The DUA Bill: What It Means for UK Businesses
Caine Glancy - Data Protection Support Manager
The Data (Use and Access) Bill is set to reshape key parts of UK GDPR and PECR in 2025. This article breaks down what the DUA Bill means for UK businesses, covering changes to SAR handling, cookie consent, AI use, and more. Whether you’re in compliance, IT, or marketing, this guide explains what’s changing and what you should do now to stay ahead.

The Data (Use and Access) Bill (DUA Bill) is the UK government’s latest step in reforming data protection law. Replacing the shelved DPDI Bill, the DUA Bill is expected to become law in 2025 and will bring targeted updates to the UK GDPR and PECR, without replacing the current framework.
Its aim is to simplify compliance, support innovation, and ensure personal data remains protected. Here’s what businesses need to know.
Key Changes Introduced by the DUA Bill
Legitimate Interests
Recognised legitimate interests such as safeguarding, fraud prevention, and network and information security will no longer require a balancing test. The Bill also clarifies that common activities such as direct marketing and internal administration can rely on legitimate interests as a lawful basis.
Automated Decision-Making & AI
The existing ban on solely automated decision-making producing legal or similarly significant effects is relaxed under the Bill for non-sensitive personal data. Organisations may use AI tools to make such decisions, provided individuals are:
- informed that an automated process is being used, and
- given the opportunity to request human intervention or challenge the outcome.
Additional safeguards remain in place for decisions involving special category (sensitive) data or those with significant legal impact.
Subject Access Requests (SARs)
Controllers can pause the response clock while awaiting clarification and are only required to carry out reasonable and proportionate searches. Refusals must still meet the ‘manifestly unfounded or excessive’ threshold.
Cookies & PECR Reform
Consent will no longer be required for low-risk cookies, such as those used for analytics and personalisation, although users must still be informed and able to opt out. Marketing cookies will still require opt-in consent. Fines for PECR breaches will rise to UK GDPR levels.
Internal Complaints Process
All organisations must implement a formal process for handling data protection complaints. A complaint must be acknowledged within 30 days, and an individual is expected to use this process before escalating the issue to the ICO.
ICO Restructure
The ICO will become a multi-member Commission with stronger enforcement powers, including mandatory interviews and the ability to demand compliance reports.
Smart Data Schemes
Expect sector-specific rules that allow consumers to securely share data between providers, starting with regulated sectors like energy and finance.
Digital Identity Services
A framework for certified digital ID providers will be introduced, with a new government trustmark to improve adoption and public confidence.
What You Should Do Now
- Review Your Legal Bases: Check if your data use fits a recognised legitimate interest. Update your privacy notices and documentation accordingly.
- Simplify Cookie Consent: Prepare to remove banners for analytics cookies and update your cookie policy to reflect the new opt-out model.
- Update SAR Handling: Ensure your team understands the new rules around response deadlines and proportionate searches.
- Set Up a Complaints Process: Build a clear internal pathway for privacy complaints and train staff on how to escalate them.
- Review Use of AI and Automation: Add transparency statements and human review options where decisions affect individuals significantly.
- Refresh Training: Brief your team on what’s changing. Focus on marketing, data requests, cookie practices and AI tools.
- Stay Informed: The DUA Bill is likely to become law this year. Subscribe to ICO updates and be ready to act when commencement dates are confirmed.
Frequently Asked Questions (FAQs) about the DUA Bill
What is the DUA Bill?
The DUA Bill is a UK data reform law updating parts of UK GDPR and PECR to support innovation while maintaining privacy protections.
How does the DUA Bill affect businesses?
It reduces admin burdens (e.g. SAR handling, cookie consent) while introducing new duties like internal complaints processes and stronger ICO powers.
Will GDPR be replaced?
No. The DUA Bill updates the existing framework. UK GDPR and the Data Protection Act 2018 remain in place.
Do I still need consent for analytics cookies?
No, consent won’t be required for low-risk cookies under the DUA Bill. You must still inform users and allow opt-outs.
Do I still need a DPO?
Yes. If your organisation already requires a DPO under UK GDPR, that requirement remains.
When will the DUA Bill take effect?
It is expected to pass into law in 2025. Provisions will come into force gradually, so businesses should begin preparations now.
Need help preparing for the DUA Bill?
Our team at Data Protection People supports organisations across all sectors. Whether you need help updating your policies, reviewing your SAR process, or preparing your staff, we’re here to guide you through the changes.