The UK’s Data (Use and Access) Bill (DUA Bill) is in its final stage before becoming law. Once passed, it will bring targeted changes to UK data protection rules, affecting how businesses collect, use, and share personal data.
For businesses in the screen industries, this means updating internal policies around marketing, audience data, AI use, and research practices. The changes are evolutionary, not radical, but they matter.
The Data (Use and Access) Bill amends three key pieces of UK legislation: the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). The Bill is structured across eight Parts and 16 Schedules and introduces changes in several important areas, including:
Scientific research and consent
→ Part 5, Clause 41 and Schedule 4, Paragraph 1
Updates the definition of "scientific research" in UK GDPR and simplifies consent requirements for research purposes, aligning the law more closely with existing ICO guidance and Recital 159 of the EU GDPR.
Recognised legitimate interests and lawful bases for processing
→ Part 5, Clause 41 and Schedule 4, Paragraphs 2–3
Adds a new lawful basis under Article 6(1)(ea) and provides a non-exhaustive list of recognised legitimate interests, such as public interest tasks, safeguarding, and crime prevention, listed in Annex 1 of Schedule 4.
Direct marketing and cookies under PECR
→ Part 6, Clauses 60–63
Expands cookie exemptions (e.g. for statistical or functional purposes), permits the use of soft opt-in for charities, and aligns the maximum PECR fines with those under UK GDPR (up to £17.5 million or 4% of global turnover).
Automated decision-making (ADM)
→ Part 5, Clause 41 and Schedule 4, Paragraph 5
Clarifies what constitutes an automated decision under Article 22, introduces the concept of "meaningful human involvement," and limits the use of special category data in fully automated decisions.
Subject access rights and proportionality
→ Part 5, Clause 41 and Schedule 4, Paragraph 6
Updates how organisations must respond to subject access requests, allowing them to pause deadlines while waiting for ID or further information, and requiring only a "reasonable and proportionate" search.
International data transfers and adequacy
→ Part 5, Clause 41 and Schedule 4, Paragraph 9
Replaces Chapter V of UK GDPR with a new risk-based approach to adequacy decisions and data transfers, giving the Secretary of State discretion to determine whether a third country’s protections are “not materially lower” than the UK’s.
Marketing and Audience Engagement
Higher fines for non-compliance with PECR rules mean that cookie practices and marketing consents will need closer attention.
Some cookie uses (e.g. for performance or geolocation in emergencies) may no longer require consent, but most other cookies used for advertising or personalisation will still require it.
If your business runs mailing lists, promotions, or online ads, review consent processes and cookie banners before the new rules take effect.
AI and Automated Decision-Making
The Bill confirms that decisions made without meaningful human involvement count as fully automated. This aligns with Article 22 of the UK GDPR, which restricts the use of fully automated decisions that have legal or similarly significant effects on individuals.
The updated provisions clarify that profiling also counts as automated decision-making when used to make such impactful decisions.
The concept of “meaningful human involvement” means a real, active role in reviewing the decision, not just passive approval or automated flagging.
Where decisions involve special category data (e.g. biometric, health, ethnicity), they are only allowed in limited circumstances, such as with explicit consent, where required by law, or where necessary for a contract.
If you use AI-powered tools such as platforms that assist with casting, audience targeting, automated hiring, or content moderation, these systems may fall within the scope of the updated rules on automated decision-making.
You’ll need to:
Ensure that a genuine human review is involved before acting on significant AI-generated decisions.
Avoid relying on AI for decisions involving sensitive data unless you meet one of the limited legal exceptions.
Be ready to explain these processes to individuals and offer a route for human challenge or review.
The Bill introduces a broader definition of “scientific research,” which could benefit businesses conducting audience analysis, archive work, or programme development.
Consent rules for research are simplified, but transparency, purpose limitation and data minimisation still apply.
You may now pause the response clock when more information or ID is needed from the requester.
Only a “reasonable and proportionate” search will be required, easing pressure on small businesses.
The proposal to reject requests as “vexatious” has been dropped, so refusals must still be based on being manifestly unfounded or excessive
The Bill introduces a risk-based framework for international data transfers.
The UK is expected to maintain its EU adequacy decision (allowing EU–UK data flows), but businesses should still review overseas data sharing practices.
Action Points for Screen Sector Businesses
Review your marketing, consent, and cookie practices, especially if you use email lists or advertising platforms.
Audit AI and automation tools for any decision-making functions; human involvement may need to be more clearly documented.
Prepare for more manageable access requests, particularly from freelance contributors, performers, or audience participants.
Keep an eye on implementation, most provisions won’t come into force immediately, but changes will roll out via regulations.
While the DUA Bill won’t overhaul the UK data landscape, it introduces meaningful updates, particularly around compliance risks in marketing, AI, and cookie use. For screen sector businesses that handle creative content and audience data every day, now is a good time to check your processes align with the evolving rules.
Further updates will follow once implementation timelines and guidance are confirmed.