Data (Use and Access) Act — Enactment Impact Assessment (DSIT)
The full impact assessment for the DUAA at enactment, covering costs and benefits of smart data, digital identity, data protection reforms, and adequacy risk, including analysis of UK-EU trade impacts.
▤ Verbatim text from source document
1
Impact Assessment (IA)
Title: Data (Use and Access) Act
IA number: DSIT001(EAND)-24-DTT
RPC reference number: RPC-DSIT-5358(1)
Lead department or agency: Department for Science, Innovation and Technology
Other departments or agencies: Department for Business and Trade, Home Office, Digital
Cabinet Office, Department of Health and Social Care, HM Treasury, Department for Energy
Security and Net Zero, The Information Commissioner’s Office, Ministry of Justice
Date: 30 October 2024
Stage: Enactment
Source of intervention: Domestic
Type of measure: Primary Legislation
Contact for enquiries: datapolicyanalysis@dsit.gov.uk
RPC opinion: N/A
Summary: intervention and options
Cost of preferred (or more likely) option
(in 2024 prices, millions)
Item Cost
Total Net Present Social Value 10,604
Business Net Present Value 4,967
Net cost to business per year -281
Business Impact Target Status Not applicable
What is the problem under consideration? Why is government action or
intervention necessary?
Harnessing the power of data for economic growth, supporting a modern digital government,
and improving people’s lives were key government commitments laid out in the King’s Speech.
The nature of several data-related innovations and complexity of the current regulatory regime
means that firms, public sector organisations and consumers are not able to take full advantage
of the benefits that could be available to them through effective use of data and data sharing. As
2
a result, the market fails and benefits are not realised. It is necessary for Government
intervention to allow for the realisation of all benefits derived from more effective data use.
What are the policy objectives of the action or intervention and the intended
effects?
The proposals aim to:
• Harness the power of data for economic growth by giving a statutory footing to three
innovative uses of data: Smart Data, Digital Verification Services, and the National
Underground Asset Register
• Support a modern digital government by enabling more and better digital public services,
such as an electronic register of births and deaths and applying information standards to
health and care suppliers
• Update the UK's data laws to; help scientists make use of data for research; make public
interest data sharing and re-use easier; support the safe deployment of new technology;
future proof the legislation where appropriate; improve the law enforcement regime -
while maintaining high standards of protection
• Modernise and strengthen the ICO, with a more modern regulatory structure, and new,
stronger powers
• Establish a Data Preservation Process for coroners to support their investigations into
children’s deaths
• Establish a framework for further regulations that will allow researchers access to data
relating to online safety held by tech companies
• Provide Ofgem with greater flexibility in their process for choosing the next holder of the
Smart Meter Communications Licence
What policy options have been considered, including any alternatives to
regulation?
DSIT have considered a total of four policy options, which vary in the degree of change to the
current UK data policy regime, these are outlined below:
Option 0: do nothing
This is the scenario in which no changes are made to the current legislation. All analysis carried
out is compared to this baseline scenario.
Option 1: do minimum
Updating and simplifying the UK’s data protection framework while focusing on protecting
individuals’ data rights and generating societal, scientific, and economic benefits.
Option 2: do intermediate
3
The do intermediate option encapsulates moderate policy changes to the current regime aiming
to resolve most aspects of the market failures. It also incorporates key reforms which aim to
address those set out in the King’s Speech including Smart data, National Underground Asset
Register (NUAR), Digital identity, and the Information Commissioner’s Office (ICO) reforms.
Option 3: do maximum
Those measures in the do intermediate with additional data protection reforms.
Is this measure likely to impact international trade and investment?
Yes
Are any of these organisations in scope?
Micro: Yes
Small: Yes
Medium: Yes
Large: Yes
What is the CO2 equivalent change in greenhouse gas emissions?
(million tonnes C02 equivalent)
Traded: Not applicable
Non-traded: Not applicable
Will the policy by reviewed?
It will be reviewed.
If applicable, set review date: within 5 years
I have read the Impact Assessment, and I am satisfied that, given the available evidence, it
represents a reasonable view of the likely costs, benefits and impact of the leading options.
Signed by the responsible: Alex Rubin
Date: 04/09/2024
Summary: analysis and evidence – policy option 1
Data (Use and Access) Act
Description
To enable new innovative uses of data to be safely developed and deployed; to improve
people’s lives by making public services work better by reforming data sharing and standards;
to help scientists and researchers make more life enhancing discoveries by improving our data
laws; and ensure personal data is well protected by giving the Information Commissioner's
4
Office stronger powers and a more modern structure; and to make targeted updates to data
protection legislation.
Full economic assessment
Price base
per year PV base year Time period
Net benefit
(present
value (PV))
(£million)
Low
Net benefit
present value
(PV))
(£million)
High
Net benefit
present value
(PV))
(£million)
Best
2024 2024 10 3,170 20,138 10,604
Costs
Estimate
Total transition
(constant price) Years
(£million)
Average annual
(excluding transition)
(constant price)
(£million)
Total cost (present
value) (£million)
Low 765 54 1,208
High 2,501 108 3,267
Best estimate 1,363 76 1,959
Description and scale of key monetised costs by ‘main affected groups’
There will be direct costs to both private and public sector organisations. The assessment
provides monetised estimates for these where evidence is sufficient. These estimates include
the up-front costs of familiarisation for UK businesses and public organisations including the
Information Commissioner's Office. The assessment also estimates the monetised costs for
Law Enforcement Agencies (LEAs) of introducing the ability to actively review automated
decisions. Also included are the estimated costs to asset owners to conduct data transformation
and refresh activities as well as familiarisation and administrative costs to comply with NUAR
legislation. There will also be indirect costs as a result of the primary legislation designed to
increase the interoperability of Digital Identity and Smart Data schemes. As these reforms are
enabling, we have provided an overview of the potential scale of costs and detailed estimates
will follow with secondary legislation. X
Other key non-monetised costs by ‘main affected groups’
A qualitative assessment is provided for both direct and indirect costs where evidence is
currently not available. These include the costs to LEAs of changes to public sector data
handling regulations, the costs to government departments of making data sharing easier and
the costs of improving interoperability of data systems across the NHS. The costs of creating
innovative Smart Data and Digital Identity schemes are also qualitatively assessed. An
assessment on the potential impacts to data subjects trust of the package of reforms has also
been included.
Benefits
Estimate
Total transition
(constant price) Years
(£million)
Average annual
(excluding transition)
(constant price)
(£million)
Total cost (present
value) (£million)
Low 0 796 6,437
High 0 2,973 21,34688
Best estimate 0 1,732 12,562
5
Description and scale of key monetised benefits by ‘main affected groups’
Monetised estimates of direct benefits include the compliance cost savings expected to be
experienced by UK business as a result of changes to compliance activities especially for firms
that carry out research and development and use AI. The monetary benefit of the reforms to the
ICO and LEAs that are currently required to keep logs of the number of processing activities
that they carry out is also estimated. The reforms are also expected to increase data use by UK
businesses which indirectly will have a quantifiable impact on UK firm-level productivity. The
cost savings to owners of underground assets through utility strike avoidance, back office
efficiencies and on site efficiencies of the NUAR proposals are also included.
Other key non-monetised benefits by ‘main affected groups’
Where evidence is currently unavailable, we have provided a qualitative review of other
anticipated benefits of the reforms. These include the benefits to law enforcement and
intelligence services of introducing a ‘legal professional privilege’ exemption and removing the
need to notify the ICO of data transfers. We also qualitatively assess the benefits of the
oversight regime for the police use of biometrics and overt surveillance, the creation of Smart
Data and Digital Identity schemes.
Key assumptions/sensitivities/risks
Discount rate: 3.5%
Where assumptions have been made in the economic modelling, we have made sure to test
these either using a confidence band approach or Monte Carlo analysis.
Business case assessment (Option 1)
Costs (£million) Benefits (£million) Net (£million)
26 307 -281
Score for Business Impact Target (qualifying provisions only)
Not applicable
6
Evidence Base
Contents
1. Executive summary
2. Problem under consideration
3. Rationale for government intervention
4. Rationale and evidence used to justify level of analysis
5. Options under consideration
a. Do nothing
b. Do minimum
c. Do intermediate
d. Do maximum
6. Policy objective
7. Preferred option and plan of implementation
Impact Analysis
8. Assumptions and Methodology
9. Benefits
a. Summary
b. Direct benefits
c. Indirect benefits
10. Costs
a. Summary
b. Direct costs
c. Indirect costs
11. Wider impacts
a. Impact on Competition
b. Impact on Equalities
c. Impact on individuals
d. Environmental impacts
e. National Security impacts
12. Impact on small and micro businesses
13. Impact on medium-sized businesses
14. Sectoral Impacts
15. Potential impact on international trade
a. Changes to UK trade
b. Impacts of changes to Article 27
c. Impacts of ensuring businesses are able to continue to seamlessly use their pre-bill
existing transfer mechanisms
d. EU Adequacy
16. Risks and assumptions
a. Policy assumptions and risks
b. Analytical assumptions and risk
17. Monitoring and Evaluation
18. Annex
7
a. List of all recommended policies
b. Impact of preferred option (2024 prices, 2024 PV)
c. EU Adequacy Monte-Carlo Analysis
d. List of ICO guidance updates
e. Gravity trade modelling
f. List of additional measure in the Do maximum option.
g. Measures added via amendment during passage of the DUA Bill and included in the
Bill at Royal Assent
8
Executive Summary
Context
1. As set out in the Kings Speech, the government has prioritised harnessing the power of data for
economic growth, supporting a modern digital government, and improving people’s lives.
2. This act contains measures that start delivering on the Government’s commitment to better
serve the British public through science and technology.
3. This impact assessment provides:
a. An outline of the existing regulatory framework and market failures
b. The proposed policy options and preferred package of reforms in overcoming these
failures.
c. The cost benefit analysis of the preferred package of reforms, comprising of:
i. Direct costs and benefits
ii. Indirect costs and benefits
iii. Wider impacts
iv. Trade modelling
v. In depth analysis of the impact of these reforms on small and micro businesses and
specific sectors within the UK economy
d. An overview of all risks and assumptions associated with the modelling.
e. An outline of all future monitoring and evaluation activities
4. Many of the policies included in the Act have been designed by other government departments
alongside Department for Science, Innovation and Technology (DSIT), including, Department
for Business and Trade (DBT), Home Office, Department for Energy Security and Net Zero
(DESNZ) and Department of Health and Social Care (DHSC). Where this is the case, analysis
has been provided directly by these departments and has been referenced accordingly. There
are also reforms included in the Act which are enabling secondary legislation impact
assessments. We have highlighted where this is the case and ensured that the analysis
provided is representative of this, in line with Better Regulation Unit (BRU) and Regulatory
Policy Committee (RPC) guidelines.
Rationale and approach
5. The Act will harness the power of data for economic growth. First, it gives a statutory footing to
three innovative uses of data that will accelerate innovation, investment and productivity across
the UK:
a. Smart Data Schemes, which empower customers to make more informed choices and
provide businesses with a greater opportunity to innovate by increasing the portability of
9
their data. Open Banking is the only active example of a regime that is comparable to a
'Smart Data scheme' – but needs a legislative framework to put it on a permanent footing,
from which it can grow and expand.
b. By empowering consumers to access their data within new sectors, the aim is also to
encourage similar economic growth as demonstrated in Open Banking across the
economy. This is crucial in markets where customer engagement is low, or where
businesses hold more information and data than the customer.
c. Digital Verification Services will help people and businesses to make the most of identity-
checking technologies with confidence and peace of mind. Digital verification services will
save people time and money by providing convenient and reliable options to prove things
about themselves as they go about their everyday lives.
d. They will also enable smoother, cheaper and more secure online transactions. Digital
verification services will lessen the everyday burdens on businesses by reducing costs,
time and data leakage.
e. The National Underground Asset Register (NUAR) is a new digital map that is
revolutionising the way we install, maintain, operate and repair the pipes and cables buried
beneath our feet. NUAR gives planners and excavators standardised, secure, instant
access to the data they need, when they need it, to carry out their work efficiently,
effectively and safely.
f. Banning sexually explicit deepfakes includes new offences which criminalise the creating,
or requesting the creation of, a purported intimate image (deepfake) of another person
aged 18 or over without the adult’s consent or reasonable belief in consent of creating or
requesting the creation of a purported intimate image of an adult without consent or
reasonable belief in consent.
g. Producing reports on the use of copyright works in the development of AI systems, and an
impact assessment on the policy options considered in the AI and copyright consultation,
will help inform policy decisions on AI and copyright.
6. The complexity of the current regulatory regime means that businesses and consumers are not
able to take full advantage of the benefits that are available to them through effective use of
data and data sharing. As a result, the market fails, and benefits are not realised. Furthermore,
information asymmetry exists for UK businesses that are unaware of the benefits that increased
data sharing can lead to. Therefore, it is necessary for Government intervention to allow for the
realisation of all benefits that can be derived from more effective data use.
a. DSIT set out many of these areas in the King’s Speech. The reforms aim at achieving the
following objectives: Enabling more market competition and introduction of innovative
services for consumers and firms through Smart Data schemes.
b. Supporting the creation and adoption of secure and trusted digital identity products and
services from certified providers to help with things like moving house, pre-employment
checks, and buying age restricted goods and services.
c. Creating a new digital map to revolutionise the way data can be transmitted through pipes
and cables to allow secure, instant access.
10
d. Help scientists and researchers make more life enhancing discoveries by improving the
UK's data laws.
e. Delivering better public services through better data sharing, including in public health, law
enforcement, and national security
f. Improving regulation through the reform of the Information Commissioner’s Office
g. Maintain high standards of protection while making some data laws clearer and more
conducive to the safe development of new technologies.
h. Establishment of a Data Preservation Process that can allow access to information as part
of investigations into a child's death where needed.
7. From the evidence gathered and in line with analytical guidelines, we shortlisted down to a set
of four options. The three options alongside the status-quo/do nothing option all seek to
harness the power of data for economic growth, support a modern digital government, and
improve people’s lives. The range of options includes continuing with the current data
protection regime, making minor changes to address some market failures, or implementing
more substantial reforms to modernise and digitalise government services. The current
framework has limitations that restrict the potential benefits of data use. The minor changes aim
to resolve specific issues with a generally positive reception from stakeholders, while the more
moderate reforms seek to address a broader range of challenges, incorporating key
recommendations from recent policy discussions.
Findings
8. We estimate the total net present value of the preferred package of reforms to be between £3.2
billion and £18.8 billion over 10 years in 2024 prices.
Table 1: Estimated NPV of preferred option
Estimate Net Benefit (Present Value (PV)) (£million)
Low 3,170.0
High 20,138.3
Best estimate 10,603.9
9. Some of the measures assessed are enabling only and given the uncertainty over the contents
of the secondary legislation, will be assessed more fully at that stage (scenario 2 in the RPC’s
primary legislation guidance). The impacts of these secondary measures are either indirect or
unquantifiable at this stage. Usually where this is the case, an impact assessment would
present two EANDCBs. However, in this case they are the same and therefore the EANDCB
figures presented here cover the set of policies as a whole.
10. The Data (Use and Access) Act is classified as a quantifying regulatory provision. Many of the
reforms included in the Act are pro-competition in nature. However, there are some proposals
that do not qualify under these exemptions including the DHSC and Digital Identity measures. A
breakdown of the competitive nature of the Act can be found later in the Impact Assessment.
11. We have ensured our analysis is robust and proportionate. We have quantified costs and
benefits of the Data (Use and Access) Act where possible, and otherwise provided qualitative
analysis. Any evidence gaps will feature in our monitoring and evaluation plan.
11
12. A breakdown of the NPV of the costs and benefits we have monetised can be found in the table
below.
Table 2: Estimated Net Present Value (NPV) of preferred option over 10 years in 2024 prices
(£million)
Net
Estimates Low High Medium
Total NPV 3,170.0 20,138.3 10,603.9
Costs
Estimates Low High Medium
Total transitional 765.1 2,501.0 1,363.3
Average annual 53.9 108.0 76.3
Total cost 1,207.8 3,267.4 1,958.5
Benefits
Estimates Low High Medium
Total transitional 0.0 0.0 0.0
Average annual 795.8 2,973.0.8 1732.3
Total cost 6,437.4 21,346.1 12562.4
13. Where evidence is currently unavailable or where reforms will be followed up with secondary
legislation impact assessments, we have provided detailed non-monetised qualitative analysis
of the expected direct and indirect costs and benefits. These include a deep dive into the
impacts on consumer trust and privacy as well as public sector and law enforcement use of
data.
