Anticipating the Data (Use and Access) Bill: A Guide for Privacy Professionals
The Data (Use and Access) Bill [HL] is currently making its way through Parliament, and it proposes significant changes to data protection in the UK. It’s vital for privacy professionals to start understanding these potential shifts. This is not a simple update; it’s a re-think of fundamental concepts which may have a large impact on how you work. Below are some key changes to watch for, along with their potential impact:
One significant area is the proposed new definition of 'research'. This could be broader than the current definition, potentially including commercial and private research that is deemed to be in the public interest. Organisations will need to carefully review their activities that could be classed as research and assess them against the new definition. The Information Commissioner has noted the emphasis on ‘public interest’ and will offer guidance on this.
Automated decision-making (ADM) is another area under scrutiny. The bill, as it stands, removes the general restriction on ADM that has a legal or similarly significant effect, facilitating such processing, subject to specific safeguards. The ICO believes this approach strikes a good balance, but there is an ongoing debate about whether a general restriction should remain. Privacy compliance automation solutions may play a key role in helping organisations adapt to evolving ADM regulations, ensuring that policies remain aligned with new requirements. It's essential to be aware of these discussions and their potential impact on future legislation.
Proposed changes to data transfers mean that the way you move data outside the UK may also need to change. There is a ‘data protection test’ which will need to be met, and organisations should be prepared to audit their international data flows and make necessary adjustments. This test considers human rights and the rule of law in the recipient country or organisation. Cross-border data transfer compliance frameworks may need updating to reflect these shifts, ensuring businesses remain compliant when operating internationally.
Data subject rights will likely be affected, with individuals being entitled to information from a "reasonable and proportionate search". Organisations may have to amend their access request policies and be able to justify their actions. Data subject access requests (DSAR) management will be crucial in efficiently responding to these new requirements while maintaining compliance with transparency obligations. The proposed changes also give more scope to limit data access for research and archiving, but this is not an excuse to refuse legitimate requests.
If your organisation works with children's data, the proposed ‘higher protection matters’ will be key. It's important to consider any new guidelines that come into force. There are also planned changes for charities regarding the use of soft opt-ins for direct marketing. Charities should be aware that relying on legitimate interests will require careful assessment and balancing against individual rights.
The Information Commissioner's powers and responsibilities are also set to change, with new regulations relating to web crawlers and codes of conduct. The ICO will be required to produce new codes of practice on automated decision-making, AI, and ed-tech. Data governance solutions will play an important role in helping organisations maintain structured compliance as these changes unfold. The Information Commissioner also has an obligation to create a strategy and consult other regulatory bodies.
Anticipated Actions
- Monitor: Keep an eye on the progress of the bill through Parliament and be ready for changes.
- Prepare: Audit your data processes, especially in the areas of research, ADM, international data transfers, and data access.
- Consult: Engage with government, the ICO, and your own industry bodies to ensure that you are up to date with any new information.
- Evaluate: Be ready to evaluate your policies and procedures against any new regulations that may arise. Data retention policy management strategies may need revision to align with emerging legal requirements.
- Document: Ensure you are keeping accurate and up-to-date records to evidence that you comply with current and future regulations.
The Data (Use and Access) Bill represents a potential change to the data protection laws in the UK. Staying informed and keeping ahead of these changes will help ensure that your practices align with the proposed rules.