
Could the DUA Bill put UK adequacy at risk? 

Privacy Culture | June 19, 2025

What privacy professionals should do now

The UK’s Data Use and Access (DUA) Bill is being presented as a modernisation of the country’s data protection framework. Ministers argue it will simplify processes, promote growth and cut unnecessary bureaucracy. But from a European perspective, these reforms could push the UK further from GDPR standards. That is where the risk lies.

The EU has extended the UK’s adequacy decision until December 2025, explicitly to give time to see how the DUA Bill beds in. This was not a signal of comfort. The European Commission and the European Data Protection Board (EDPB) have been clear: if the UK diverges too far, adequacy is at risk.

Why adequacy matters

Adequacy allows personal data to flow freely from the EU to the UK without extra safeguards such as Standard Contractual Clauses (SCCs). It is the foundation for smooth cross-border operations in thousands of organisations. Without it, UK companies will face new paperwork, legal complexity and cost.

If adequacy is lost:

  • SCCs or Binding Corporate Rules would be needed for every EU to UK transfer.
  • Transfer risk assessments would become mandatory.
  • Business partners in the EU may prefer to move data processing to within the EU.
  • UK suppliers could become less competitive.

In short, the stakes are high.

Where the concerns lie

Several elements of the DUA Bill are at the heart of EU unease:

  • Recognised legitimate interests: The Bill introduces a list of pre-approved interests where organisations would no longer need to carry out a balancing test between their interest and individual rights. This could be seen as weakening protections.
  • Automated decision-making: The Bill relaxes restrictions on decisions made solely by automated means. There is more scope for significant decisions without human involvement, provided safeguards are in place. The EU could see this as a step backwards on individual rights.
  • Ministerial powers: The Bill gives ministers wide discretion to mandate data reuse through smart data schemes, with few safeguards in the legislation itself. This could be viewed as introducing uncertainty over purpose limitation and fairness.
  • Onward transfers: The UK will adopt a softer standard for judging other countries' adequacy, moving from “essential equivalence” to “not materially lower” protection. The EU may see this as opening the door to riskier onward transfers.

These issues come against the backdrop of existing EU concerns about UK surveillance powers. Civil society groups, including Privacy International, EDRi and Statewatch, have written to the EU urging a full reassessment of adequacy. The EDPB has signalled that the December 2025 extension is a one-off.

What privacy professionals should do now

1. Map EU to UK data flows

If adequacy is lost, you will need safeguards for all EU to UK personal data flows. On Monday:

  • List where EU data enters your systems.
  • Identify which vendors and subprocessors process EU data in the UK.
  • Map data flows between your EU and UK offices or teams.

A clear map will help you move quickly if needed.

2. Review contracts

Scan your contracts for reliance on adequacy. Focus on:

  • Supplier contracts where EU personal data flows to the UK.
  • Customer and partner agreements that reference adequacy.
  • Vendor contracts that would need SCCs.

Prepare SCC templates now. Building in fallback clauses where possible will make the transition smoother.

3. Prepare for transfer impact assessments

If you need SCCs, you will also need to assess the risks of UK law from an EU point of view. That includes surveillance and divergence from GDPR.

Review any existing transfer risk assessments. If you do not have a template, create one now. Make sure your team understands the key concerns the EU would expect you to address.

4. Review notices and records

Update privacy notices so they explain cross-border data flows clearly. Review internal records:

  • Make sure processing records and DPIAs are up to date.
  • Check how you document recognised legitimate interests and automated decision safeguards.
  • Strengthen records that could be scrutinised in an audit or regulatory review.

5. Engage stakeholders

Adequacy loss will affect the business beyond privacy compliance. On Monday:

  • Brief senior management on the risk, timeline and potential costs.
  • Alert legal and procurement to the contracts most at risk.
  • Bring product and tech teams into the conversation about technical safeguards or rerouting.

This is not alarmism. It is practical preparation.

6. Monitor developments

Assign a lead to track:

  • EU Commission statements on adequacy.
  • EDPB guidance.
  • ICO advice on adequacy planning.

Add adequacy to your team’s standing meeting agenda. Staying informed will mean fewer surprises.

Final thought

The DUA Bill is designed to give the UK more flexibility. But that flexibility could cost UK organisations dearly if it leads to the loss of EU adequacy. The time to act is now. By mapping flows, preparing contracts and strengthening safeguards, privacy teams can protect their organisations against future disruption. The December 2025 deadline will come quickly. The organisations that plan ahead will be the ones that stay resilient.