Impact on Trade
14. It is recognised that there will be some implications on trade as a result of the policy reforms as
part of the act. The below provides a summary of the impacts on trade for the measures in the
Act and further details can be found in the respective impact assessments.
15. Increasing market competition can lead to higher efficiency both domestically and boosted
competitiveness internationally. By furthering the UK’s leading approach towards data
portability with initiatives such as Smart Data, we can expect to see further opportunity to
extend the UK’s tech leadership, and by providing an opportunity for international firms to
12
expand into the UK, attracting further foreign direct investment while increasing competition for
domestic firms with knock-on benefits for customers.
16. Implementation of digital verification schemes is expected to bring beneficial impacts to
international trade through reducing friction by facilitating remote ID verification checks, which is
very commonly required whilst trading internationally, and helping to streamline business
processes. The legal framework will also support the Government’s wider work internationally
to enable identity verification across borders to be secure and trusted.
17. Cross-border data transfers are a key facilitator of international trade, particularly for digitised
services. Transfers underpin business transactions and financial flows. They also help
streamline supply chain management and allow business to scale and trade globally.1 We
have conducted analysis that looks at the potential of the proposed data reforms to enable
more trade between countries. The analysis however includes analytical caveats which mean
that the results should be treated as merely indicative of the range and scale, rather than a
granular and detailed account of the impacts. For this reason, we have decided to report these
results separately to the total NPV of the package of reforms.
18. Moving to a system which allows personal data to be transferred more pragmatically via data
adequacy regulations and alternative transfer mechanisms (ATMs) is expected to lower
transaction costs and increase cross-border data flows. Using a business-level approach that
assesses the direct cost of using standard contractual clauses (SCCs) we estimate the trade
that is currently suppressed, due to this cost acting as a non-tariff barrier between UK
businesses and the Rest of the World. This benefit is estimated to have an annual benefit of
between £51m and £100m.
19. EU Adequacy decisions are adopted through a unilateral, EU process managed by the
European Commission. EU Adequacy decisions do not require an ‘adequate’ country to have
the same rules, and the Government’s position is that the proposals within the Act are aligned
with the EU’s criteria to allow the UK to preserve its adequacy status allowing the free flow of
personal data from Europe to the UK.
20. It is recognised that data transfers are integral for EU and UK organisations and if an EU
Adequacy decision was not available, EU businesses would have to implement and comply
with alternative transfer mechanisms to transfer personal data to the UK. Therefore, we have
estimated the economic impact that UK businesses would face if Adequacy with the EU was to
be discontinued or suspended as a result of this Act. We have updated our modelling
assumptions and estimations of any changes to this agreement. As a result, we estimate the
impact of Adequacy with the EU being lost on top of these measures to be between £190 and
£460 million in one-off SCC costs and an annual cost of between £210 million and £420
million in lost export revenue when taking a micro approach to modelling. The analysis does not
attempt to assign probabilities but simply estimates the impact in the event of loss of EU
Adequacy. The trade impacts are the direct reduction in UK-EU trade and the impact may be
larger when accounting for interactions with onward supply chains with trade with third
countries. As there is uncertainty in both the likelihood and timing of any decision, the impact is
not included in the net present value or other measures in the summary of the IA. The impacts
1International data transfers: building trust, delivering growth and firing up innovation, DSIT, 2021
13
have been uprated and discounted as if the decision was made presently, a conservative
assumption. The impacts are presented for the purposes of transparency.
21. We do not anticipate there being any direct implications for trade. NUAR will primarily change
the costs for domestic activities. However, as the reforms will directly benefit owners of
underground assets through reduced utility strikes, back office efficiencies and enabling better
data sharing, it could over time make the utility and telecoms sector in the UK a more attractive
place for inward investment, compared to other economies which have not yet taken action to
improve data sharing in this manner. This could include the attractiveness of investing in new
developments or major projects given the data contained and made available in NUAR will help
reduce risk of project overruns and delays. As these benefits are speculative at this stage, they
have not been quantified.
14
Summary of costs and benefits
Benefits
Benefits Monetised/ non-monetised Direct/ Indirect
Compliance cost savings Monetised Direct
Reform of the ICO Monetised Direct
Productivity benefits Monetised Indirect
Creation of innovative and secure Smart
Data Schemes (DBT) Non-Monetised Indirect
Increased Interoperability and Trust of
Digital Identity Systems
Monetised for four example
use cases Indirect
Increased Interoperability and Trust of
Digital Identity Systems  Indirect
Privacy, trust and individual data rights Non-Monetised Indirect
Delivery of better public services Non-Monetised Indirect
Improved Customer Outcomes Non-Monetised Indirect
Improved Interoperability across Health
and Social Care Systems Non-Monetised Indirect
Improved Interoperability across Health
and Social Care Systems Non-Monetised Direct
Improved Interoperability across Health
and Social Care Systems Monetised Indirect
Improved Interoperability across Health
and Social Care Systems Monetised Direct
Enhance the work of the UK intelligence
services and Law Enforcement Agencies
(HO)
Monetised Direct
Enhance the work of the UK intelligence
services and Law Enforcement Agencies
(HO)
Non-Monetised Direct
Enhance the work of the UK intelligence
services and Law Enforcement Agencies
(HO)
Non-Monetised Indirect
Operationalise the National Underground
Asset register Monetised Direct
Operationalise the National Underground
Asset register Monetised Indirect
Operationalise the National Underground
Asset register Non-Monetised Indirect
Facilitate Researchers’ Access to Online
Safety Data Non-Monetised Indirect
Direct marketing Monetised Direct
Direct marketing Non-Monetised Direct
Strengthen the Criminal Law Non-Monetised Direct
Producing reports and an IA on AI
Copyright Non-monetised Indirect
15
Costs
Costs Monetised/ non-
monetised Direct/ Indirect
Familiarisation costs Monetised Direct
Reform of the ICO Monetised Direct
Enhance the work of the UK intelligence services
and Law Enforcement Agencies in the interest of
public security (HO)
Monetised but not
included in calcs Direct
Enhance the work of the UK intelligence services
and Law Enforcement Agencies in the interest of
public security (HO)
Monetised Indirect
Enhance the work of the UK intelligence services
and Law Enforcement Agencies in the interest of
public security (HO)
Non-monetised Direct
Creation of innovative and secure Smart Data
Schemes (DBT) Non-Monetised Indirect
Increased Interoperability and Trust of Digital
Identity Systems
Monetised for four
example use cases Indirect
Increased Interoperability and Trust of Digital
Identity Systems Non-Monetised
Delivery of better public services Non-Monetised Indirect
Improved Interoperability across Health and
Social Care Systems Non-Monetised Indirect
Improved Interoperability across Health and
Social Care Systems Monetised Direct
Operationalise the National Underground Asset
Register Monetised Direct
Operationalise the National Underground Asset
Register Monetised Indirect
Operationalise the National Underground Asset
Register Non-Monetised Indirect
Facilitate Researchers’ Access to Online Safety
Data Non-Monetised Direct
Increased flows throughout the Criminal Justice
System Monetised Direct
Producing reports and an IA on AI Copyright Non-monetised Direct
Wider impacts
Wider impacts Monetised/ non-monetised Direct/ Indirect
Impact on Competition Non-Monetised Indirect
Impact on Equalities Non-Monetised Indirect
Impact on Individuals Non-Monetised Indirect
Environmental Impacts Non-Monetised Indirect
National Security Impacts Non-Monetised Indirect
Differential impact by sector and organisation size
22. Our modelling confirms that benefits and costs from these reforms will not fall equally across
the economy and society. A breakdown of how the NUAR2, Smart Data3, Digital Identity4 and
2 DSIT: NUAR Impact Assessment, 2024
3 DBT: Regulatory Powers for Smart Data Impact Assessment, 2024
4 DSIT: Digital Identities De Minimis Assessment, 2024
16
Interoperability of Health Care Systems5 measures are expected to impact different sectors and
organisation sizes can be found in their respective impact assessments.
23. Small and Micro Firms (SMFs) are included in the legislation for mandatory participation in
Smart Data schemes to ensure the schemes' effectiveness across various sectors. Exempting
SMFs could undermine the objectives of future schemes, such as providing comprehensive
consumer information, as seen in the example of fuel pricing. However, the legislation requires
consideration of the potential impact on SMFs, with options to mitigate disproportionate risks,
such as third-party data collection or fee adjustments. The specific participation requirements
and thresholds will be determined during the secondary legislation stage, with smaller
businesses expected to participate voluntarily if benefits outweigh costs.
24. We expect the data protection reforms to have asymmetric distributional impacts on different
organisations/ sectors as a result of differing levels and types of data use6, while in the case of
several non-data protection measures, other differences including for example, firms in some
sectors are more likely to have processes and privacy frameworks in place already than others.
25. Where we have been able to provide monetised estimates, the analysis is detailed and robust
however some assumptions have had to have been made in areas where evidence is lacking.
We have therefore ensured that we have carried out sufficient sensitivity analysis and testing to
make sure that we accounted for these potential risks.
26. Given the estimated scale and scope of the project we intend to complete a Post
Implementation Review (PIR),7 within 5 years of implementation. This will provide us with the
opportunity to review whether the Act has met the intended objectives highlighted in this impact
assessment. In order to be able to successfully measure these impacts we will also ensure that
we invest in the monitoring of all key statistics that have fed into this IA with focus on the
evidence gaps we have identified.
5 DHSC: Open Data Architecture Information Standards Impact Assessment, 2024
6 Different sectors use data differently, e.g. in 2024, the sector most likely to say they share personal data with other organisations
was Finance and Insurance (41%). DSIT: UK Business Data Survey (2024)
7 Producing post-implementation reviews: principles of best practice, BEIS (2021)
17
Problem under consideration and the issue being addressed
27. The current UK General Data Protection Regulation (UK GDPR) provides an important
regulatory framework for access, use and re-use of personal data that protects the rights of
individuals. It also provides rules that facilitate data sharing in ways that are accountable,
lawful, fair and secure. The government is committed to maintaining high standards of data
protection so that people have confidence in the use of their personal data.
28. Smart Data could address various market issues, but current incentives and powers are
inadequate to implement it effectively. The UK GDPR provides data portability rights but lacks
the robust standards and secure sharing needed for Smart Data. Low consumer engagement
across markets leads to problems like the 'loyalty penalty', low switching rates, poor
satisfaction, and subscription traps, especially for vulnerable consumers. Trust in using
personal data is also low, and some consumers use insecure methods like 'screen scraping',
which poses risks. Restricted data access is increasingly seen as a barrier to market entry,
making intervention necessary to address these challenges.
29. Identity proofing methods that rely on physical documents are costly, inefficient, and prone to
fraud. Digital identities could improve and streamline this process, but the current system is
inadequate. There is a gap in communication between digital identity providers and users, with
a lack of standards for interoperability and insufficient trust. In the 2019 Call for Evidence,
respondents highlighted the need for government intervention to establish these standards,
create mechanisms for organisations to demonstrate compliance, and enable verification
against government-held data.
30. Data access and availability can also support industry in other ways. Over 4 million kilometres
of underground energy, water, and telecoms infrastructure suffer around 60,000 accidental
strikes each year, costing industry and government £2.4 billion annually (2021 prices). Current
legislation requires asset owners to share data with excavators but doesn’t specify how, leading
to inefficiencies. With over 700 asset owners, this results in repeated requests and inconsistent
data formats. Government intervention is needed to reform legislation and establish a
sustainable data sharing service that ensures secure, efficient access to underground asset
data while managing commercial interests and legal liabilities.
31. In the health sector, despite 2012 legislation for data standards, adoption is low (around 42%)
and not keeping up with necessary changes. Health and social care providers struggle to
access or share care information in real-time. The Health and Care Act 2022 made compliance
with information standards mandatory for providers, aiming to improve interoperability.
However, current powers don't compel IT suppliers to adopt these standards. This act seeks to
address this by requiring IT suppliers in England's health and care system to meet specified
information standards. Helping the adoption of digital identities, enabling economic gains in the
digital economy while protecting against harms and enhancing privacy.
32. While the Online Safety Act 2023 (OSA) will improve the availability of data for researchers
through transparency reporting in particular, in the absence of this legislation there are no
provisions to provide researchers with direct access to data. This data could significantly
enhance research that benefits society, such as improving public understanding of online safety
18
and reducing online harm in the UK. However, since platforms are not currently required to
share this data, there is a clear need for government intervention to address this issue and
ensure that data protection laws facilitate access to valuable information for scientific research.
33. Some businesses also view data as a liability, particularly where personal data is concerned,
and take steps to curtail access and usage, implying a level of strategic over-compliance arising
from uncertainty. This may come at significant opportunity cost. For example, 92% of UK
businesses do not transfer data internationally, of which 10% of businesses give concerns
around legal risks and uncertainty as a reason.8 Alongside this, fewer than 10% of UK
businesses use customer relationship management software to collect, store, and share
customer information within their businesses,9 meaning that most businesses do not have an
easy way of using data to gain customer insights.
34. From an international perspective, “uncertainty regarding legal privacy regimes” was listed
across 19 OECD countries as a main barrier to transborder data flows, followed by
“Incompatibility of legal regimes” by 16 countries10 and the overall estimated compliance cost to
UK businesses of using transfer mechanisms inherited from the EU for rest of world personal
data transfers is estimated at about £360m annually.11
35. The OECD12 highlights that achieving the benefits available from data use requires employing
data-governance frameworks that incorporate whole-of-government approaches and are
coherent across areas, sectors and ideally countries. Work by Frontier Economics which was
published in March 202113 identified a number of interrelated barriers to greater use and
sharing of data in the economy, including a lack of knowledge (about potential uses of, and
benefits from, data), high perceived risks (regulatory, commercial reputational), high upfront
costs and misaligned incentives.
36. UK businesses identify many benefits of the UK GDPR14 and the Data Protection Act 2018
(DPA 2018) for example in 2021, of the businesses that were shown to collect digitised
personal data, 58% agreed that the introduction of the GDPR had led to increased awareness
of data protection at a senior level.15 However, the current regime can also be complex to
interpret and apply, especially for small and medium businesses.16 The 2024 UK Business Data
Survey found that smaller businesses were less likely than large businesses to have someone
whose role includes leading on data protection, and were less likely to say they find the
regulatory guidance published by the ICO clear and easy to understand17. Such complexity is
understood to be a barrier to compliance and lead to uncertainty, and potential over- or under-
compliance (through strategy or error).18 There is also evidence that the current regime may
8 UK Business Data Survey (2024)
9 ONS (2018) E-commerce and ICT activity Statistical bulletins, Table 25; this is even lower for micro-sized firms.
10 OECD: Digital Economy Outlook 2020, fig 6.4
11Published DSIT estimate, from RoW Adequacy Umbrella IA.
12 Enhancing access to and sharing of data: Reconciling risks and benefits for data re-use across societies, OECD (2019)
13 Increasing access to data held across the economy , Frontier Economics, 2021
14 Until the end of 2020 the EU GDPR applied in the UK. Since then, the applicable legislation in the UK has been the UK GDPR.
For simplicity we typically refer to the UK GDPR throughout, but where evidence relates to the earlier GDPR we refer to this as the
GDPR.
15 UK Business Data Survey (2021)
16 The European Commission’s (2020) evaluation of the GDPR identified challenges for organisations, in particular SMEs.
17 UK Business Data Survey (2024)
18 Christensen et al.(2013) The Impact of the Data Protection Regulation in the E.U. To note, this is a forecast of the proposed
GDPR rather than an ex-post impact evaluation.
19
reduce firm-level innovation, business creation and employment,19 decrease investment in
emerging technology firms,20 and negatively impact data-driven industries.
37. Regulation 22 of the PEC Regulations prohibits the transmission, by means of electronic mail,
of unsolicited communications to individual subscribers. Currently regulation 22 of the PEC
Regulations provides for one exception. It allows anyone (companies, charities, or other
organisations) to send electronic marketing communications to an individual (recipient) without
their explicit consent, if their contact details were collected during the sale of a product or
service, or negotiations of a sale. The direct marketing materials benefiting from this exception
may only concern similar products and services and the individual recipient must be offered a
simple means of opting out of receiving marketing communications, both at the time the contact
details are collected and in all subsequent communication sent. Both safeguards are aimed at
limiting an individual’s exposure to spam and nuisance communications. This exception is
commonly known as the ‘soft opt-in'.
