The new Data (Use and Access) Bill is pitched as a smarter, slimmer take on the UK GDPR, one that champions innovation and trims the bureaucratic fat. It promises a more agile approach to data use, especially across public services and the digital economy.
This bill replaces the withdrawn Data Protection and Digital Information (No.2) Bill, carrying forward many ideas with some fresh additions. While ministers claim it enables smarter data use, privacy experts remain cautious, with some outright critical.
There’s potential here: faster collaboration, streamlined compliance, and better data outcomes. But the risks are real and demand attention.
The cost of making data easier to share
The bill aims to make it easier for organizations to legally access and share data, particularly for public services, research, or societal benefit.
It proposes:
- Recognized data intermediaries: Organizations that act as certified go-betweens to help share data securely and lawfully.
- Simplified rules for research: A more straightforward legal basis for scientific and tech-based data processing, even for private sector work.
This opens the door for local authorities, health bodies, and researchers to collaborate more effectively, but only if the right guardrails exist, and arguably they currently don't.
Privacy advocates are already raising red flags. With broader sharing powers and fuzzier legal definitions, there's a risk of mission creep, where data ends up used for purposes far removed from what individuals originally consented to.
Rights versus responsibilities: Who gains?
The bill tweaks how organizations respond to individual rights under data protection law. Two big changes are:
- Tightening Data Subject Access Requests (DSARs): Organizations could refuse or limit responses to DSARs deemed "vexatious" or "excessive."
- More transparent data sharing: A push for clearer public disclosures about when, why, and how organizations share personal data.
For smaller organizations, this could ease the compliance burden, but critics warn it may tip the scales too far in favour of data controllers, especially if individuals struggle to assert their rights or get transparency around how data is used.
One thorny proposal is the potential rollback of protections against fully automated decision-making. If Article 22 safeguards disappear, individuals could be on the receiving end of high-impact decisions, like credit rejections or job screening, with no way to contest them. That should be a major concern for anyone worried about bias, transparency, or accountability in AI-driven systems.
Cutting red tape but not corners
The UK government isn't alone in trying to lighten the load. The European Commission recently confirmed it will propose GDPR simplification measures for SMEs by June 2025, as part of its push to reduce red tape across Europe.
The bill proposes making it optional, in some cases, for organizations to:
- Maintain records of processing activities (ROPAs).
- Conduct data protection impact assessments (DPIAs).
It doesn't scrap the need for a data protection officer (DPO) where already required and avoids previous attempts to rename the role.
While fewer forms might seem like a relief for privacy teams, treating this as permission to downplay governance would be risky. Both DPIAs and ROPAs remain among the best tools for spotting risks and managing data practices.
The smart move? Keep using them, but make sure they’re integrated into day-to-day operations.
Four flashpoints to watch
The bill has triggered debate for good reason. The areas generating the most concern are:
- Expanded ministerial powers: The Secretary of State would gain sweeping powers to rewrite core parts of data law via secondary legislation without full parliamentary debate. Some experts are calling this a "Henry VIII clause," warning it sidelines democratic scrutiny.
- Public sector data sharing: The bill appears to loosen restrictions on how public bodies share data, potentially bypassing GDPR-style compatibility assessments. Without robust checks, trust in government data use could quickly erode.
- EU adequacy at risk: The bill's divergence from GDPR principles could endanger the UK's data adequacy status with the EU. If revoked, UK organizations would need Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to maintain EU-UK data flows. The European Commission has extended adequacy until December 2025, buying time but not certainty.
- The algorithm question: As mentioned earlier, rolling back protections on automated decision-making is particularly contentious. These safeguards ensure human intervention in high-stakes decisions. Weakening them threatens fairness and individual agency in an increasingly automated world.
What should you be doing now?
The bill is at the Report stage in the House of Commons (as of April 10, 2025). But you don’t need to wait for Royal Assent to start preparing. Here’s what makes sense right now:
- Keep running DPIAs and maintaining ROPAs even if they’re no longer mandatory. They’re still best practice and may be your best defence.
- Review your DSAR handling processes, particularly your definitions of “vexatious” or “excessive,” to make sure they’re fair and justifiable.
- Map your data-sharing arrangements, especially with public bodies, to anticipate any shifts in legal basis or documentation.
- Stay plugged into UK-EU adequacy discussions and build contingency plans in case the current data transfer status changes.
- Upskill your teams on what’s coming. Make sure your privacy champions, legal teams, and tech stakeholders understand the implications and aren’t caught off guard.
The Data (Use and Access) Bill signals a new direction in the UK's digital agenda, prioritizing speed, flexibility, and economic growth, but that shift brings trade-offs. With final stages underway, the window for influencing this bill is closing rapidly. Organizations that act early will navigate what's ahead. Those that wait risk falling behind.