The DUAA amends, but does not replace, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
The DUAA changes include:
- Research provisions: Clarity on when you can use personal information for the purposes of scientific research, including commercial research. People can give ‘broad consent’ to an area of research.
- Privacy notices: it allows you to re-use people’s personal information for scientific research without giving them a privacy notice, so long as you protect their rights in other ways and still explain what you’re doing by publishing the notice on your website.
- Automated decision-making: it opens up the full range of ‘lawful bases’ that you can rely on when you use people’s personal information to make significant automated decisions about them. This potentially includes allowing you to rely on the legitimate interests lawful basis for this type of processing. This doesn’t apply to special category data, which is more protected.
- Cookie rules: it allows you to set some types of cookies without having to get consent, such as those you may use to collect information for statistical purposes and improve the functionality of your website.
The DUAA might make things easier for you in the following ways:
- New ‘recognised legitimate interests’ lawful basis: when you use personal information for certain ‘recognised legitimate interests’, it removes the need for you to balance the impact on the people whose personal information you use, against the benefits arising from that use. For example, when protecting public security.
- Disclosures that help other organisations perform their public tasks: it allows you to give personal information to organisations such as the Police, without having to decide whether that organisation needs the information to perform its public tasks or functions.
- Assumption of compatibility: it allows you to assume that some re-uses of personal information are compatible with the original purpose you collected it for, without having to do a compatibility test.
- Subject access requests (SARs): it makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal information.
- Direct marketing: it clarifies that direct marketing can be a legitimate interest.
If you have any questions or require support, please contact your Data Protection Officer (DPO).