38. This measure creates an exception from the prohibition for direct marketing carried out by a
charity for charitable purposes. The current exception does not enable charities to send direct
marketing messages to individuals in order to fundraise or promote campaigns, which is a core
activity for some charities in helping them to deliver their charitable purpose(s). The
government engaged with stakeholders, listening to the concerns raised by the sector over the
difficulties it has experienced through covid and cost of living situation and has taken steps to
support charities resilience.
39. There has been a significant rise in the ease in the accessibility of technology used to create
purported intimate images (“intimate deepfakes”), and in their prevalence online without the
consent of the person depicted. A purported intimate image could include a photo or video (or
any hyper-realistic image) of someone engaged in sexual acts, or where the most intimate parts
of the body are exposed or covered with underwear, or where the person is using the toilet, as
defined in section 66D (5) to 66D (9) in the Sexual Offences Act 2003.
a. Under section 66B of the Sexual Offences Act 2003, the law already captures situations
where intimate images including deepfakes are shared without consent or reasonable
belief in consent. Likewise, the criminal law already covers the creation of intimate images
of children as this it already captures the making of indecent images. This includes making
deepfake images of children (i.e. those under the age of 18) in section 1 of the Protection
of Children Act, 1978.
b. However, there is currently no criminal offence banning the creating or requesting of
intimate image deepfakes of an adult without consent or reasonable belief in consent. This
behaviour can cause harm to the individuals depicted and forms part of a wider harmful
and misogynistic behaviour.
c. The Government committed in its manifesto to banning sexually explicit deepfakes. The
measure assessed in this IA will fulfil that commitment by introducing the new offences of
19 Christensen et al.(2013) The Impact of the Data Protection Regulation in the E.U.
20 Jia et al. (2018) found that GDPR negatively affected venture capital investment in digital technology firms.
20
creating or requesting the creation of a purported intimate image of an adult without
consent or reasonable belief in consent.
40. Producing reports on the use of copyright works in the development of AI systems, and an
impact assessment on the policy options considered in the AI and copyright consultation, will
help inform policy decisions on AI and copyright.
21
Rationale for intervention
41. The complexity of the current regulatory regime means that firms and consumers are not able
to take full advantage of the benefits that are available to them through effective use of data
and data sharing. There are six market failures across different sectors of the economy that
have been identified as a result of the complexity of the UK’s current data regime.
a. Externalities occur when the production or consumption of a good incurs costs or benefits
on a third-party outside of the transaction. A data externality is an effect that arises from the
disclosure of personal data.21 In the data market, a negative externality occurs when the
disclosure of personal data by some consumers leads to an excessive privacy loss for other
consumers. The use of the disclosed personal data by businesses or organisations for
activities such as targeted advertising, leads to a loss of privacy for those who consider the
data to be private information. A positive externality can occur when data collected by one
party is freely accessed by others and this generates positive external benefits for re-
users.22
b. Public goods, where the delivery and efficiency of public services is inefficient as a result of
limited data sharing. The complexity of the regulation delays the sharing of data between
public services. Also, public sector services lack the necessary framework to use data
efficiently and this leads to public goods being under-utilised. The government can create
open access data to provide the right framework to help improve the utilisation of public
goods. 23
c. Information asymmetry refers to when one party in a transaction has more information
than the other. In the data market, businesses such as online platforms that provide search
engines or targeted advertising, have better and more information on the services markets
they cover compared to the users of the platforms. The consumers are unaware of whether
the platforms use the information to maximise social welfare via increased efficiency or to
maximise their own profits.
d. Imperfect information, where UK businesses have incomplete information regarding the
regulations around data sharing and therefore choose not to share data to minimise risk. A
further example is when consumers are unaware of how much personal data businesses
collect and how businesses process personal data. Also includes areas where better
sharing of data enables efficiencies.
e. Market power refers to when the power is concentrated into too few businesses or
organisations. In data markets that lack competition the complexity of the regulation deters
new entrants and limits firms with relatively less power from achieving the additional benefits
of effective data use. Firms with market dominance can expand into complementary data
markets, at a relatively low marginal cost rather than share data with complementary firms,
this may deter new entrants into complementary markets.
f. Network failure refers to when a good or service whose value increases as the number of
users increases fails to raise its value due to a lack of users. The data network effect is
21 The Economics of Privacy: A Primer Especially for Policymakers, Bank of Japan, 2021
22 Business-to-Business data sharing: An Economic and Legal Analysis, JRC Digital Economy Working Paper, 2020
23 “Creating and governing social value from data” - Diane Coyle and Stephanie Diepeveen, 2021
22
when a product's value grows as a result of more usage via the accretion of data.24 In terms
of data network failure, the complexity of the regulations has resulted in insufficient
cooperation between UK businesses to combine datasets through data sharing and benefit
from economies of scope.
42. The table below highlights the specific market failures that are present in certain parts of the
UK’s data processes, policies and current protection regime.
Table 3: Summary of the market failures in data markets
24 https://www.nfx.com/post/truth-about-data-network-effects
23
Market Externalities Public
goods
Information
asymmetry
Imperfect
information
Market
power
Network
Failure
Smart Data25 ✓ ✓ ✓ ✓
Digital Identity
Schemes26 ✓ ✓
The National
Underground Asset
Register (NUAR)27
✓ ✓ ✓
Using data to improve
public services
(including DHSC
CDDO and HO
initiatives)
✓ ✓ ✓ ✓
Data use for science
and research
(including AI)
✓ ✓ ✓
Online Safety:
Researcher Access to
Data28
✓ ✓
Processing/ Re-use of
data ✓ ✓
Privacy and Electronic
communications ✓
Data subject rights ✓ ✓
International data
transfers ✓ ✓
The Information
Commissioner's Office
(ICO)
✓
Smart meter data
(DESNZ) ✓
Direct marketing ✓ ✓
Copyright works and
artificial intelligence
systems
✓
43. The market currently fails at different levels of the data value chain. The table above explores
where the market failures exist.
44. Government intervention in the form of new legislation or changes to existing legislation will
help overcome these market failures. Reform options have been designed specifically to
25 More information on the rationale for intervention in the Smart Data market can be found in the Smart Data final Impact
Assessment 2024 - DBT
26 More information on the rationale for intervention in the Digital Identity market can be found in the Digital Identity De Minimis
Assessment - DSIT, 2024
27 More information on the NUAR measures can be found in the NUAR final Impact Assessment 2024
28 DSIT: Researchers’ Access to Data Impact Assessment, 2024
24
remedy market failure in specific industries and sectors as well as UK data policy more
generally. These areas have been set out in the King’s Speech29
a. Smart Data initiatives, there is a failure of existing regulation to enable easy and secure
data mobility. Many markets currently face low levels of consumer engagement.
Consumers are unable to navigate these markets easily resulting in negative outcomes
such as the ‘loyalty penalty’, low switching rates, poor satisfaction. These negative
outcomes are further exacerbated for vulnerable consumers who may have further
inabilities to access and engage. Alongside low consumer engagement is a lack of trust
and empowerment to utilise their own data in markets, increasing their cost of informed
decision making. While already sharing data, some customers are currently using less
secure methods, such as ‘screen scraping’, which can lead to direct harm if this data is
mishandled. Evidence also shows that in digital markets there is increasing concern that
access to data is a significant barrier to entry. Intervention is therefore necessary to help
address the issues arising in these markets and to alleviate wider market failures. The
Smart Data amendments in the House of Commons were intended to ensure that Smart
Data schemes function optimally, and to ensure the Part 1 regulation-making powers are
as clear as possible. This will further assist in addressing the market failures mentioned
above. The section 11 amendments specifically allow for regulations to provide for a
greater range of Smart Data scheme models regarding fee charging. This means Smart
Data schemes can be designed with a fee structure that is tailored to the needs of the
markets corresponding to each sector. More detail can be found on Smart Data rationales
in the Smart Data Impact Assessment.30
b. An emergent marketplace in Digital Identities already exists, with more and more
businesses and citizens preferring to verify information about themselves without needing
paper documents. However, current identity proofing methods can be expensive,
inefficient, and vulnerable to fraud. Digital identities can strengthen and simplify the
process, however, the current landscape lacks standards which will enable interoperability
and does not yet command trust. In the 2019 Digital Identity Call for Evidence,31
respondents noted that the market required the government to step in and set these
standards, create mechanisms to allow organisations to prove they follow them, and to
enable checks against government-held data. More information on this market failure can
be found in the Digital identity and attributes De Minimis Assessment.32
c. Currently, there are over 4 million kilometres of underground energy, water, and telecoms
pipes and cables, suffering approximately 60,000 accidental strikes each year, costing the
industry and government £2.4 Billion annually (2021 prices). Establishing a new
sustainable data-sharing service, National Underground Asset Register (NUAR), is
necessary to provide secure and efficient access to underground asset data, balance
commercial interests, and manage legal liabilities. Existing laws require asset owners to
share data on these assets with excavators but do not specify the method of sharing. As a
result, 700+ asset owners have to respond to numerous requests, and excavators must
contact multiple owners, receiving data in varying formats and timelines. Government
intervention through legislative reform is essential to standardize data sharing, thereby
resolving these issues.
29 The King’s Speech 2024, GOV.uk, 2024
30 Smart Data Impact Assessment, DBT (2024)
31 Digital Identity: Call for Evidence Response, DSIT, 2020
32 Digital identity and attributes De Minimis Assessment, DSIT, 2024
25
d. In the health care sector, the fragmented IT vendor market for health and social care has
resulted in suboptimal levels of interoperability, hindering the efficient exchange of
information across systems. This lack of interoperability creates significant challenges for
healthcare providers and patients, and the market has failed to address these issues on its
own. Government intervention is necessary to set standards, promote competition, and
ensure consistent and secure data sharing. By doing so, the government can overcome
key market failures, such as economic externalities, coordination failures, and imperfect
competition, to improve patient outcomes, reduce costs, and support innovation in
healthcare technology.
e. The provision for registering births, still births and deaths is contained in the Births and
Deaths Registration Act 1953 (BDRA) and the Registration of Births and Deaths
Regulations 1987. In 2009 the registration online system (RON) was introduced allowing
registrars to register births and deaths electronically. Even though all birth and death
information are held electronically, registrars are still required to also hold a record of the
events in paper registers. Removing the requirement for paper registers, requires a change
of legislation. This would introduce efficiencies and result in savings to public expenditure
as well as the support of government digital initiatives. Allowing the RON system to be the
only birth and death register removes duplication and simplifies the process. It also
introduces savings for the Home Office by removing the cost of providing registers,
associated resources, postage costs and loose leaf, watermarked, registration paper.
Moving away from paper registers will also reduce the risk of criminals gaining access to
blank stock to create false identities.
f. The direct marketing measure backs the third sector in reaching out to more potential
donors, potentially helping them boost their finances, which in turn could have valuable
societal benefits. It will enable charities to engage with supporters in order to fundraise and
promote campaigns.
g. In the case of purported intimate images, the rationale for intervention relates to equity,
ensuring that the criminal law adequately provides justice to victims, and reducing their
distress and invasions of privacy.
h. There is currently information asymmetry in the data licensing market as owners of
copyright works have difficulty monitoring how their data is used in AI training. One of the
AI and copyright issues that will be explored in the reports is the disclosure of information
by developers of AI systems about their use of copyright works to develop AI systems, and
how they access copyright works for that purpose (for example, by means of web
crawlers).
Table 4: How the legislation would overcome each market failure
Market Failure Policy Intervention
Externalities Implement legislation that makes it easier for personal data to be used in
science and research while also providing consumers with the optimum
level of privacy protection.
Public Goods Implement legislation that makes it easier for personal data to be
exchanged between public sector bodies. Introduce frameworks that
encourage data use in the public sector.
26
Information Asymmetry Simplify the legislation regarding data exchange and data use. Provide
clarification of the rules around using personal data to benefit businesses
and their consumers.
Imperfect Information Simplify the legislation regarding data exchange and data use. Provide
clarification of the rules around using personal data to benefit businesses
and their consumers.
Market Power Implement legislation that encourages competition through increased
data sharing and reduces the compliance requirements.
Network Failure Implement legislation that encourages cooperation and increased data
sharing.
45. The issues with the current data regime that have been outlined above require a range of
reforms to be corrected. The introduction of new guidance would not solve the complexity issue
of the current regime because the scale of change needed is too large to be covered by
guidance. It would be inefficient to solely produce guidance in an attempt to simplify the current
regime. For example, even if existing legislative mechanisms were used to oblige health and
adult social care providers to purchase information technology products and services with
appropriate technical features, this would be insufficient to bring the wholesale change to the IT
supplier market that is needed, particularly in the timeframe required to push forward the
digitisation in health and social care.
46. The full scope of the issues could also not be addressed by relying solely on changes to the
Information Commissioner's Office, as many of the market failures need legislative change for
them to be corrected. As a result of this, we explored policy options targeted at specific sectors
and market failures to overcome these issues.
a. The UK has three data protection regimes. Most personal data are governed by the UK
General Data Protection Regulation (UK GDPR) and its accompanying provisions in Part 2
DPA 2018. Law enforcement processing has its own bespoke regime (Part 3 DPA 2018)
which reflects the operational nature of the processing carried out by Law Enforcement
Agencies (LEAs). The third regime governs processing of personal data by the UK’s
Intelligence Services (Part 4 DPA 2018) and reflects the national security sensitivities as
well as the other forms of oversight outside data protection governing the intelligence
services.
b. The Home Office has responsibility for law-enforcement and intelligence services data
processing. The Act will update the Data Protection Act 2018 (DPA 2018). It will contribute
to reducing the risk from terrorism to the UK and UK interest overseas33 and will restore
confidence in the criminal justice system34 (CJS) when it comes to data protection.
c. As the DPA 2018 is recent and largely works well, the reforms will provide updates to the
existing legislation rather than fully re-writing it. This will prevent undue burden on
users/businesses and maintain international confidence in our data protection standards.
