This informal CPD article, ‘Data Use and Access Bill – What’s Changing in UK Data Protection Law’, has been provided by Jess Pembroke, Director of Information Law Services at Naomi Korn Associates, a UK-based leader specialising in copyright, data protection and licensing.
As of May 2025, the Data Protection and Digital Information Bill is in its final stages in Parliament, currently undergoing Consideration of Amendments. This phase allows both Houses to review and agree on any changes made during the legislative process. Once this stage is complete, the Bill will proceed to Royal Assent, at which point it will become law.
This signals that organisations should begin preparing for implementation, reviewing their data governance frameworks, and ensuring staff are trained and compliant with the upcoming changes.1
1. Automated Decision-Making
Restrictions on automated decisions will now only apply when Special Category Data is involved, enabling broader use of AI and profiling tools.
2. PECR Fines
Fines for breaches of the Privacy and Electronic Communications Regulations (PECR) will increase to £17.5 million or 4% of global turnover, aligning with UK GDPR penalties.
3. Cookie Consent
Cookies used for analytics or automatic updates will no longer require user consent, simplifying compliance for website operators.
4. Digital Identity
A new framework will allow individuals to verify their identity online securely—streamlining processes like job applications or accessing public services.
5. Legitimate Interests
In specific scenarios (e.g., national security, safeguarding), organisations will be exempt from conducting Legitimate Interests Assessments (LIAs).
6. Complaints Handling
Organisations must implement a clear, 30-day complaints process for data concerns and may be required to report complaint volumes to the Information Commissioners Office (ICO).
7. International Data Transfers
A new test will assess whether data protection in a recipient country, or by the international organisation, is not materially lower than UK standards, offering more flexibility for global operations.
8. Smart Data Schemes
Consumers will be able to securely share their data with authorised third parties for services like automated switching and personalised comparisons.
9. Digital Birth and Death Registers
The Bill will digitise the registration of births and deaths in England and Wales, replacing paper-based systems.
10. Online Safety
The Bill will amend the Online Safety Act 2023 so that data can be requested from online platforms in cases involving the death of a child, supporting investigations into online harms.
11. Information Commissioners Office Reform
The ICO will be restructured with a Chair, CEO, and non-executive board, and will operate under a clearer statutory framework with enhanced enforcement powers.
12. Charity Marketing
The Bill will update direct marketing laws meaning charities can rely on exemptions to send marketing for supporter engagement.
Next steps
Engaging in Continuing Professional Development (CPD) is crucial for staying ahead in a rapidly evolving legal landscape. CPD offers a structured approach to learning that helps professionals:
- Improve and update their skills
- Stay informed about legal and technological changes
- Achieve long-term career goals
Take a look at data protection and information law courses to ensure you're fully prepared for these changes.
We hope this article was helpful. For more information from Naomi Korn Associates, please visit their CPD Member Directory page. Alternatively, you can go to the CPD Industry Hubs for more articles, courses and events relevant to your Continuing Professional Development requirements.
References:
- https://bills.parliament.uk/bills/3825
