard Contractual Clauses (SCCs) tailored specifically for the UK, or new mechanisms designed to facilitate transfers to a wider range of countries under appropriate safeguards. For UK businesses engaged in global trade, using cloud services hosted abroad, or collaborating with international partners, these changes could lead to a more predictable and perhaps less onerous compliance pathway. However, due diligence on destination country laws must still be robustly conducted.
New Requirements for UK Organisations
Beyond international transfers, the Data (Use and Access) Bill is anticipated to introduce other updates designed to refine UK data protection practices:
- Refined Accountability Frameworks: The Act may offer clearer guidance or more proportionate measures for demonstrating accountability. The requirement to implement appropriate technical and organisational measures will persist. However, the Data (Use and Access) Act could provide more tailored approaches for small and medium-sized enterprises (SMEs). This could help them meet these obligations without disproportionate burdens.
- Streamlined ICO Powers and Enforcement: The Information Commissioner’s Office (ICO) remains the UK’s independent supervisory authority for data protection. The Data (Use and Access) Act is expected to clarify the ICO’s powers. It could potentially enhance its ability to issue guidance and promote compliance. It also aims to ensure a balanced approach to enforcement.
- Emphasis on a Risk-Based Approach: The Data (Use and Access) Act is likely to reinforce a truly risk-based approach to compliance, a core tenet of modern data protection. This means organisations will be encouraged to focus their resources on the greatest data protection risks, rather than treating compliance as a rigid tick-box exercise. For freelancers and small businesses, this could mean more intuitive compliance strategies. Yet, it also places a greater emphasis on understanding their specific data processing activities and associated risks.
- Clarity on Data Subject Rights (Potentially): Fundamental data subject rights (such as the right to access, rectification, erasure, and objection) are unlikely to be fundamentally altered. However, the Act might offer clarifications on their exercise or the procedures organisations must follow when responding to such requests.
Impact on Your UK Business
For small businesses, sole traders, and freelancers, the Data (Use and Access) Act presents a call to action. While it doesn’t dismantle the UK GDPR, it necessitates a review of existing data protection policies. This is especially true for those related to international data transfers.
- Review Your Data Flows: Understand where your data is stored and processed, especially if it leaves the UK. If you use international cloud providers or process data via partners outside the UK, assess how the new transfer mechanisms apply to your operations.
- Update Policies and Notices: Be prepared to update your privacy notices, internal data protection policies, and terms of service. These updates should reflect any new requirements under the Data (Use and Access) Act once it receives Royal Assent and comes into force.
- Stay Informed on ICO Guidance: The ICO will undoubtedly issue updated guidance following the Act’s enactment. Staying abreast of these publications will be crucial for interpreting the new requirements. This helps ensure continued compliance.
- Maintain Accountability: Continue to document your data processing activities. Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing. Ensure robust security measures are in place. The Data (Use and Access) Act is likely to reinforce these core principles.
Digital marketers and website operators, in particular, should pay close attention to any implications for online tracking, analytics, and cross-border data sharing for advertising purposes. While the Data (Use and Access) Act is not expected to radically alter consent requirements for cookies, any changes to transfer mechanisms could affect how international advertising technology (AdTech) providers operate.
UK GDPR Jurisdiction: A Clear Distinction
It is vital to reiterate that the Data (Use and Access) Act is a piece of UK law, applying within the UK’s jurisdiction. It marks a further divergence from the EU GDPR, highlighting the UK’s ability to set its own standards post-Brexit while maintaining high levels of data protection. This Act aims to ensure the UK remains a trusted jurisdiction for data. It balances robust safeguards with an environment conducive to innovation and international trade.
As the Data (Use and Access) Bill awaits Royal Assent, organisations should begin to prepare for these anticipated changes. The focus remains on proactive compliance. Understand the new landscape and adapt data protection practices to align with the evolving legal framework. Staying informed will be your best defence against non-compliance. It is also your key to leveraging any new flexibilities the Act may introduce.