Most of the changes aim to simplify/clarify the existing law, which in turn will provide users
with the confidence needed to encourage data exchange effectively (both domestically and
33 Home Office Outcome Delivery Plan: 2021 to 2022 - GOV.UK (www.gov.uk)
34 People's priorities | Horizon
27
internationally). Effective data exchange is important for economic and law enforcement
relationships.
d. The Home Office has two overarching aims:
i. Firstly, to empower the police to use new technologies, like biometrics, within a strict
legal framework which maintains public trust.
ii. Secondly, to facilitate the effective flow and use of personal data for law
enforcement and national security purposes to enhance the work of the UK
Intelligence Services and Law Enforcement Agencies (LEAs) in the interest of public
security.
e. Intervention is necessary as improving UK data laws will continue to deliver effective data
exchange, which is good for business and public security. The measures being introduced
will drive efficiencies and encourage better data cooperation. The amendments prevent
undue burden on users and businesses and reduce the potential impact on the Adequacy
decisions. The amendments will simplify and clarify the existing law, which in turn will
provide users with the confidence needed to encourage data exchange effectively (both
domestically and internationally). Effective data exchange is important for economic and
law enforcement relationships.
f. In developing these proposals, the Home Office have engaged extensively with operational
partners, taking as the starting point changes that support improved operational outcomes
whilst maintaining public confidence and simplifying existing law (for example, using
consistent language) where appropriate.
g. The UK is ranked second in the world for science and research35,and made up 13.4% of
highly cited research publications worldwide in 202036. Data is key to a wide range of
research activities across many sectors, and this is reflected in the UK GDPR. The existing
legislation provides specific allowances in relation to processing for research purposes,
however, the laws around personal data use for “research purposes” are complex and the
current regulatory landscape has proven difficult for scientists to navigate, making it harder
to establish legal certainty for vital and innovative research. This highlights how the market
fails because scientists have incomplete information about personal data use and how the
data value chain suffers a market failure at the collection stage. Furthermore, through the
consultation process we identified that some aspects of the existing framework can place
unnecessary barriers to researchers, slowing down or even stopping their progress. The
barriers researchers face restricts the realisation of societal benefits from effective data
use. This shows how the data value chain suffers a market failure at the impact stage.
h. When used responsibly, data-driven artificial intelligence (AI) systems have the potential
to bring substantial benefits to the lives of consumers and businesses. The development of
AI and machine learning applications is contingent on data, and places specific demands
on its collection, curation and use. The market failures discussed all have an effect on the
current development of AI. Consumers may not be aware of their rights when subjected to
35 The AD Scientific Index, 2024
36 International Comparison of UK Research Base (BEIS, 2022)
28
automated decision making reflecting the information gaps. Uncertainty regarding these
data requirements could raise barriers to realising these benefits.
i. The Online Safety researchers’ access to data provision will improve understanding of
online safety issues and position the UK as a leader in research and innovation. While the
Online Safety Act 2023 (OSA) will improve the availability of data for researchers through
transparency reporting in particular, in the absence of this legislation there are no
provisions to provide researchers with direct access to data. Ofcom will be able to require
the largest providers to publish a broad range of information through transparency reports,
but Ofcom is unlikely to require companies to publish the kind of user data required to
conduct online safety research. The online safety impact of these proposed interventions
could be broad. Eligible independent researchers will be able to carry out research into
online safety issues that may include illegal activity, harmful content, damaging
behaviours, and issues relating to free speech. This additional research is likely to help to
address the limited information currently prevailing in this area and contribute to the
evidence base for future online safety interventions.
j. The re-use of personal data can provide economic and societal benefits through
facilitating innovation. The market currently fails as a result of the information gaps around
the re-use of personal data at several levels of the data value chain. Clarity on when
personal data can lawfully be reused is important at multiple levels of the data value chain:
data subjects benefit from transparency at the collection stage, data controllers benefit
from certainty during the publication stage, and society benefits from unlocking the
opportunities of re-use at the impact stage of the data value chain. The UK GDPR sets out
rules for when further processing of personal data is considered compatible with the
purpose for which it was collected, in recognition of the value of re-use of data in certain
circumstances and where safeguards are in place. In the consultation, the government
identified areas of uncertainty and therefore is able to set out proposals to improve clarity
in the legislation and as a result facilitate innovative re-use of data.
k. The Privacy and Electronic Communications Regulations 2003 (PEC Regulations) is
complementary to the UK GDPR and the DPA. PEC Regulations prohibits an organisation
from storing or gaining access to information that is held in the equipment of an individual
(such as computers and mobile phones), unless one of three exceptions apply (such as
the user’s consent). From consultation we know that organisations have found that the
ability to collect data in order to improve services/ websites is difficult to obtain when
relying on consent, and individuals find the number of consent request pop-ups a source of
annoyance and routinely accept the terms without reading them.
l. The government has highlighted its ambition for the UK to harness the power of data for
economic growth and the importance of the data economy to boosting trade37. Currently a
number of barriers to international data transfers exist, including a lack of alignment in
legal frameworks, transfer tools and data adequacy regulations. The complexity of the
regulations has contributed to information gaps for data controllers which have restricted
the international transfers of data. This market failure has an impact at all levels of the data
value chain. The government needs to intervene to achieve its ambition of helping
domestic businesses to connect more easily with foreign markets, while attracting
37 King’s Speech 2024: background briefing notes, (HMG, 2024)
29
investment from abroad by businesses that rightly have confidence in the responsible use
of data within the UK.
m. There are many opportunities to build on the lessons learned from COVID-19 pandemic in
relation to the power of using personal data responsibly in the public interest, and the
benefits of collaboration between the public and private sectors. There are currently some
challenges to do this effectively, including: data infrastructure that is not interoperable;
legal and cultural barriers to data sharing; inconsistent data capability in the workforce; and
financial disincentives that discourage investment. Government intervention is needed to
create a joined-up and interoperable data ecosystem for the public sector that will address
the limitations outlined above, whilst ensuring high levels of public trust.
n. In order for the ICO to perform its function as an agile and forward-looking regulator
a clear mandate for a risk-based and proactive approach to its regulatory activities in line
with best practice of other regulators is needed. A new legislative framework will allow for a
clearer strategic vision for the regulator and the reduction of barriers to data flows.
o. The Government is committed to maintaining a secure national communications network
for smart metering in Great Britain. The body responsible for establishing and operating
this does so under the Smart Meter Communication Licence (‘the DCC Licence’). The
Licence is currently held by Smart DCC Ltd. It was awarded by the government in 2013 for
an initial period of 12 years and is due to expire in September 2025. The process for
Ofgem to identify a successor licensee is set out in primary legislation and further in
regulations. This should lead to the successful selection of a provider, though it does not
guarantee it. To mitigate the risk of a successor licensee not being selected, our proposed
intervention provides Ofgem with greater flexibility in their process for choosing the next
licensee. We do not expect any direct impacts from this measure.
p. The criminal law should adequately protect the public by capturing people who commit
harmful acts so that they can be brought to justice.
Rationale and evidence to justify the level of analysis used in
the IA (proportionality approach)
47. Indicative analysis of those measures in the Data (Use and Access) Act that formed part of the
previous DPDI Bill was previously undertaken at the pre-consultation stage. Since then, the
analysis was updated to reflect consultation responses, discussions with cross-government
experts and external consultants, assessment of the latest literature, and reflections on the
RPC’s comments on the methodology. The Data (Use and Access) Act also includes new
measures not in the previous DPDI Bill or makes substantial changes to previous measures.
This Impact Assessment reflects these changes and additional amendments added during the
Bill’s passage since its introduction in October. A full list of the amendments highlighted in
Table 8 and are listed in full Annex 7.
48. Where evidence is available, we are able to analyse some policies at an individual level,
although there are still uncertainties and evidence gaps. We know that some reforms share
similar channels of impact and implication, so we have continued to analyse policies within
30
groups that are consistent with the expected impacts. This ensures that the analysis remains
novel, proportionate and robust.
49. In order to explore some of the uncertainties surrounding the data, greater use of sensitivity
analysis has been employed across impacts to consider variability in data and assumptions.
50. DSIT has also worked alongside analysts from across Government to establish the rationale,
options, costs and benefits, and finer detail of the impact of reforms where analysis has been
led by their respective organisations and where relevant tailored towards a specific sector.
These organisations are the Department for Business and Trade,38 the Home Office, Central
Digital and Data Office (CDDO), DHSC, DESNZ and the Information Commissioner's Office
(ICO).
51. Where evidence exists that has allowed us to attempt to quantify impacts, this has come from a
variety of sources referenced throughout. DSIT’s UK Business Data Survey continues to be
instrumental in this analysis, providing us with an overview of UK businesses’ use of data and
interaction with data protection. The Annual Survey of International Trade in Services is also
used extensively in our trade and data adequacy modelling. Furthermore, we continue to use
the European Commission’s and Ministry of Justice’s 2012 impact assessments (IAs) of the
then proposed European data protection regulation and where possible, have integrated these
with more recent evidence.
52. Where quantitative evidence is not available, qualitative analysis of impacts has been
undertaken and expanded upon since consultation and introduction, including further literature
reviews and case studies. On particularly uncertain impacts, such as trade and data adequacy,
complementary approaches have been used to provide more evidence of the potential scale of
impacts.
53. As part of ongoing monitoring and evaluation, the framework of impacts explored will continue
to be refined. Monitoring and evaluation will be important in assessing whether and how the
newly proposed reforms will indeed succeed in improving on the deficiencies of previous
regulation and what lessons can be learned for any future revisions.
Description of options considered
Background
54. This section discusses the approach taken to identify the various policy options to ensure that
this Act of reforms delivers the government’s ambition to harness the power of data for
economic growth, to support a modern digital government, and improve people’s lives.
Identifying the correct and most effective set of reforms to achieve this is the key driver behind
the decision-making process and this economic analysis.
55. These ambitions have a strong economic rationale and the opportunity for the UK economy is
substantial, given its superior starting position in comparison to many of its peers. Data driven
companies generated an estimated £343 Billion in annual turnover (6% of total UK turnover) in
38 Smart Data Impact Assessment, DBT (2024)
31
2023. While contributing an estimated £84.9 billion (3.8%) in GVA to the UK economy and
employing 1.5 million people (5% of total UK employees) in all types of roles in 202339.
56. The UK data regime is already among the most comprehensive and open worldwide,40 which is
linked to its superior data governance. The UK needs to ensure that further reforms tackle key
issues and introduce net positive impacts on the economy and society. This framework underpins
the reforms considered and the process through which these were agreed upon.
Process of shortlisting options
57. This section details the approach of shortlisting the initial reforms included in the Data (Use and
Access) Act.
58. Reform measures including Smart Data, Digital identity, NUAR, Online harms and policies from
OGDs went through separate options framework detailed in their own impact assessments (IA)
or De minimis assessment (DMA). These were assessed independently and the preferred
option for those IA/DMAs are the ones in the preferred option here.
59. Reform options were designed to achieve the government's objectives of harnessing the power
of data for economic growth, supporting a modern digital government, and improving people’s
lives. The options continue to underpin a high level of protection for people's personal data and
control for individuals over how their personal data is used. The Government also continues to
recognise that organisations have and are continuing to invest in understanding, complying and
implementing the current regime.
60. A long list of potential reform options was generated in each area, with each option designed to
tackle an identified issue. These were then assessed for their likely impact, benefits and costs
on stakeholders (the public, organisations in the public and private sector and the wider data
economy), and associated risks. The viability of each reform option was then assessed as part
of continued engagement internal and external stakeholders, further policy research and
analysis looking at their legal, practical feasibility, and effectiveness in delivering the intended
policy outcome. Each reform was also re-considered in the context of the wider package of
potential reforms in order to assess its fit and interdependencies with other potential measures.
61. The three options alongside the status -quo/do nothing option all fall on the liberalisation side of
the data - openness scale when compared to the current regime. Our second option is to make
minor changes to the current regime. The intermediate option which looks to combine a suite of
data reform policies together which all aim to innovative the ways in which the UK uses data.
And the do max option which is the data reform options with additional data protection policies.
List of options initially considered
Table 5: Outline of policy options
Option Description
0. Do nothing/status quo No policy change
39 The UK Data Driven Market (DSIT, 2024)
40 As confirmed among multiple studies such as the Global Open Data Index from the Open Knowledge Foundation, and the data
governance study from Washington University
32
1. Do minimum Minor policy changes to the status quo and
current data regime
2. Intermediate option Considerable policy changes to the status quo
and current data regime
3. Do maximum Even bigger policy changes to the status quo, and
a complete overhaul of existing legislation,
repealing and replacing the existing data regime
inc. significant changes to data protection
legislation
62. Throughout the development of the Data (Use and Access) Act changes were proposed
reflecting stakeholder feedback and ongoing policy development. These developments led to a
better understanding of implicit costs and policy risks not previous considered which led to the
data protection and ultimately Do maximum option not being suitable for implementation. A list
of the reforms within the Do maximum options can be found in the annex.
63. There are reform measures inc. Smart Data, Digital identity, NUAR, Online harms and policies
from OGDs went through their own options framework which are in within their own impact
assessments (IA) or De minimis assessment (DMA). These were assessed independently and
the preferred option for those IA/DMAs are the ones in the preferred option here.
33
Do nothing option
64. This option is the benchmark counterfactual and describes a scenario in which the current
regime is continued without change. This is equivalent to retaining the current framework for
data related public service provision. As highlighted in section one, although the current
regime is effective in allowing data use and data transfers, and is relatively liberal in
comparison with other jurisdictions, there are certain limitations that mean the benefits from
this are limited and firms are not maximising their potential gain from data use.
Do minimum option
65. The do minimum option, encapsulates minor policy changes to the current regime in an
attempt to resolve aspects of the market failures. This includes key reforms that aim to
resolve some of the issues identified as part of the policy process. The majority of reforms
have been fairly well received by stakeholders and substantial evidence exists suggesting
that they would have a beneficial impact on the economy, LEAs, UK Intelligence Services,
and society as a whole.
34
Table 6: List of all policies in ‘do minimum’ category41
Reform measure Reform Summary
Research
Purposes ● Consolidating research provisions into a single chapter
Research
Purposes ● Creating a statutory definition of scientific research
Research
Purposes ● Incorporating broad consent for scientific research into legislation
Public Safety and
National Security
(Home Office):
Law Enforcement
Data Reform
Proposal
● National security exemption (DPA 2018 part 3)
Public Safety and
National Security
(Home Office):
Law Enforcement
Data Reform
Proposal
● Data subjects’ rights to information: legal professional privilege exemption (DPA 2018
part 3)
Public Safety and
National Security
(Home Office):
Law Enforcement
Data Reform
Proposal
● Consent to law enforcement processing (DPA 2018 part 3)
Public Safety and
National Security
(Home Office):
Law Enforcement
Data Reform
Proposal
● Law enforcement processing and codes of conduct (DPA 2018 part 3)
Public Safety and
National Security
(Home Office):
Law Enforcement
Data Reform
Proposal
● Logging of law enforcement processing (DPA 2018 part 3) Automated decision making
(DPA 2018 part 3)
Digital Identity ● Enable checks against government-held data but do not create a statutory governance
framework (option 3 in Digital Identity DMA)
Digital Identity ● Create a statutory governance framework to oversee the trust framework (Option 2 in
Digital Identity DMA)
Smart Data (DBT) ● Pursue non-legislative alternatives (Option 1 in Smart Data IA)
Smart Data (DBT) ● Support sector regulators to independently pursue legislative alternatives (option 2 in
Smart Data IA)
Data Architecture
(DHSC)
● Enabling legislation to prepare, publish and mandate standards that apply to the
products and services provided by IT suppliers
Strategy,
Objectives and
Duties
● ICO's Objectives and Duties
Strategy,
Objectives and
Duties
● Statement of Strategic Priorities
Governance
Model and
Leadership
● Remove the Information Commissioner corporate sole structure. Introduce a Board
structure with Chair/CEO.
Governance
Model and
Leadership
● Remove the requirement for Parliament to agree to a change to the IC salary.
35
Do intermediate option
66. The intermediate option encapsulates moderate policy changes to the current regime aiming
to resolve most aspects of the market failures. This involves modernising and digitalising
government services provision. It also incorporates key reforms which aim to address those
set out in the King’s Speech (see paragraph 6).
Table 7: List of all polices in ‘do intermediate’ category
Reform
measure Reform Summary
Research
Purposes ● Consolidating research provisions into a single chapter
Research
Purposes ● Creating a statutory definition of scientific research
Research
Purposes ● Incorporating broad consent for scientific research into legislation
Research
Purposes
● Extending the “disproportionate effort” exemption on information provision
requirements for further processing for research purposes of personal data
collected directly from the data subject
Research
Purposes
● Extending the exemptions from the regime when conducting scientific
research to include when that research is carried out in a commercial setting.
Further
Processing ● Clarifying how personal data can be further processed for research purposes
Further
Processing
● Clarifying that further processing for an incompatible purpose may be lawful
when based on a law that safeguards an important public interest or when the data
subject has re-consented
Further
Processing
● Exempt archives from further processing rules where personal data was
originally obtained in reliance on consent.
Legitimate
interests
● Recognised Legitimate Interests. The act will introduce a new lawful ground
for non-public bodies when processing personal data for “recognised legitimate
interests”. This is limited to a small number of public interest objectives, such as
the prevention of crime, safeguarding vulnerable individuals and responding to
emergencies. Under the current law, data controllers have to do a detailed
assessment of whether their interests are outweighed by the rights of data subjects
when processing personal data for such purposes
AI and Machine
Learning ● Future proofing Article 22
AI and Machine
Learning
● Enhancing the approach to explainability and accountability for fair
processing in the context of AI
AI and Machine
Learning
● Clarifying the circumstances in which safeguards apply to significant
decisions that are taken about individuals on the basis of profiling.
Data Adequacy ● Underpinning the UK’s future approach to data adequacy regulations with
principles of risk-assessment and proportionality
Data Adequacy ● Relaxing the requirement to review data adequacy regulations every 4 years
Alternative
Transfer
Mechanisms
● Power for SoS to formally recognise new ATMs
Alternative
Transfer
Mechanisms
● Changes to the standard approach to alternative transfer mechanisms. (Art
46)
Alternative
Transfer
Mechanisms
● Ensuring businesses are able to continue to use their pre-bill existing transfer
mechanisms without a requirement for further checks and avoiding additional
costs.
