Katherine Evans | Senior Partner

The UK’s data protection landscape is undergoing significant transformation with the progression of the Data (Use and Access) Bill through Parliament. Officially titled the Data Protection and Digital Information Bill, this legislation is increasingly referred to as the Data (Use and Access) Bill to reflect its evolving scope.

The third reading in the House of Lords in February 2025 introduced notable amendments:

• Children’s Data Protection: A government amendment was agreed upon to enhance protections for children’s personal data, ensuring online services likely to be accessed by children are designed with their safety and privacy in mind.
  
  
• Deepfake Offences: An amendment introduced offences related to the creation and solicitation of non-consensual intimate deepfake images, reflecting growing concerns over digital impersonation and privacy violations.

Following these developments, the bill proceeded to the House of Commons, where further scrutiny and amendments occurred. Some of the non-government amendments made in the Lords were overturned, while others, particularly those concerning deepfake images, were retained with modifications.

At present, the bill is in the ‘ping pong’ phase, with the House of Lords considering amendments made by the Commons. This stage involves both Houses negotiating to reach consensus on the bill’s final content.

While the bill is still under parliamentary consideration, it’s a good time for businesses to understand what’s likely to change – and what isn’t:

• Data Governance: The bill proposes reforms to streamline data use for businesses while maintaining privacy standards.

One of the bill’s goals is to reduce what the government sees as unnecessary “box-ticking” for organisations, particularly SMEs. This includes provisions to remove or simplify certain record-keeping and impact assessment requirements for low-risk processing. While the overall intention is to cut red tape, it’s still essential that businesses maintain good internal data governance practices – especially when handling sensitive or high-volume data – to avoid compliance risks as enforcement practices evolve. In particular, organisations should ensure that any simplifications to reporting don’t lead to a weakening of accountability mechanisms internally.

• Digital Identity: It introduces a trust framework for digital identity verification, aiming to standardise and facilitate secure online interactions.

For businesses that rely on verifying customer identities, such as in financial services, legal tech, and e-commerce, the proposed digital identity framework may help reduce friction in onboarding processes. By establishing a government-backed trust framework, the bill seeks to encourage wider adoption of secure, privacy-respecting digital identity solutions, potentially lowering costs and improving user experience.

• Regulatory Oversight: The establishment of a new Information Commission is proposed to replace the current Information Commissioner’s Office, aiming for a more modern structure with clearer strategic objectives.

The proposal to replace the Information Commissioner’s Office with a statutory Information Commission aims to streamline governance and improve accountability. While the proposed structure promises clearer objectives and more strategic oversight, it has also raised questions about independence and effectiveness. Businesses should be aware that this change may affect how data issues are investigated and enforced in the future, particularly in cross-border contexts.

It’s important to note that until the bill receives Royal Assent, existing data protection laws, including the UK GDPR and the Data Protection Act 2018, remain in force. Businesses should continue to adhere to current regulations and monitor the bill’s progress for any changes that may require adjustments to compliance strategies.

The finalisation of the Data (Use and Access) Bill will mark a significant step in the UK’s post-Brexit data protection regime. Businesses should stay informed about the bill’s progression and be prepared to adapt to the new legal landscape once enacted.

Although the Bill introduces a distinctly UK-centred approach to data protection post-Brexit, much of the substance remains aligned with key international principles, including those of the EU GDPR. For businesses operating internationally, this continuity helps reduce legal uncertainty. The UK Government has indicated its commitment to maintaining data adequacy with the EU, which remains vital for companies transferring data cross-border.

For further information, please don’t hesitate to get in touch at katherine@mirkwoodevansvincent.com.