Four key changes in the DUA Bill every privacy professional needs to know

John Watson | June 11, 2025

The UK’s Data Use and Access (DUA) Bill (The Bill) is heading for royal assent and with it comes the most significant overhaul of UK privacy law since the introduction of the GDPR. While ministers frame it as simplification and growth-friendly, privacy professionals will need to adjust how they handle data rights, automation, and risk.

Here are the four key changes and what you’ll need to do about them.

1. New legal bases: “Recognised legitimate interests”

The Bill introduces a pre-approved list of “recognised legitimate interests”, including fraud prevention, national security, and safeguarding the economy. If your processing falls into one of these categories, you will no longer be required to carry out a legitimate interest balancing test.

This might sound like a shortcut, but it's not a free pass. Core principles such as transparency, fairness, and purpose limitation still apply. If you have been relying on consent or contract for certain processing because legitimate interest seemed too risky, it may now be worth reassessing that approach.

Review your privacy notices. You may need to reword or restructure parts that explain your legal basis. Revisit your Data Protection Impact Assessments and processing records to ensure they reflect the changes.

2. DSARs: More flexibility, but higher scrutiny

One of the most operationally useful changes is around Data Subject Access Requests (DSARs). The Bill introduces a less strict threshold for refusing or delaying responses. Instead of needing to prove a request is "manifestly unfounded or excessive", you may now reject or extend timelines if it’s deemed “vexatious or excessive”.

This will help with repeated or abusive requests. It also allows more time for complex cases. However, it comes with a catch. These terms are not clearly defined yet, and the ICO is expected to issue guidance soon. In the meantime, some uncertainty is inevitable.

If your organisation plans to use this flexibility, it will be important to:

  • Document your rationale
  • Train your staff to apply the threshold consistently
  • Maintain records of refusals and extensions in case of audit

This is not a blank cheque to shut down DSARs. If challenged, you will need to show you acted reasonably.

3. Automated decisions: Fewer restrictions, more responsibility

The Bill eases the restrictions on decisions made solely by automated means. Under the current UK GDPR, individuals have the right not to be subject to decisions made without human involvement if those decisions have legal or significant effects.

The updated Bill removes this barrier. Organisations will be able to carry out automated decision-making provided that:

  • There is a lawful basis for processing
  • Individuals are informed
  • Suitable safeguards are in place

This could open the door to broader AI usage, especially in areas like recruitment, credit scoring, and insurance. But those safeguards matter. You will need to define what counts as a “safeguard” in your context, whether it’s the ability to appeal, meaningful human review, or explanations about how the decision was made.

If your organisation uses profiling or automated tools, now is the time to:

  • Revisit your lawful basis
  • Update impact assessments
  • Make sure your documentation explains your safeguards clearly

4. Cookie rules and PECR penalties

The Bill also tweaks the Privacy and Electronic Communications Regulations (PECR), which govern cookies and direct marketing. Two major changes are worth noting.

First, the Bill allows certain non-essential cookies to be set without consent. This includes those used to improve website functionality or security, although the exact scope will need clarifying. Second, PECR fines are set to rise, aligning with UK GDPR levels. That means breaches could now attract penalties of up to £17.5 million or 4 percent of global turnover, whichever is higher.

For most organisations, this means:

  • Re-auditing your cookie usage
  • Reworking consent banners and user options
  • Making sure analytics and tracking are categorised correctly

With increased enforcement risk, especially as the ICO steps up cookie monitoring, even small errors could become expensive.

Final thought

The Bill is more than a regulatory update; it signals a shift in the tone of UK privacy law toward use, speed, and innovation. But that does not mean trust, fairness, and accountability can fall by the wayside.

As a privacy professional, your role is about to get more nuanced. You may have more room to move, but also more pressure to show your working. Your records, impact assessments, and training will need tightening. And your comms will need to be sharper, especially when explaining rights to the public.

Now is the time to get ahead of these changes. Review your processing activities. Refresh your notices. Get your DSAR playbook in order. Because once the Bill becomes law, the organisations who have done the groundwork will be the ones who stay out of trouble.