Alternative
Transfer
Mechanisms
● Clarifying that transfers of personal data under the UK-US Data Access
Agreement can be made under the ‘public interest tasks’ lawful ground
36
Reform
measure Reform Summary
Public Interest
● Clarifying that private organisations & individuals asked to carry out an
activity on behalf of a public body may rely on that body’s lawful ground for
processing the personal data under Art 6(1)(e)
Digital Economy
Act 2017
(CDDO)
● To extend powers under section 35 of the Digital Economy Act 2017 aimed at
improving public service delivery to business undertakings, beyond the current
scope of solely individuals and households
Public Safety
and National
Security (Home
Office): Subject
Access
Requests
● Time limits for responding to requests by data subjects (SAR) (DPA 2018
part 3/4)
Public Safety
and National
Security (Home
Office): Part 4
● Amendments to Part 4 of the DPA 2018 - Joint processing by intelligence
services and competent authorities
Public Safety
and National
Security (Home
Office): Law
Enforcement
Data Reform
Proposal
● National security exemption (DPA 2018 part 3)
Public Safety
and National
Security (Home
Office): Law
Enforcement
Data Reform
Proposal
● Data subjects’ rights to information: legal professional privilege exemption
(DPA 2018 part 3)
Public Safety
and National
Security (Home
Office): Law
Enforcement
Data Reform
Proposal
● Consent to law enforcement processing (DPA 2018 part 3)
Public Safety
and National
Security (Home
Office): Law
Enforcement
Data Reform
Proposal
● Law enforcement processing and codes of conduct (DPA 2018 part 3)
Public Safety
and National
Security (Home
Office): Law
Enforcement
Data Reform
Proposal
● Logging of law enforcement processing (DPA 2018 part 3) Automated
decision making (DPA 2018 part 3)
Public Safety
and National
Security (Home
Office):
● Transfers based on special circumstances (Schedule 6 DPA, Section
76)Subsequent transfer's (Section 78 DPA)
37
Reform
measure Reform Summary
International
Transfers
Public Safety
and National
Security (Home
Office):
International
Transfers
● Clarify conditions on the use of international processors by UK competent
authorities (Part 3 DPA)
Public Safety
and National
Security (Home
Office):
Biometrics
● Retention of biometric data and recordable offences
Public Safety
and National
Security (Home
Office):
Biometrics
● Retention of biometric data from INTERPOL
Public Safety
and National
Security (Home
Office):
Biometrics
● Retention of biometric data from other international partners
The National
Underground
Asset Register
● National Underground Asset Register Legislation to underpin a national
register of underground assets (cables etc.)
The National
Underground
Asset Register
● Create powers to ensure the full participation by all owners of underground
assets in NUAR and enable a sustainable charging regime.
Data
Preservation
Notices
● Establishing a data preservation process which will require OFCOM,
following instruction by a coroner, to issue data preservation notices to online
service companies to ensure they retain data that may later be requested by a
coroner when carrying out an inquest into a child's death.
Smart Meter
Data (DESNZ)
● Create new power to give Ofgem more flexibility in the process it needs to
follow to identify the successor holder of the Smart Meter Communication Licence.
Smart Meter
Data (DESNZ)
● Enable Ofgem to modify conditions of existing licences and industry codes if
it considers that it is necessary or expedient to do for the purpose of granting a
Smart Meter Communication Licence.
Online safety
researchers
access to data
● Create powers for the Secretary of State (SoS) to place a duty on platforms
to comply with any regulations later passed by SoS allowing researchers access to
certain data held by platforms.
Electoral
Purposes
● Amend Schedule 1 of the Data Protection Act 2018 so that the 4 day
threshold in which outgoing elected representatives have to process special
category data on behalf of their constituents without explicit consent, is changed to
30 days, to overcome these operational barriers.
Electoral
Purposes
● Amending exemptions in Sch 1 DPA 2018 (special category data) to permit
elected representatives to process political opinions data.
Subject Access
Requests
● Clarifying that controllers are not required to make disproportionate searches
in response to subject access requests - necessary as a result of the loss of the EU
principle of proportionality under the REUL Act. (Home Office measure)
Privacy and
electronic
communications
● To add three low privacy risk exceptions to the prohibition on storing
information, or accessing information stored, on a user’s connected device. For
example, collecting statistical information to improve the service/website requested
by the user.
Privacy and
electronic
communications
● Empowering ICO to take action against organisations for the number of
unsolicited direct marketing calls 'sent' as well as calls 'received' and connected.
38
Reform
measure Reform Summary
Privacy and
electronic
communications
● Amending the regulations’ powers of enforcement so that they are aligned
with the enforcement regime under the Data Protection Act 2018, including fine
levels, whilst keeping bespoke tools such as third-party information notices.
Privacy and
electronic
communications
● Extending approved code of conduct provisions under Article 40 UK GDPR to
the PEC Regulation
Privacy and
electronic
communications
● Extending the reporting period for breaches under reg 5A PEC Regulation
from 24 to 72 hours
Updating
Special
Category Data
● Create a new power for the Secretary of State to add new types of data to the
list of special categories of data that get extra protection. This will provide the
flexibility to add new types in the future including in response to new technological
developments, to ensure heightened protections for citizens.
Digital Identity ● eIDAS/trust services
Digital Identity ● Data checking gateway
Digital Identity ● Trust framework accreditation and certification
Digital Identity ● Trust framework governance
Digital Identity ● Validity of digital identity
Digital Identity ● Mutual recognition of digital identities
Digital Identity ● Mutual recognition of trust services
Digital Identity ● Welsh and Scottish safeguards for Digital Verification Services
Digital Identity
● Include a power for DSIT SoS to approve additional rules for particular
sectors or use cases which build on the rules in the UK digital identity and
attributes trust framework; to make provision for organisations to be certified
against those additional rules; and to make provision for the DVS Register to note
which sets of additional rules (if any) an organisation has been certified against in
addition to the trust framework. In policy terms, we refer to a set of additional rules
as a ‘scheme’, and we expect the equivalent term in the Act to be ‘supplementary
code’.
Digital Identity
● To amend the Immigration Act 2014 and the Immigration Asylum and
Nationality Act 2006 to permit regulations to specify that, where digital checks are
undertaken, these are undertaken by a DVS provider on the DVS register.
Smart Data
(DBT)
● Smart Data: Introduction of primary legislation, creating new “regulation-
making” powers to enable Smart Data schemes to be introduced in any given
sector. 1]
Smart Data
(DBT)
● Expanding the definition of ‘‘customer data’’ to include transactions between
the customer and third parties, and clarify the scope of action initiation, or ‘write
access’ services
Smart Data
(DBT)
● Provisions to clarify the powers of enforcers to investigate and monitor
compliance, and the process for setting fines, penalties and fees and to allow
existing data sharing requirements in other legislation to be incorporated into Smart
Data regulations.
Smart Data
(DBT)
● Clarification of the power to make provision in connection with business data
– to expressly facilitate a Smart Data delivery model where data holders provide
business data to a specified third party, who then provides (or publishes) the
business data to other third parties
Data
Architecture
(DHSC)
● Enabling legislation to prepare, publish and mandate standards that apply to
the products and services provided by IT suppliers
Data
Architecture
(DHSC)
● Enabling legislation to prepare, publish and mandate standards that apply to
the products and services provided by IT suppliers, to ensure that those products
and services enable and support data to be accessed, interrogated and processed
in real time by anyone with the basis to appropriately access that data, irrespective
of the system used by the health or social care provider who collated, produced or
otherwise processed that data.
39
Reform
measure Reform Summary
Home Office:
Public Interest ● Processing in reliance on relevant international law (Joint DSIT/HO measure)
Home Office:
Sensitive
Processing
● Power to add categories of sensitive processing (Mirroring provision from
UKGDPR to Part 3 and 4 DPA)
Public Safety
and National
Security (Home
Office): Birth and
Deaths
● Remove the requirement for paper birth and death registers moving to an
electronic register
Strategy,
Objectives and
Duties
● ICO's Objectives and Duties
Strategy,
Objectives and
Duties
● Statement of Strategic Priorities
Governance
Model and
Leadership
● Remove the Information Commissioner corporate sole structure. Introduce a
Board structure with Chair/CEO.
Governance
Model and
Leadership
● Remove the requirement for Parliament to agree to a change to the IC salary.
Accountability
and
Transparency
● Accountability and Transparency - require publication of key documents
Accountability
and
Transparency
● Statutory codes of practice - ICO required to undertake and publish an impact
assessment and consult with a panel of experts when developing or updating
statutory codes of practice, unless exempt
Complaints ● Complaints - organisations required to have a complaint handling process
Enforcement
Powers ● Enforcement - power to commission technical reports
Enforcement
Powers ● Enforcement - power to compel witnesses to attend interview
Enforcement
Powers ● Enforcement - notice of intent extension
Enforcement
Powers ● Enforcement - without attending premises clarification
Do Maximum option
67. Reforms in the “Do maximum” option were deemed to not currently meet the bar set in terms
of available evidence or feasibility to progress at this stage. Amassing the evidence and
balancing priorities would introduce delays and the Government is prioritising making
progress quickly on the issue of data policy.
68. The preferred option was the intermediate package of reforms, outlined above. This set of
options were expected to meet objectives of the government has prioritised harnessing the
power of data for economic growth, supporting a modern digital government, and improving
people’s lives. Changes were later made to consider policy risks and implicit costs. Going
forward in this impact assessment we assess the costs and benefits of the preferred option
only compared to the baseline ‘do nothing’ scenario.
40
Policy objective
69. The proposed set of reforms that form part of the preferred package are designed to benefit
the UK as a whole. These include policies targeted at resolving market failures for both the
private and public sector as well as creating a framework for effective oversight of the UK’s
data protection regime. These sets of reforms largely reflect and align with the priorities set
out in the Kings Speech: harnessing the power of data for growth, improving people’s lives,
and a modern digital government.
70. The objective of Smart Data legislation is to enable new, and accelerate existing, Smart
Data schemes, and create a common framework for consistent regulations. This is intended
to improve poor consumer and business outcomes, increase competition, create greater
opportunities for innovation, produce time saving for users, reduce costs, increase the
quality of services, improve the security of data sharing and increase the trust in data
sharing mechanisms.42
71. Reforms to enable people to use swift and secure identification to prove things about
themselves aim to unlock economic gains associated with a functioning digital identity
system, enabling the full realisation of the digital economy. Having a system which is more
secure can support protection against fraud for businesses and people and enhance privacy.
There is also an aim to promote inclusive solutions and remove barriers to inclusion. More
information on how the proposed policy will overcome market failures in the digital identity
market can be found in the Digital identity and attributes - De Minimis Assessment.43
72. The National Underground Asset Register will provide secure access to privately and
publicly owned location data from 700+ organisations about the pipes and cables beneath
our feet. The digital map gives planners and excavators standardised access to the data
they need, when they need it, to carry out their work effectively and safely. It also includes
features to keep data secure and improve its quality over time. The policy objectives include
increased efficiency of data sharing; reduced asset strikes; reduced disruptions for citizens
and businesses; and expedited delivery of projects like new roads, new houses and
broadband roll-out.
73. The objective of removing the requirement for paper birth and death registers moving to an
electronic register is to introduce a change to the legislation which will remove the
requirement for paper registers to be held in 175 Local Authorities. Local Authorities within
England relate to county, district or parish councils, London borough councils, the Common
Council of the City of London and the Council of the Isles of Scilly. In Wales, Local
Authorities relate to any county, county borough or community council in Wales. This
removes the requirement for records of births, still-births and deaths to be held in two
mediums (paper and online). There will be no requirement for registrars to store paper
registers in the future reducing the risk of loss or theft of those registers for those seeking to
commit identity fraud, therefore resulting in public protection and counter fraud benefits. The
move to an electronic register will provide savings to central and local governments and
remove the duplication of processes.
42 Smart Data Impact Assessment 2024 - DBT
43 Digital identity and attributes - De Minimis Assessment, 2024 DSIT
41
74. The objective for changing data use in the health and social care sector, across providers of
care and IT systems, is using information standards to ensure systems are fully
interoperable, so data can flow through the system in a usable and standardised form. The
measures provided in the DUA act are intended to enable this vision to be delivered further,
faster – by extending the scope of information standards to apply to IT suppliers of products
and services used in the health and care system. Further, there is value to patients from
improved patient safety. In addition, improved standardisation of information will facilitate
research and promote innovation, further supporting improved patient outcomes, as well as
improved decision-making enabled by access to accurate and complete information and
supporting a more dynamic and responsive health and care IT market.
75. The proposed reforms aim to update UK data processing laws, including those related to law
enforcement and national security, to maintain high data protection standards and bolster
public confidence in how the public sector uses data. The Home Office seeks to simplify
legislation, reduce administrative burdens, and ensure consistency across data processing
regimes, such as aligning the definition of consent in law enforcement with UK GDPR. The
reforms will also support Law Enforcement Agencies in making better use of Automated
Decision Making (ADM), and improve international data flows
76. There has been growing global support for legislation providing independent researchers
access to online safety related data to conduct associated research. This issue was
raised during the passage of the OSA. Good quality research will help identify unknown or
emerging risks and will provide evidence on the impact of providers’ activities, enabling
protective actions from Ofcom, government, providers, and civil society. The European
Union’s Digital Services Act mandates access to data for researchers. This provision aims to
provide SoS with the ability to create regulations on researchers’ access to data. Should
SoS decide to regulate, the regulations will provide a legal basis for researchers to request
or access online safety related information to conduct research. The evidence base for the
decision to introduce a framework, as well as what any future framework will look like, will be
developed by Ofcom’s report into the matter and a government consultation.
77. Reforms also seek to ensure your data is well protected. We are modernising and
strengthening the ICO. It will be transformed into a more modern regulatory structure, with a
CEO, board and chair. And it will have new, stronger powers. This will be accompanied by
targeted reforms to some data laws that will maintain high standards of protection but where
there is currently a lack of clarity impeding the safe development and deployment of some
new technologies.
78. A further reform objective is to establish a Data Preservation Process that coroners (and
procurators fiscal in Scotland) can initiate when they decide it is necessary and appropriate
to support their investigations into a child’s death. This will help coroners get access to
online information they need when investigating a child’s death.
79. These policies are designed to boost trade and remove barriers to international data
flows. Consumers and businesses collect, share and process personal data internationally
in order to use or trade digital products and services. According to the World Trade
Organisation, trade in data-enabled services grew from $1.0 trillion in 2005 to $3.9 trillion in
42
2022.44 Data flows have a larger impact in raising world GDP than the trade in goods.45 In
2024 the UK exported £330 billion in data enabled services (65% of total UK services
exports) and imported £154 billion in data-enabled services (49% of total UK services
imports).46
80. The objective of amending the Smart Meter Communication licensing procedure is to provide
Ofgem with flexibility in the way in which it appoints the future licence holder. The process
for Ofgem to identify a successor licensee is set out in primary legislation and further in
regulations. Ofgem has recently consulted on the specific measure in this Act, proposing
that changes to the legislative framework that specifies the process by which a new licensee
is appointed, would be in the interests of consumers. This consultation engaged industry
stakeholders, including the incumbent licence holder.
81. Separately, since 2021, in anticipation of the current DCC licence term coming to an end,
Ofgem have been undertaking a review of the regulatory framework for it. They have
consulted with industry at each stage of the development of that framework.47 A September
2022 consultation set out the key principles that they were seeking to achieve, together with
a series of proposed regulatory options, evaluated against those principles. That
consultation culminated in a published document in August 2023 setting out Ofgem’s
decisions on the overarching regulatory framework. A wide variety of industry stakeholders,
including the incumbent, were engaged in and responded to that consultation.
82. The proposed measure does not impact on the regulatory framework for the future licence
which Ofgem will implement using its existing powers. Rather the measure aims to provide
flexibility in how the process to appoint the licensee is carried out.
