10 tips to comply with the U.K.’s new data law

Changes to the U.K.’s privacy regime will immediately affect how companies handle AI-driven decisions, cookie usage, and responses to data subject requests. As a result, experts are warning compliance teams to ensure their organizations take the legislation seriously and make plans to review data governance. 

The U.K.’s new data protection law—the Data (Use and Access) Act (DUAA)—reforms the U.K.’s principal data privacy laws, the U.K. General Data Protection Regulation (GDPR), the Data Protection Act (DPA), and the Privacy and Electronic Communications Regulation (PECR). It does so by setting up frameworks for easier sharing of business and customer data, and introduces a digital identity verification system for people to prove their identities. 

The DUAA gives the government the ability to enable easier data sharing to help businesses, implementing open-banking type data sharing models in sectors such as energy, telecoms, and healthcare, where data sharing has, to date, been limited. The Act also amends the U.K. GDPR to introduce a more flexible regime for automated decision making (ADM), as well as a seemingly more lenient interpretation of the level of data protection necessary for transfers to third countries.