This 3-hour course is for data protection leads and senior managers who need to understand the benefits on offer and understand, better, if they need to make changes to organisational procedures to capitalise on the Act. 

The Data (Use and Access) Act 2025 reforms how the UK manages personal and non-personal data.  It changes existing data laws in order to promote innovation and economic growth.  In simple terms it offers opportunities to reduce data protection and make things easier for organisations and business. 

It is a wide-ranging Act that introduces several amendments to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Privacy & Electronic Communications Regulations (PECR).

Key changes include: –

• Limitations to Subject Access Requests (SARs)
• Introduction of recognised legitimate interests
• Modifications to rules relating to automated decision-making (ADM).

Other UK GDPR amendments include revisions to international data transfers, purpose limitation, scientific research and enhanced protections concerning children’s data.

The new law also relaxes rules governing the use of cookies and aligns fines for non-compliance with PECR with those of the UK GDPR.

In terms of criminal law enforcement processing, the Act clarifies the definition of consent, aligns response times for data subject rights with those of the UK GDPR and introduces additional requirements to codes of conduct for competent authorities.

Finally, the Information Commissioner’s Office (ICO) will undergo significant organisational changes and will now be known as the Information Commission

For Whom
This short course is designed for data protection leads and senior managers who need to understand the benefits on offer and understand, better, if they need to make changes to organisational procedures to capitalise on the Act.   The course also helps data processors at all levels understand the very latest requirements.   Participants need working knowledge of previous legislative definitions, terms and scope.   

Course Content

The course commences with a short reminder of the existing legislation and then explores, step by step, what is actually changing under, The Data (Use and Access) Act 2025 (DUAA).  The course is accompanied with case studies and checklists for policy and procedural content.

1. Short Introduction:

• A brief summary of the rationale and basis for UK Data Protection Reform
• Refresher on key legal and technical terms encountered in previous training.
• Expected times before most DUAA provisions can take effect. 

2. Changes to the PECR:

• Low-risk cookies and similar tracking technologies 
• Personal data breach reporting
• Charities’ fundraising activities and the soft-opt in
• Codes of Conduct

3. Changes to the UK GDPR & Data Protection Act 2018

• Subject Access Requests (SARs)
• Data subject rights’ response times
• Definition of consent
• Recognised legitimate interests.
• Automated Decision Making
• International data transfers
• Children’s data
• Purpose limitation
• Research, archive, and statistical (RAS) purposes.
• Codes of conduct for competent authorities

4. Changes to the Information Commissioner’s Office (ICO):

• Information Commission (IC) -New board structure
• Enhanced investigatory powers to:

• • Compel witnesses to attend interviews.
  • Require organisations to produce technical reports.
• Power to issue increased fines and penalties for PECR breaches
  • £17.5M or 4& global turnover
  • More fines and penalties, by quantity, are issued for PECR breaches that GDPR breaches