Amendments made to the preferred package of reforms (October 2024 – June 2025)
83. Since the Bill’s introduction in October 2024, a number of amendments were proposed,
reflecting stakeholder feedback and further policy development. These are set out in the
amendment papers for the Bill. These amendments were made as the Bill progressed
through the Lords and Commons. The impact analysis section has assessed these
amendments where there are additional economic or wider impacts to UK businesses, the
public sector or data subjects. For substantial technical and policy amendments, we have
included an outline of their rationale for inclusion. These include the following:
Table 8: List of all amendments since the DUA Bill’s introduction (October 2024)
Amendment Rationale for inclusion
Lawfulness of Processing & Rights
of Data Subjects: This amendment
adds an express reference to
children meriting specific protection
with regard to their personal data
when the SoS is considering
whether to use regulations to add to
During Lords Committee stage, peers raised concerns about what
they saw to be a lack of specific protections for children’s personal
data. They emphasised children’s unique vulnerabilities and the
need for stringent safeguards across educational, social media,
and health platforms. A key issue was the omission of the opening
part of Recital 38 of the UK GDPR, which states, 'Children merit
specific protection with regard to their personal data,' from Clause
46 DSIT Internal analysis estimating the UK’s data enabled services trade using ONS experimental estimates for proportion of
UK services trade delivered remotely.
47 https://www.ofgem.gov.uk/decision/dcc-review-phase-1-decision
43
the list of ‘recognised legitimate
interests’
91 of the Act, which provides the ICO with a duty to consider that
children may be less aware of the risks of consequences of
processing and their rights in relation to it in all its data protection
activities where relevant. To address these concerns and ensure
consistency in areas where similar language was used, the
amendment adds the opening wording from recital 38 to the start
of the existing duty in Clauses 70 (recognised legitimate interests)
and 91 (the ICO’s duties). The amendment was designed to
improve the clarity of an existing Act provision in Clauses 70 and
91.
Information Commissioner’s Office -
Privacy by design: children’s higher
protection matters
This amendment builds on existing duties under Article 25 of the
UK GDPR to design their processing activities in a way that
complies with the data protection principles. It requires Information
Society Services that are likely to be accessed by children (and are
already subject to the Age-Appropriate Design Code) to consider
how best to protect and support children when designing their
services; and to take account of the fact that children merit specific
protection because they may be less aware of the risks of the
processing, and may have different needs at different ages.
During Lords stages of the Bill, peers raised concerns that the ICO
duty alone would not sufficiently increase protections for children,
unless data controllers were also under a clear legal obligation to
consider children’s interest in the design of their processing
activities.
Direct Marketing - Regulation 22 of
the PEC Regulations prohibits the
transmission, by means of electronic
mail, of unsolicited communications
to individual subscribers. This
amendment creates an exception
from the prohibition for direct
marketing carried out by a charity for
charitable purposes.
Regulation 22 of the PEC Regulations applies to the transmission
of unsolicited communications by electronic mail to individual
subscribers. Electronic mail covers, among others, communication
by email or text messages. Under this regulation unsolicited
communication by such means is in principle prohibited without the
recipient’s consent, unless exceptions apply.
Currently regulation 22 of the PEC Regulations provides for one
exception. It allows anyone (companies, charities, or other
organisations) to send electronic marketing communications to an
individual (recipient) without their explicit consent, if their contact
details were collected during the sale of a product or service, or
negotiations of a sale. The direct marketing materials benefiting
from this exception may only concern similar products and services
and the individual recipient must be offered a simple means of
opting out of receiving marketing communications, both at the time
the contact details are collected and in all subsequent
communication sent. Both safeguards are aimed at limiting an
individual’s exposure to spam and nuisance communications. This
exception is commonly known as the ‘soft opt-in'.
The current exception does not enable charities to send direct
marketing messages to individuals in order to fundraise or promote
campaigns, which is a core activity for some charities in helping
them to deliver their charitable purpose(s). The government
engaged with stakeholders, listening to the concerns raised by the
sector over the difficulties it has experienced through covid and
cost of living situation and has taken steps to support charities
resilience.
44
Smart Data During the Act’s passage through the House of Commons, the
government introduced amendments to Part 1 which are
summarised below under four groups. These amendments were
accepted and now form part of the Act.
Group 1 – These amendments expressly allow regulations to
require business data to be provided to a third party appointed by a
public authority and to require that third party to publish or disclose
the business data.
Group 2 – This group of amendments contains changes to fee
charging under section 11. The amendments have the following
aims:
a. Allowing regulations to provide for charging of fees that
exceed expenses where appropriate. Under the initial
drafting, regulations could only enable persons listed in
section 11(2) (including data holders, decision makers,
interface bodies, enforcers and others) to charge fees to
cover the costs of performing duties or exercising powers
conferred by or under Part 1 regulations. The amendment
ensures that Smart Data schemes can operate on a
commercial basis if necessary.
b. Enabling regulations to clarify whether or not powers to
charge arising outside of regulations made under Part 1
can be used to charge fees in connection with performing
duties or exercising powers conferred by or under those
regulations. The amendment also provides that section 11
does not prevent or limit what third-party recipients can
charge (with some exceptions). The policy intention has
always been that the basis of charging arrangements
between third party recipients and customers is a
commercial matter for them to determine.
c. The amendments to section 15, mirror the changes above,
ensuring that the Treasury’s power to confer rule-making
powers on the FCA regarding fees is consistent with the
general fee charging power under section 11.
Group 3: This group contains amendments regarding The
Treasury’s power to confer rule making powers to the FCA. The
amendments to section 14, allow the Treasury to delegate powers
to the FCA to set rules around interface requirements for persons
who are enabled by regulations to take action on behalf of a
customer (sometimes referred to as action initiation). This
amendment brought the drafting of the Act in line with the policy
intention and will ensure that Open Banking-enabled payments
continue to work effectively.
Group 4: The government also introduced further amendments
that are either clarifying amendments or have otherwise been
assessed to have minimal impact.
45
New section 251ZC of the Health
and Social Care Act 2012 (public
censure of relevant IT providers) if
that would contravene the data
protection legislation.
Government minor and technical amendment – details are
captured in the commons amendments48
NUAR - Devolved Government
Consent
The NUAR measures legislate in a devolved area. Amendments
tabled during Bill passage mean that the Secretary of State will be
required to gain the consent of devolved governments before
regulations can be made, where the regulations relate to apparatus
in the street in Wales and Northern Ireland, or otherwise touch on
devolved competencies.
NUAR - Requirement to produce
guidance
This amendment requires The Secretary of State to produce
guidance for persons gaining access to NUAR through regulations
made under section 106C and article 45C informing them on how
to protect information kept in, or obtained from, NUAR.
Adds references to investigating
crime to existing references in the
Data Protection Act 2018 to
detecting or preventing crime.
Government minor and technical amendment
Copyright works and artificial
intelligence systems
This clause commits the government to publishing a report and
Impact Assessment within 9 months of Royal Assent:
• The Impact Assessment will cover the options laid out in the
consultation, as well as any alternative options that are under
consideration.
• The Report will cover the policy options from the consultation
as well as any other options the Secretary of State considers
appropriate following the consultation.
The report must consider and make proposals with regard to;
• Technical measures and standards that may be used to control
use of works, or accessing works by webcrawlers
• The effect of copyright on access to and use of data by AI
developers, including SMEs
• The disclosure of information by AI developers about their use
of copyright works and how they have accessed them
(transparency)
• Licensing of copyright works for AI training
• Potential approaches to models trained overseas
Approaches to enforcement of rules relating to copyright, AI and
web crawlers, including potential future regulatory options.
48 Data (Use and Access) Bill [HL]
46
Summary of preferred option with description of
implementation plan
84. This section and the rest of this Impact Assessment reflects the original preferred package of
reforms combined with the changes made throughout the policy development of the DUA
Bill. The table below provides a list and summary of all of these reforms.
Table 9: All policy reforms and measures included in the preferred package
Reform
measure Reform Summary
Original measures as introduced October 2024
Research
Purposes ● Consolidating research provisions into a single chapter
Research
Purposes ● Creating a statutory definition of scientific research
Research
Purposes ● Incorporating broad consent for scientific research into legislation
Research
Purposes
● Extending the “disproportionate effort” exemption on information provision
requirements for further processing for research purposes of personal data
collected directly from the data subject
Research
Purposes
● Extending the exemptions from the regime when conducting scientific
research to include when that research is carried out in a commercial setting.
Further
Processing
● Clarifying how personal data can be further processed for research
purposes
Further
Processing
● Clarifying that further processing for an incompatible purpose may be lawful
when based on a law that safeguards an important public interest or when the
data subject has re-consented
Further
Processing
● Exempt archives from further processing rules where personal data was
originally obtained in reliance on consent.
Legitimate
interests
● Recognised Legitimate Interests. The Act will introduce a new lawful ground
for non-public bodies when processing personal data for “recognised legitimate
interests”. This is limited to a small number of public interest objectives, such as
the prevention of crime, safeguarding vulnerable individuals and responding to
emergencies. Under the current law, data controllers have to do a detailed
assessment of whether their interests are outweighed by the rights of data
subjects when processing personal data for such purposes
AI and Machine
Learning ● Future proofing Article 22
AI and Machine
Learning
● Enhancing the approach to explainability and accountability for fair
processing in the context of AI
AI and Machine
Learning
● Clarifying the circumstances in which safeguards apply to significant
decisions that are taken about individuals on the basis of profiling.
Data Adequacy ● Underpinning the UK’s future approach to data adequacy regulations with
principles of risk-assessment and proportionality
Data Adequacy ● Relaxing the requirement to review data adequacy regulations every 4
years
Alternative
Transfer
Mechanisms
● Power for SoS to formally recognise new ATMs
Alternative
Transfer
Mechanisms
● Changes to the standard approach to alternative transfer mechanisms. (Art
46)
47
Alternative
Transfer
Mechanisms
● Ensuring businesses are able to continue to use their pre-bill existing
transfer mechanisms without a requirement for further checks and avoiding
additional costs.
Public Interest
● Lawful ground for transferring personal data under the UK-US Data Access
Agreement
● Clarifying that private organisations & individuals asked to carry out an
activity on behalf of a public body may rely on that body’s lawful ground for
processing the personal data under Art 6(1)(e)
Digital Economy
Act 2017
(CDDO)
● To extend powers under section 35 of the Digital Economy Act 2017 aimed
at improving public service delivery to business undertakings, beyond the current
scope of solely individuals and households
Public Safety
and National
Security (Home
Office): Part 4
● Amendments to Part 4 of the DPA 2018 - Joint processing by intelligence
services and competent authorities
Public Safety
and National
Security (Home
Office): Law
Enforcement
Data Reform
Proposal
● National security exemption (DPA 2018 part 3)
Public Safety
and National
Security (Home
Office): Law
Enforcement
Data Reform
Proposal
● Data subjects’ rights to information: legal professional privilege exemption
(DPA 2018 part 3)
Public Safety
and National
Security (Home
Office): Law
Enforcement
Data Reform
Proposal
● Consent to law enforcement processing (DPA 2018 part 3)
Public Safety
and National
Security (Home
Office): Law
Enforcement
Data Reform
Proposal
● Law enforcement processing and codes of conduct (DPA 2018 part 3)
Public Safety
and National
Security (Home
Office): Law
Enforcement
Data Reform
Proposal
● Logging of law enforcement processing (DPA 2018 part 3) Automated
decision making (DPA 2018 part 3)
Public Safety
and National
Security (Home
Office):
International
Transfers
● Transfers based on special circumstances (Schedule 6 DPA, Section 76)
Subsequent transfer's (Section 78 DPA)
Public Safety
and National
● Clarify conditions on the use of international processors by UK competent
authorities (Part 3 DPA)
48
Security (Home
Office):
International
Transfers
Public Safety
and National
Security (Home
Office):
Biometrics
● Retention of biometric data and recordable offences
Public Safety
and National
Security (Home
Office):
Biometrics
● Retention of biometric data from INTERPOL
Public Safety
and National
Security (Home
Office):
Biometrics
● Retention of biometric data from other international partners
The National
Underground
Asset Register
● National Underground Asset Register Legislation to underpin a national
register of underground assets (cables etc.)
The National
Underground
Asset Register
● Create powers to ensure the full participation by all owners of underground
assets in NUAR and enable a sustainable charging regime.
Data
Preservation
Notices
● Establishing a data preservation process which will require OFCOM,
following instruction by a coroner, to issue data preservation notices to online
service companies to ensure they retain data that may later be requested by a
coroner when carrying out an inquest into a child's death.
Smart Meter
Data (DESNZ)
● Create new power to give Ofgem more flexibility in the process it needs to
follow to identify the successor holder of the Smart Meter Communication
Licence.
● Enable Ofgem to modify conditions of existing licences and industry codes if
it considers that it is necessary or expedient to do for the purpose of granting a
Smart Meter Communication Licence.
Online safety
researchers
access to data
● Create powers for the Secretary of State (SoS) to place a duty on platforms
to comply with any regulations later passed by SoS allowing researchers access
to certain data held by platforms.
Electoral
Purposes
● Amend Schedule 1 of the Data Protection Act 2018 so that the 4-day
threshold in which outgoing elected representatives have to process special
category data on behalf of their constituents without explicit consent, is changed
to 30 days, to overcome these operational barriers.
Electoral
Purposes
● Amending exemptions in Sch 1 DPA 2018 (special category data) to permit
elected representatives to process political opinions data.
Subject Access
Requests
(Joint DSIT/HO)
● Clarifying that controllers are not required to make disproportionate
searches in response to subject access requests - necessary as a result of the
loss of the EU principle of proportionality under the REUL Act
Subject Access
Requests
(Joint DSIT/HO)
● Time limits for responding to requests by data subjects (SAR) (DPA 2018
Part 3/4)
Privacy and
electronic
communications
● To add three low privacy risk exceptions to the prohibition on storing
information, or accessing information stored, on a user’s connected device. For
example, collecting statistical information to improve the service/website
requested by the user
Privacy and
electronic
communications
● Empowering ICO to take action against organisations for the number of
unsolicited direct marketing calls 'sent' as well as calls 'received' and connected.
49
Privacy and
electronic
communications
● Amending the regulations’ enforcement tools and sanctions so that they are
aligned with the regime under the Data Protection Act 2018, including fine levels,
whilst keeping bespoke tools such as third-party information notices.
Privacy and
electronic
communications
● Extending approved code of conduct provisions under Article 40 UK GDPR
to the PEC Regulation
Privacy and
electronic
communications
● Extending the reporting period for breaches under reg 5A PEC Regulation
from 24 to 72 hours
Updating
Special
Category Data
● Create a new power for the Secretary of State to add new types of data to
the list of special categories of data that get extra protection. This will provide the
flexibility to add new types in the future including in response to new technological
developments, to ensure heightened protections for citizens.
Digital Identity ● eIDAS/trust services
Digital Identity ● Data checking gateway
Digital Identity ● Trust framework accreditation and certification
Digital Identity ● Trust framework governance
Digital Identity ● Validity of digital identity
Digital Identity ● Mutual recognition of digital identities
Digital Identity ● Mutual recognition of trust services
Digital Identity ● Welsh and Scottish safeguards for Digital Verification Services
Digital Identity
● Include a power for DSIT SoS to approve additional rules for particular
sectors or use cases which build on the rules in the UK digital identity and
attributes trust framework; to make provision for organisations to be certified
against those additional rules; and to make provision for the DVS Register to note
which sets of additional rules (if any) an organisation has been certified against in
addition to the trust framework. In policy terms, we refer to a set of additional
rules as a ‘scheme’, and we expect the equivalent term in the Act to be
‘supplementary code’.
Digital Identity
● To amend the Immigration Act 2014 and the Immigration Asylum and
Nationality Act 2006 to permit regulations to specify that, where digital checks are
undertaken, these are undertaken by a DVS provider on the DVS register.
Smart Data
(DBT)
● Smart Data: Introduction of primary legislation, creating new “regulation-
making” powers to enable Smart Data schemes to be introduced in any given
sector.[
Smart Data
(DBT/HMT)
• That the Smart Data primary legislation includes the four groups of Smart
Data amendments introduced throughout the Data (Use and Access) Act’s
passage through parliament, as set out in Table 8.
Data
Architecture
(DHSC)
● Enabling legislation to prepare, publish and mandate standards that apply
to the products and services provided by IT suppliers
Data
Architecture
(DHSC)
● Enabling legislation to prepare, publish and mandate standards that apply
to the products and services provided by IT suppliers, to ensure that those
products and services enable and support data to be accessed, interrogated and
processed in real time by anyone with the basis to appropriately access that data,
irrespective of the system used by the health or social care provider who collated,
produced or otherwise processed that data.
Public Safety
and National
Security (Home
Office): Birth and
Deaths
● Remove the requirement for paper birth and death registers moving to an
electronic register
Strategy,
Objectives and
Duties
● ICO's Objectives and Duties
Strategy,
Objectives and
Duties
● Statement of Strategic Priorities
50
Governance
Model and
Leadership
● Remove the Information Commissioner corporate sole structure. Introduce a
Board structure with Chair/CEO.
