
Following Brexit, the European General Data Protection Regulation (EU GDPR) was placed into the Data Protection Act 2018 (DPA 2018) domestic legislation and renamed the UK GDPR.

Application in day-to-day professional life requires clarification of two terms that can confuse:

  • An Article of the UK GDPR is the formal legislative clause; and
  • Recitals are the notes that accompany the Articles and explain what they set out to achieve.

It is hugely complicated. For example, Article 1 – ‘Subject-matter and objectives’ is covered by accompanying notes in Recitals 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 and 13.  Even though the Articles are contained in the domestic DPA 2018, the EU Recitals are still applicable, as the UK-GDPR varied little from the EU-GDPR.  That was the position until the Royal Assent of the Data (Use and Access) Act 2025 (DUAA) on 19 June 2025.  The DUAA does make changes to the DPA 2018, in which the UK-GDPR is housed; however, many of the changes insert the Recitals into legislation.  So, prior to the DUAA we had guidance; now we have legislative clauses.

However, there are some changes to highlight, although the UK Government has not announced when the provisions in the Act will come into force. In its update ‘The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations?’ the Information Commissioner’s Office (ICO) states that the changes will be introduced on a phased basis between June 2025 and June 2026:

  • The Information Commissioner’s Office (ICO): is renamed the ‘Information Commission’.  This change is intended to give the regulator a more modern structure as well as enhanced investigatory and enforcement powers;
  • Automated Decision-Making (ADM): this is possibly where the UK-GDPR diverges most from the EU-GDPR.  The DUAA says the prohibition on ADM only applies where the automated decision is based entirely or partly on ‘special category data’, for example personal data held by an employer which reveals an individual’s racial or ethnic origin, political opinions or religious or philosophical beliefs. However, the safeguards (human oversight, explicit authorisation etc.) will continue to be required for all solely automated decisions;
  • Changes to the lawful basis for processing: the DUAA identifies recognised legitimate interests, such as safeguarding vulnerable individuals or crime prevention. It also cites intra-group employee data transfers for administrative purposes as legitimate. This removes the need to balance employer interests against data subject rights and freedoms;
  • Further processing of personal data: the Act provides that further processing of personal data will be lawful in certain circumstances, if the new processing purpose is compatible with the original purpose for which the data was processed;
  • Subject Access Requests: data controllers will be obligated to conduct reasonable and proportionate searches, with the response period commencing only after the data subject has verified their identity;
  • Data protection complaints: the DUAA specifies how controllers must deal with complaints about data protection, including the need to have a complaints process, acknowledging the complaint within 30 days and providing a response ‘without undue delay’.  Complaints must be made to the data controller prior to being submitted to the Information Commission.

For Bookkeepers

Like the EU-GDPR, the UK-GDPR is complicated and we will rely on updated guidance from the Information Commission.  As stated, changes will come in over a period and ICB will keep you updated.

The Automated Decision Making (ADM) changes do seem to open a range of reasons (‘lawful bases’) we can rely on when using individuals’ personal information to make significant automated decisions about them.  This is as long as appropriate safeguards are applied.  In turn, this does seem to open the progression of Artificial Intelligence (AI) in payroll.
