The future of UK data privacy: A DPO’s perspective on the Data Use and Access Bill

The UK's Data Use and Access Bill focuses on digitisation and business growth over data protection. DPO Dom Newton breaks down what’s changing, including relaxed marketing rules and ICO restructuring. While still underway, businesses should start preparing now.

Published: 
March 19, 2025
Gry Josefine Løvgren
Content Specialist

Read more about the author

“It's a data use and access bill – it's not a data protection bill.  It is about promoting the use of data and almost getting data protection slightly out of the way so we can deploy AI and new technologies. The mood music on this is very much about growth and much less about data protection”.

These words from DPO Dom Newton from The DPO Centre set the scene in our recently held webinar about the Data Use and Access Bill – the UK's latest attempt of a data law. 

It is successor to the Data Protection and Digital Information Bill (DPDI), which never went into effect. 

We invited Dom for a chat because we wanted an explanation of the bill from a DPO, who has seen more than a few privacy programmes, and is experienced in advising UK based businesses across industries on data protection. 

The bill primarily focuses on greater digitisation of society and doesn’t introduce significant practical changes to the daily tasks of data protection practitioners, explains Dom. However, it does propose some changes that are worth discussing – the most significant being the change of the Information Commisioners Office (ICO) into an Information Commissioner, who would have to give more regard to the UK government's growth strategy. 

“That could give cause for concern and of course questions the regulator's independence,” he says.  

Marketing’s free pass?

Dom mentions three other changes that could impact the work of privacy professionals.

- Fewer restrictions on the use of automated decision making 

- Broadened scope of what will be seen as legitimate interests for processing personal data, where for instance direct marketing to a larger degree will be seen as a legitimate interest.

- Broader scope for secondary data processing, giving businesses more freedom to repurpose data for different uses.

Dom especially highlights the changed terms for marketing as something to keep an eye on.

“ I think it's going to lead to an impression of there being an open season for marketing teams to potentially run campaigns that we would have frowned on before. Anytime there is a perception of a diminution of privacy protections for customers, there is a risk that businesses think they can do what they like. And that isn't the case even with the new bill.  So there is still going to be a need to have difficult conversations and we are going to be challenged and sometimes people aren't going to listen to us. But hey –  that's the job.” 

How to prepare for the law: Three suggestions

Even though the bill is not yet passed, it is not too soon to prepare for it. Dom shares three pieces of advice for how businesses can prepare. 

“Start having conversations with the marketing team and set expectations,” he says. If marketing is going to send out more emails, then it becomes even more important to make sure that the marketing lists are healthy.

The legislation gives clearer guidance on how to repurpose data. And that is an opportunity to give the records of processing activities a closer look, and make sure they are compatible with the new guidance, he explains.

Last but not least, Dom emphasises that having access to practical, well-rounded advice is essential.

“This is going to be a moveable feast for a period of time, so it's important that you get good professional advice to support you in that journey and don't just try and do it all”.

System upgrades long overdue

According to Dom there is an eagerness to digitise and not necessarily a due regard to the long term privacy consequences. However, he does believe the bill will come with some positive changes.  Especially to the NHS.

“For anybody who's experienced the NHS in the last 15 years, I'll say that it is overdue. Systems need to talk to each other. They need to be better protected. You don't do that in creaking systems that are still potentially running on Windows XP. So there are things in the bill, which will hopefully be a net positive”.

On a final note, Dom says:

“Building a compliant data protection program is still a must. It is not an option extra. It drives customer trust as well as meeting compliance and regulatory obligations“.

The bill is expected to be passed around Easter.

Watch the full interview with Dom Newton here


Watch now

Want more articles likes this?

Sign up for our monthly newsletter, where we provide insights from experts, discuss the latest trends, learnings, and advice within the field of compliance. We also explore how we can reshape the way we think and organise around compliance, in order to pave a sustainable and viable path for processes.

Sign up here