Governance
Model and
Leadership
● Remove the requirement for Parliament to agree to a change to the IC
salary.
Accountability
and
Transparency
● Accountability and Transparency - require publication of key documents
Accountability
and
Transparency
● Statutory codes of practice - ICO required to undertake and publish an
impact assessment and consult with a panel of experts when developing or
updating statutory codes of practice, unless exempt
Complaints ● Complaints - organisations required to have a complaint handling process
Enforcement
Powers ● Enforcement - power to commission technical reports
Enforcement
Powers ● Enforcement - power to compel witnesses to attend interview
Enforcement
Powers ● Enforcement - notice of intent extension
Enforcement
Powers ● Enforcement - without attending premises clarification
Measures introduced via amendments
National
Underground
Asset Register
• Guidance will be required to be provided to end users to about how to protect
information kept in or obtained from NUAR
National
Underground
Asset Register
• Changes made to reflect agreement with devolved government establishing
how the devolved governments will be engaged in the delivery of NUAR
regulations.
Express
reference to
children meriting
specific
protection with
regard to their
personal data
• Provides ICO with a duty to consider that children may be less aware of the
risks of consequences of processing and their rights in relation to it in all its
data protection activities where relevant.
Data protection
by design:
children’s higher
protection
matters
• Provides ICO with a duty to consider that children may be less aware of the
risks of consequences of processing and their rights in relation to it in all its
data protection activities where relevant.
Creating, or
requesting the
creation of,
purported
intimate image
of an adult
• Criminalising the creation, or requesting the creation of, a purported intimate
image (deepfake) of another person aged 18 or over without the adult’s
consent or reasonable belief in consent.
Copyright works
and artificial
intelligence
systems
• The Act requires that a set of reports on the use of copyright works in the
development of AI systems are published within 9 months, and that a
statement of progress is provided within 6 months
Direct Marketing • Allowing charities to send direct marketing for the purposes of furthering one
or more of their charitable purposes.
51
85. A theory of change sets out how policies have direct and indirect effects that contribute to
achieving final intended outcomes and objectives. We have developed a theory of change
for our preferred package of policies using economic principles and evidence of the impact
of comparable policies.
86. The figure below sets out the theory of change for the group of reforms. Where we have
sufficient evidence and we have been able to make reasonable assumptions, we have
quantified the net impact in terms of changes relative to the baseline. We assume the
baseline is where the status quo remains in place with respect to the current data protection
regime.
87. The preferred package of policy options is designed to correct for the current market failures
by encouraging greater responsible data use, reducing costs for businesses and
encouraging more effective use of personal data in public organisations. As a result of this
we expect to see an increase in productivity across businesses in the UK and an increase in
trade as international data transfers increase.
88. More detailed theory of change for the Smart Data initiatives49, Digital Identity50, National
Underground Asset Register51 and Interoperability of Health Care Systems52 reforms can be
found in their respective impact assessments. We have simplified these here to provide an
overview of the impacts and outcomes.
49 Smart Data Impact Assessment 2024 - DBT
50 Digital identity and attributes - De Minimis Assessment, 2024 DSIT
51 NUAR Impact Assessment, 2024 DSIT
52 DHSC Open Data Architecture Information Standards Impact Assessment, 2024
52
Figure 1: Theory of change for preferred option
53
89. The policies included in this package will be primary legislation and some will be followed up
by further secondary legislation. Analytical evidence for the reforms that are likely to be
followed up by secondary legislation tends to be limited in these early stages, though we
have included all that is available. More analytical detail will be provided in the secondary
legislation Impact Assessments. The table below details the reforms in the Act that will likely
be followed by secondary legislation and whether these are likely to include any direct costs
or benefits to business – further details can be provided as policy develops.
Table 10: List of all reforms that are being followed up with secondary legislation
Reform Heading Reform subheading
Will secondary
legislation
include direct
costs and
benefits to UK
businesses?
Who will be
responsible for
the secondary
legislation IAs?
AI and Machine Learning
Future proofing Article 22
Enhancing the approach to explainability
and accountability for fair processing in the
context of AI
Yes DSIT
Delivering better public
services
To extend powers under section 35 of the
Digital Economy Act 2017 aimed at
improving public service delivery to business
undertakings, beyond the current scope of
solely individuals and households (CDDO)
No CDDO
Digital Identity
Digital Identity: Create a governance
framework and enable checks against
government-held data53
No DSIT
Smart Data
Smart Data: Introduction of primary
legislation, creating new regulation-making
powers to enable Smart Data schemes to be
introduced in any given sector54
Yes This will be
sector specific
Health and Social Care
Create primary legislation for a new power
for the Secretary of State for Health and
Social Care to direct suppliers to adopt an
open data architecture approach55
Yes DHSC
National Security and Law
Enforcement
Joint processing by intelligence services and
competent authorities Yes Home Office
NUAR
National Underground Asset Register
Legislation to underpin a national register of
underground assets (cables etc.). Only some
of the NUAR policy is subject to secondary
legislation.
Yes DSIT
53 This is the preferred option in the Digital identity and attributes - De Minimis Assessment 2024 published by DSIT
54 This is the preferred option in the Smart Data initiatives Impact Assessment 2024 published by DBT
55 An overview of how this policy will be implemented can be found in the DHSC Open Data Architecture Information Standards
Impact Assessment, 2024.
54
Reform Heading Reform subheading
Will secondary
legislation
include direct
costs and
benefits to UK
businesses?
Who will be
responsible for
the secondary
legislation IAs?
Online Safety
Researchers’ Access to
Data
Amend the OSA via the DUA to provide SoS
with a regulation making power regarding
researchers’ access to data.
Yes DSIT
90. In order to measure the continued success of these reforms, we are building a monitoring
and evaluation framework that will ensure that we measure and monitor the changes to the
key impact variables including GVA and business costs throughout the life of the policies.
55
Impact Analysis
Assumptions and methodology
91. The preferred package of reforms has been analysed and estimations of the potential costs
and benefits can be found below. These are assessed over a period of 10 years from 2024
to 2033, and are discounted using the Green Book’s suggested discount rate of 3.5%.56
92. Where analysis has already been published with respect to some of the policies included in
the Act, this is referenced accordingly. This is the case for the Digital Identity measures57,
the Smart Data policies58, the NUAR measures59, the Interoperability of Health Care systems
measures60 and the Researchers’ Access to Data provisions61. In these cases, where
appropriate, all costs and benefits have been appraised over 10 years and the same base
year has been applied. Where other government departments have fed into this analysis,
this is also the case.
93. The expected impact of the policies will fall on private organisations that use data and those
that currently face barriers in doing so. Public sector organisations will also be impacted by
reforms designed to improve the efficiency of data transfers across government departments
and increase the interoperability across health and social care systems. Many of these
reforms are also designed to make data use for Law Enforcement Agencies (LEAs) and
Intelligence Services more efficient.
94. Where sufficient robust data is available, we have estimated the monetary impact of the
various reforms, both direct and indirect. Where this evidence is not yet available, we have
provided an in-depth outline of the potential costs and benefits and ensured that any
evidence gaps will be referenced in our monitoring and evaluation plan which can be found
at the end of this IA.
95. This section begins by looking at the direct monetised benefits of implementing the package
of reforms, this includes the saving in compliance costs for UK businesses and a deep dive
into the benefits of increased regulatory oversight and data-use in national security and law
enforcement. This is followed by qualitative analysis of the direct benefits where monetary
evidence is currently limited.
96. Following the analysis of the direct benefits, we look at the indirect benefits. Using analysis,
we have estimated the potential impact on UK productivity levels of an increase in data use
resulting from these reforms. We have also conducted analysis that looks at the potential
impacts to consumer trust and privacy as well as the reduction in ambiguity for businesses
and the delivery of better public services.
97. We expect the package of reforms to have a net positive impact overall, however we provide
an overview of the direct and indirect costs that could be faced by UK businesses as a result
of these policies. These costs are likely to consist mainly of familiarisation costs faced by
56 HMT: The Green Book, 2022
57 DSIT: Digital identity and attributes - De Minimis Assessment, 2024
58 DBT: Smart Data Impact Assessment, 2024
59DSIT: NUAR Impact Assessment, 2024
60 DHSC Open Data Architecture Information Standards, 2024
61 DSIT: Researchers’ Access to Data Impact Assessment, 2024
56
businesses and public sector organisations having to update any processes and systems to
be in line with the new guidance.
98. As well as looking at the costs and benefits to UK businesses we have also estimated the
impact on international trade. For this analysis we have used a variety of approaches
however as the modelling uses many variables and assumptions that create uncertainty, we
are excluding this from the total estimated NPV for the package of reforms.
99. Alongside the potential trade impacts of the reforms, we are also aware that any changes to
the UK’s current data adequacy regulations are likely to have an impact on these results. We
have used consultation responses to build upon the analysis previously conducted, and
refined our methodology to present a possible range of the monetary impact to the UK if
Adequacy with the EU were to be removed.
100. As there is a wide array of reforms in the package the cost benefit analysis is split out in
table 11 and the reforms are classified as being either monetisable or not, having direct or
indirect impacts, whether or not they will be followed by secondary legislation or not, and
who is likely to be impacted.
101. Some of the measures assessed here are enabling only and given the uncertainty over
the contents of the secondary legislation, will be assessed more fully at that stage (scenario
two in the RPC’s primary legislation guidance). The impacts of these secondary measures
are either indirect or unquantifiable at this stage. Usually where this is the case, an impact
assessment would present two EANDCBs. However, in this case they are the same and
therefore the EANDCB figures presented here cover the set of policies as a whole.
102. Throughout this section references are made to data controllers, data processors and
joint controllers. Data controllers are understood to be the individual or organisation who
determine the purpose and means of processing personal data, they exercise overall control
over the data being processed and are ultimately responsible for the processing. Data
processors are understood to be the individual or organisation that processes personal data
on behalf of the controller, they act under the authority, and in the interests of, the data
controller. Joint controllers are where two or more data controllers jointly determine the
purpose and means of processing; they have the same shared purposes. Controllers are not
considered joint controllers if they are processing the same data for different purposes62.
Impact of Criminalising the creation, or requesting the creation of, a purported intimate
image (deepfake) of another person aged 18 or over without the adult’s consent or
reasonable belief in consent.
103. We expect low levels of police recorded crime: as this offence relates solely to the
creating or requesting of these images, often without any intention that the person in the
image is aware, many instances may not be reported to the police.
104. Conversely, where the new offences are reported, it is likely that this will occur along with
the offences of sharing or threatening to share the image which has been created. If an
intimate image deepfake were to be shared without consent or threatened to be shared it
would be captured under existing legislation in the Sexual Offences Act 2003, carrying a
sentence of up to two years in custody. We expect that the police would pursue this more
62 ICO: What are ‘controllers’ and ‘processors’?
57
serious charge as well as the “creating” offence, and that the offender would be sentenced
for the totality of their offending behaviour.
105. To estimate the costs to the Criminal Justice System (CJS) of this measure, data from
South Korea was used, where the creation and sharing of sexually explicit deepfakes was
criminalised in 2021, alongside data from the Security Hero ‘State of Deepfakes’63 report,
which covers the ‘reality, state and impact’ of online deepfakes over the period 2019 to
2023.
106. South Korea is used as a comparison as it is one of the few countries where sexually
explicit deepfakes have been criminalised for long enough for there to be useful data.
However, this data is suggestive only, due to differences in the relevant criminal law and the
wider cultural environment.
107. For the “requesting” offence there is even more limited data as it is a novel offence. We
assume that, since the law in South Korea is even more comprehensive (possession of
sexually explicit deepfakes is criminalised), our methodology using volumes in South Korea
as a base covers both offences.
108. To estimate the impacts of Option 1, we have used the following scenarios:
a. The ‘low’ scenario assumes the increase in sexually explicit deepfakes has been linear
between 2019-2023 (17,422 and 95,820 respectively - the two given data points in the
Security Hero report) and has increased at a rate of roughly 13% per year. It also
applies the Security Hero observational data which shows South Koreans to be the
victims of 53% of online deepfakes, whilst UK victims form 6% of the total. This gives a
ratio of 8.83, which has then been applied to South Korea’s police recorded crime
figures.
b. The ‘high’ scenario adjusts the South Korea police recorded crime figures with the ratio
of voyeurism offences observed in South Korea to the UK between 2013-2018 (3.17). It
applies the compound growth rate of police recorded crime in South Korea between
2021 and 2024 (62%), which could approximate the observed trend in the UK due to the
expected trajectory of detection and policing changes after criminalisation, as well as
technological and accessibility improvements.
109. The ‘best’ estimate takes the average of the high and low scenarios, which are calculated
as above and presented in Section F, and form a wide range reflecting the lack of robust
evidence to base estimates off:
110. In both the ‘high’ and ‘low’ scenarios, the prevalence of sexually explicit deepfakes is
assumed to increase for 5 years following the last observed data point (2024 for police
recorded crime in South Korea) before reaching a steady state. This is to reflect likely
technological and accessibility improvements over the appraisal period
111. These assumptions result in baseline 2024 UK police recorded crime figures of around
80 in the low estimate and around 210 in the high estimate. We expect these to serve as an
overestimate.
63 2023 State Of Deepfakes: Realities, Threats, And Impact
58
Impact of reporting on copyright works and artificial intelligence systems
112. The Act requires that an impact assessment is carried out on the four options consulted
on in section B.4 of the Copyright and AI Consultation Paper and is published within 9
months, and that a statement of progress is provided within 6 months. As part of the Better
Regulation Framework, it is a requirement for government departments to carry out final-
stage impact assessments for measures which are brought forward for legislation, including
the short-list options considered. Work on producing an impact assessment can therefore be
considered business as usual, and would not add significant additional public costs
compared to the counterfactual. However it does guarantee than an economic assessment
is published in this time period, and it will be of benefit to stakeholders who engage with the
results of the assessment. This is not monetised.
113. The Act requires that a set of reports on the use of copyright works in the development of
AI systems are published within 9 months, and that a statement of progress is provided
within 6 months. These reports would provide the public with more detail several issues
regarding the use of copyright works in AI model training. Work on these subjects is
expected to be conducted by government officials with consultation from stakeholders. This
work will be absorbed into business as usual resource, therefore there will be limited
additional public cost to producing the reports. This is not monetised.
59
Table 11: Breakdown of all costs and benefits by category
Benefits
Benefits Reform Monetised? Direct?
Followed by
secondary
legislation?
Who is
impacted?
Compliance cost
savings Harness the power of data for economic growth Monetised Direct No UK Businesses
Compliance cost
savings Improve people’s lives Monetised Direct No UK Businesses
Support a modern
digital government Relaxed requirement to review data adequacy decisions Monetised Direct No Government
(ICO)
Support a modern
digital government Enforcement Powers Monetised Direct No Government
(ICO)
Support a modern
digital government Complaints Monetised Direct No Government
(ICO)
Harness the power
of data for economic
growth
Harness the power of data for economic growth Monetised Indirect No UK Businesses
Creation of
Innovative and
Secure Smart Data
Schemes (DBT):
Increase in use of
Smart Data
schemes indirect
benefits
Introduction of primary legislation, creating new “regulation-making”
powers to enable Smart Data schemes to be introduced in any given
sector
Non-
Monetised Indirect
Yes - to be
followed up
with sector
specific
legislation
Consumers,
businesses,
data holders
and data
recipients
Support a modern
digital government
Increased Interoperability and Trust of Digital Identity Systems - Create
a governance framework and enable checks against government-held
Monetised
for four Indirect Yes - to be
followed up
UK businesses
and consumers
60
Benefits Reform Monetised? Direct?
Followed by
secondary
legislation?
