The UK government is introducing significant changes to UK GDPR under the new Data User & Access Act (DUAA), which will affect all organisations. 

Headline changes under DUAA:

Privacy & Electronic Communication Regulation (PECR) including direct marketing. 

  • Penalties increased to £17.5m or 4% of global turnover (aligned with UK GDPR).
  • Low-risk cookies (e.g. for statistics/functionality) now exempt.
  • Notifications to the ICO for breaches extended from 24 hours to 72 hours, bringing them into line with UK GDPR.
  • Charities will now be able to use the soft opt-in for unsolicited direct marketing.

UK General Data Protection Regulation (UK GDPR)

  • Some relaxed restrictions for Automated Decision-Making (unless using special category data).
  • Restructure of the Information Commissioner’s Office (ICO) but enhanced enforcement powers for audits, appeals and decision making.
  • New ‘Stop the Clock’ rules, and searches for Subject Access Requests need only be ‘reasonable and proportionate’.
  • Broader consent for commercial research, such as scientific and statistical research.
  • A new ‘Lawful Basis’ for ‘Recognised Legitimate Interests’ particularly around safeguards.
  • Changes to International Data Transfers with adequacy standards changing to ‘not materially lower’ following a Data Protection test.
  • A new ‘Individual Right’ in the form of the Right to Complain about the use of Personal Data, to include new policies, procedures and online forms.
  • Data Protection by design: Children’s higher protection matters – specific new rules around design of child-accessible online services.
  • New clarification on Purpose Limitation where ‘further processing’ or ‘data reuse’ is compatible with the original purpose.

Other Updates: 

Clarifications on Digital Verification Services and Smart Data frameworks (may not apply to all organisations).

The ICO is not expected to publish formal guidance on most of these changes until later in 2025 or early 2026. That said, if your business hasn’t undergone a GDPR review in the past couple of years, now is a good time to ensure you are prepared. 

If you would like to discuss these changes further and how they might affect your business, or just want some more information about UK GDPR, please contact Julianne Green at JXG Management Solutions: julianne@jxgmanagementsolutions.co.uk