The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
In Brief:
- The DUAA is a new Act of Parliament that updates some laws about digital information matters.
- It changes data protection laws in order to make things easier for organisations, while still protecting people and their rights.
- Most of the changes offer you an opportunity to do things differently, rather than requiring you to make specific changes to comply with the law.
- The changes will be phased in between June 2025 and June 2026.
How might the DUAA make things easier?
The DUAA might make things easier for you in the following ways:
New ‘recognised legitimate interests’ lawful basis: when you use personal information for certain ‘recognised legitimate interests’, it removes the need for you to balance the impact on the people whose personal information you use against the benefits arising from that use.
Disclosures that help other organisations perform their public tasks: it allows you to give personal information to organisations such as the police, without having to decide whether that organisation needs the information to perform its public tasks or functions. Instead, the organisation making the request is responsible for this decision.
Assumption of compatibility: it allows you to assume that some re-uses of personal information are compatible with the original purpose you collected it for, without having to do a compatibility test. This includes disclosing personal information for the purposes of archiving in the public interest, even if you originally only got consent for a different purpose.
‘Soft opt in’ for charities: if you’re a charity, it allows you to send electronic mail marketing to people whose personal information you collect when they support, or express an interest in, your work, unless they object.
Subject access requests (SARs): it makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal information.
Making things clearer: it improves the way the law is written and structured to make it easier for you to follow and apply, but without materially changing how you can use personal information. For example:
- it clarifies that direct marketing can be a legitimate interest; and
- it rewords the test you need to apply when transferring personal information outside the UK.
Are there any new requirements for you to meet?
Children and online services: if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account when you decide how to use their personal information. You should already satisfy this requirement if you conform to the ICO’s Age appropriate design code (AADC).
Data protection complaints: if you don’t already do so, the DUAA requires you to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. You also have to acknowledge complaints within 30 days and respond to them ‘without undue delay’.
If you have any questions or queries about the DUAA or any other aspect of data protection law, don’t hesitate to contact the Corporate and Commercial team.