Who is
impacted?
data
examples
use cases
with sector
specific
legislation
Support a modern
digital government
Increased Interoperability and Trust of Digital Identity Systems - Create
a governance framework and enable checks against government-held
data
 Indirect
Yes - to be
followed up
with sector
specific
legislation
UK businesses
and consumers
Improve peoples’
lives: Privacy, trust
and individual data
rights
Harness the power of data for economic growth Non-
Monetised Indirect No UK consumers
Improve peoples’
lives: Privacy, trust
and individual data
rights
Improve people’s lives Non-
Monetised Indirect No UK consumers
Support a modern
digital government:
Delivery of better
public services
Clarifying that private organisations & individuals asked to carry out an
activity on behalf of a public body may rely on that body’s lawful ground
for processing the personal data under Art 6(1)
Non-
Monetised Indirect No
UK businesses
and public
sector
organisations
Support a modern
digital government:
Delivery of better
public services
Exemption for Archives from further processing rules Non-
Monetised Indirect No
Data subjects,
Archives and
public sector
organisations
Support a modern
digital government:
Delivery of better
To extend powers under section 35 of the Digital Economy Act 2017
aimed at improving public service delivery to business undertakings,
beyond the current scope of solely individuals and households (CDDO)
Non-
Monetised Indirect Yes
UK businesses
and
Government
61
Benefits Reform Monetised? Direct?
Followed by
secondary
legislation?
Who is
impacted?
public services
Improve peoples’
lives: Improved
Customer Outcomes
All reforms Non-
Monetised Indirect No Consumers
Improve peoples’
lives: Improved
Interoperability
across Health and
Social Care Systems
Improved Interoperability across Health and Social Care Systems:
Create primary legislation for a new power for the Secretary of State for
Health and Social Care to direct suppliers/suppliers to adopt an open
data architecture approach through the use of ISNs. 64
Non-
Monetised Indirect Yes
Healthcare
providers,
patients and
third-party
providers
Improve peoples’
lives: Improved
Interoperability
across Health and
Social Care Systems
Improved Interoperability across Health and Social Care Systems:
Create primary legislation for a new power for the Secretary of State for
Health and Social Care to direct suppliers/suppliers to adopt an open
data architecture approach through the use of ISNs.64
Non-
Monetised Direct Yes
Healthcare
providers,
patients and
third-party
providers
Improve peoples’
lives: Improved
Interoperability
across Health and
Social Care Systems
Improved Interoperability across Health and Social Care Systems:
Create primary legislation for a new power for the Secretary of State for
Health and Social Care to direct suppliers/suppliers to adopt an open
data architecture approach through the use of ISNs. 64
Monetised Indirect Yes
Healthcare
providers,
patients and
third-party
providers
Improve peoples’
lives: Improved
Interoperability
across Health and
Social Care Systems
Improved Interoperability across Health and Social Care Systems:
Create primary legislation for a new power for the Secretary of State for
Health and Social Care to direct suppliers/suppliers to adopt an open
data architecture approach through the use of ISNs. 64
Monetised Direct Yes
Healthcare
providers,
patients and
third-party
providers
Support a modern
digital government:
Law Enforcement
Logging of law enforcement processing (Part 3 DPA) Monetised Direct No
Government
(LEAs) and
private sector
64 This is the preferred option in the DHSC proposed reforms
62
Benefits Reform Monetised? Direct?
Followed by
secondary
legislation?
Who is
impacted?
Agencies LEAs
Support a modern
digital government:
Law Enforcement
Agencies
Data subjects’ rights to information: legal professional privilege
exemption (Part 3 DPA) Data subjects’ rights to information: legal
professional privilege exemption (Part 3 DPA)
Non-
Monetised Direct No
Government
(LEAs and UK
Intelligence
Services)
Support a modern
digital government:
Law Enforcement
Agencies
Time limits for responding to requests by data subjects (Part 3 and 4
DPA)
Non-
Monetised Indirect No
Government
(LEAs and UK
Intelligence
Services)
Support a modern
digital government:
Law Enforcement
Agencies
National security exemption (DPA 2018 part 3) Non-
Monetised Indirect No
Government
(LEAs and UK
Intelligence
Services)
Support a modern
digital government:
Law Enforcement
Agencies
Amendments to Part 4 of the DPA 2018 - Joint processing by
intelligence services and competent authorities
Non-
Monetised Direct Yes
Government
(LEAs and UK
Intelligence
Services)
Support a modern
digital government:
Law Enforcement
Agencies
Consent to law enforcement processing (DPA 2018 part 3) Non-
Monetised Indirect No
Government
(LEAs and UK
Intelligence
Services)
Support a modern
digital government:
Law Enforcement
Agencies
Transfers based on special circumstances (Schedule 6, Section 76
DPA)
Non-
Monetised Indirect No
Government
(LEAs and UK
Intelligence
Services)
63
Benefits Reform Monetised? Direct?
Followed by
secondary
legislation?
Who is
impacted?
Support a modern
digital government:
Law Enforcement
Agencies
Subsequent transfer's (Section 78 DPA)
Non-
Monetised Indirect No
Government
(LEAs and UK
Intelligence
Services)
Support a modern
digital government:
Law Enforcement
Agencies
Retaining biometrics disseminated by Interpol and other international
exchange routes Monetised Direct No
Government
(LEAs and UK
Intelligence
Services)
Support a modern
digital government:
Law Enforcement
Agencies
Remove the requirement for paper birth and death registers moving to
an electronic register Monetised Indirect No
Government
(LEAs and UK
Intelligence
Services)
Support a modern
digital government:
Law Enforcement
Agencies
Remove the requirement for paper birth and death registers moving to
an electronic register
Non-
Monetised Indirect No
Government
(LEAs and UK
Intelligence
Services)
Harness the power
of data for economic
growth
Introduction of provision to operationalise the National Underground
Asset Register (NUAR), which is a digital map of underground pipes
and cables.
Monetised Direct Yes UK businesses
and government
Harness the power
of data for economic
growth
Introduction of provision to operationalise the National Underground
Asset Register (NUAR), which is a digital map of underground pipes
and cables.
Monetised Indirect Yes UK businesses
and government
64
Benefits Reform Monetised? Direct?
Followed by
secondary
legislation?
Who is
impacted?
Harness the power
of data for economic
growth
Introduction of provision to operationalise the National Underground
Asset Register (NUAR), which is a digital map of underground pipes
and cables.
Non-
Monetised Indirect Yes UK businesses
and government
Support a modern
digital government
Create powers for the Secretary of State (SoS) to place a duty on
platforms to comply with any regulations later passed by SoS allowing
researchers access to certain data held by platforms.
Non-
Monetised Indirect Yes
Individuals,
businesses and
government
Improve peoples’
lives: Privacy, trust
and individual data
rights
Compliance benefits from charities having a clearer legal basis to send
direct marketing for the purposes of furthering one or more of their
charitable purposes.
Monetised Direct No Businesses
Improve peoples’
lives: Privacy, trust
and individual data
rights
Allowing charities to send direct marketing for the purposes of furthering
one or more of their charitable purposes leading to additional donations.
Non-
Monetised Direct No Individuals,
businesses
Strengthen the
criminal law and
increase confidence
in Criminal Justice
System
Introduction of two new offences to protect individuals and educate the
public about the unacceptability of the creating and requesting intimate
deepfakes, and intimate image abuse more generally.
Non-
Monetised Direct No
Individuals,
Criminal Justice
System
Increase public
knowledge of the key
issues, factors and
impacts to be
considered ahead of
potentially legislating
on AI and copyright.
Producing reports and an economic impact assessment on AI and
Copyright.
Non-
monetised Indirect No
Individuals, UK
businesses and
government.
65
Costs
Costs Reform Monetised
? Direct?
Followed by
secondary
legislation?
Who is
impacted?
Familiarisation
costs
Harness the power of data for economic growth Monetised Direct No UK businesses
Familiarisation
costs
Improve people’s lives Monetised Direct No UK businesses
Familiarisation costs
Enhancing the work of the UK intelligence services and Law Enforcement
Agencies in the interest of public security (HO) Monetised Direct No
Government
(LEAs and UK
Intelligence
Services)
Familiarisation costs New ICO Duty to consult Monetised Direct No
Government
(LEAs and UK
Intelligence
Services)
Familiarisation costs Mandatory IAs for statutory codes and guidance Monetised Direct No
Government
(LEAs and UK
Intelligence
Services)
Familiarisation costs Setting up expert panels for statutory codes and guidance Monetised Direct No
Government
(LEAs and UK
Intelligence
Services)
Governance changes Monetised Direct No Government
66
Costs Reform Monetised
? Direct?
Followed by
secondary
legislation?
Who is
impacted?
Familiarisation costs (LEAs and UK
Intelligence
Services)
Support a modern
digital government
(Enhance the work of
the UK intelligence
services and Law
Enforcement
Agencies in the
interest of public
security (HO))
Introduce the ability to actively review automated decisions
Monetised
but not
included in
calcs
Direct No
Government
(LEAs) and UK
businesses
Support a modern
digital government
(Enhance the work of
the UK intelligence
services and Law
Enforcement
Agencies in the
interest of public
security (HO))
Time Limits for responding to requests by data subjects (Part 3 and 4
DPA)
Non-
monetised Direct No
Government
(ICO, LEAs and
UK Intelligence
Services)
Support a modern
digital government
(Enhance the work of
the UK intelligence
services and Law
Enforcement
Agencies in the
interest of public
Law enforcement processing and codes of conduct (Part 3 DPA) Non-
monetised Direct No
Government
(ICO, LEAs and
UK Intelligence
Services)
67
Costs Reform Monetised
? Direct?
Followed by
secondary
legislation?
Who is
impacted?
security (HO))
Support a modern
digital government
(Enhance the work of
the UK intelligence
services and Law
Enforcement
Agencies in the
interest of public
security (HO))
Amendments to Part 4 of the DPA 2018 - Joint processing by intelligence
services and competent authorities
Non-
monetised Direct Yes
Government
(ICO, LEAs and
UK Intelligence
Services)
Support a modern
digital government
(Enhance the work of
the UK intelligence
services and Law
Enforcement
Agencies in the
interest of public
security (HO))
Remove the requirement for paper birth and death registers moving to an
electronic register Monetised Indirect No
Government
(ICO, LEAs and
UK Intelligence
Services)
Support a modern
digital government
(Creation of Robust
and Secure Smart
Data Schemes
(DBT): Increase in
use of Smart Data
schemes indirect
costs)
Introduction of primary legislation, creating new “regulation-making”
powers to enable Smart Data schemes to be introduced in any given
sector
Non-
Monetised Indirect
Yes - to be
followed up
with sector
specific
legislation
UK businesses
and consumers
68
Costs Reform Monetised
? Direct?
Followed by
secondary
legislation?
Who is
impacted?
Improve people’s
lives (Increased
Interoperability and
Trust of Digital
Identity Systems)
Create a governance framework and enable checks against government-
held data
Monetised
for 4
examples
use cases
Indirect
Yes - to be
followed up
with sector
specific
legislation
UK businesses
and consumers
Improve people’s
lives (Increased
Interoperability and
Trust of Digital
Identity Systems)
Create a governance framework and enable checks against government-
held data
Non-
Monetised
Indirect
Yes - to be
followed up
with sector
specific
legislation
UK businesses
and consumers
Improve people’s
lives (Delivery of
better public
services)
To extend powers under section 35 of the Digital Economy Act 2017 aimed
at improving public service delivery to business undertakings, beyond the
current scope of solely individuals and households (CDDO)
Non-
Monetised Indirect Yes
UK businesses
and
Government
Improved
Interoperability
across Health and
Social Care Systems
Prepare, publish and mandate standards that apply to the products and
services provided by IT suppliers, to ensure that those products and
services enable and support data to be accessed, interrogated and
processed in real time by anyone with the basis to appropriately access
that data, irrespective of the system used by the health or social care
provider who collated, produced or otherwise processed that data.65
Non-
Monetised Indirect Yes
Healthcare
providers,
patients and
third-party
providers
Improved
Interoperability
across Health and
Social Care Systems
Prepare, publish and mandate standards that apply to the products and
services provided by IT suppliers, to ensure that those products and
services enable and support data to be accessed, interrogated and
processed in real time by anyone with the basis to appropriately access
that data, irrespective of the system used by the health or social care
provider who collated, produced or otherwise processed that data.65
Monetised Direct Yes
Healthcare
providers,
patients and
third-party
providers
Operationalise the
National
Underground Asset
Introduction of provision to operationalise the National Underground Asset
Register (NUAR), which is a digital map of underground pipes and cables. Monetised Direct Yes UK businesses
and government
65 This is the preferred option in the DHSC proposed reforms
69
Costs Reform Monetised
? Direct?
Followed by
secondary
legislation?
Who is
impacted?
Register
Operationalise the
National
Underground Asset
Register
Introduction of provision to operationalise the National Underground Asset
Register (NUAR), which is a digital map of underground pipes and cables. Monetised Indirect Yes UK businesses
Operationalise the
National
Underground Asset
Register
Introduction of provision to operationalise the National Underground Asset
Register (NUAR), which is a digital map of underground pipes and cables.
Non-
Monetised Indirect Yes UK businesses
and government
Facilitate
Researchers’ Access
to Online Safety
Data
Create powers for the Secretary of State (SoS) to place a duty on
platforms to comply with any regulations later passed by SoS allowing
researchers access to certain data held by platforms.
Non-
Monetised Direct Yes UK Businesses
Costs to relevant
agencies in the
Criminal Justice
System
New offences will increase volumes flowing through the Criminal Justice
System, resulting in additional costs. Monetised Direct No
Agencies
relating to the
Criminal Justice
System
Public costs of
researching, drafting
and publishing.
Producing reports and an economic impact assessment on AI and
Copyright.
Non-
Monetised Direct No UK government
Wider impacts
70
Wider Impacts Reform Monetised
? Direct?
Followed by
secondary
legislation?
Who is
impacted?
Impact on
Competition All reforms Non-
Monetised Indirect N/A N/A
Impact on Equalities All reforms Non-
Monetised Indirect N/A N/A
Impact on Individuals
ICO Taxonomy of Harms
Artificial Intelligence Ethics
Increased Interoperability and Trust of Digital Identity Systems
Use of data for purposes relating to electoral services
Non-
Monetised Indirect N/A N/A
Environmental
Impacts All reforms Non-
Monetised Indirect N/A N/A
National Security
Impacts All reforms Non-
Monetised Indirect N/A N/A
71
Benefits
Summary
Analysis of the benefits of the proposed package of reforms has been split in the following way,
and further details can be found in the continuing sections.
1. Direct Benefits
a. Monetised
i. Compliance cost savings
ii. Improved regulatory oversight
iii. Enhancement of the work of the UK intelligence services and Law
Enforcement Agencies in the interest of public security
iv. Delivery of the National Underground Asset Register
v. Improved interoperability across health and social care systems
b. Non-monetised
i. Enhancement of the work of the UK intelligence services and Law
Enforcement Agencies in the interest of public security
ii. Improved interoperability across health and social care systems
iii. Strengthening of the criminal law to protect victims, reduce abusive conduct
and prevent emotional distress and adverse physical health impacts
associated with being a victim of abuse, thereby also increasing confidence in
the Criminal Justice System.
iv. Direct marketing carried out by a charity for charitable purposes.
2. Indirect Benefits
a. Monetised
i. Impact on UK business productivity and innovation
ii. Increased interoperability and trust of digital identity systems
iii. Remove the requirement for paper birth and death registers moving to an
electronic register
iv. Improved interoperability across health and social care systems
v. Delivery of the National Underground Asset Register
b. Non-monetised
i. Creation of innovative and secure Smart Data schemes
ii. Privacy, trust and individual data rights
iii. Delivery of better public services
72
iv. Exemption for Archives from further processing rules
v. Improved customer outcomes
vi. Improved interoperability across health and social care systems
vii. Enhancement of the work of the UK Intelligence Services and Law
Enforcement Agencies in the Interest of Public Security
viii. Remove the requirement for paper birth and death registers moving to an
electronic register.
ix. Powers relating to verification of identity or status (DSIT & Home Office)
x. Power to add categories of sensitive processing (DSIT & Home Office) (DSIT
& Home Office)
xi. Processing in reliance on relevant international law (DSIT & Home Office)
xii. Searches in response to data subjects(DSIT & Home Office)
xiii. Clarify conditions on the use of international processors by UK competent
authorities (Part 3 DPA)
xiv. Delivery of the National Underground Asset Register
xv. Ied interoperability and trust of digital identity systems
xvi. Facilitating online safety researchers’ access to data
114. Benefits arise from a variety of impacts including an estimated increase in responsible data
use and a reduction in compliance costs. We estimate the whole package of reforms will
generate benefits of between £3.2 billion and £20.1 billion over ten years, discounted and
in 2024 prices. These benefits arise mostly from the measures relating to reducing barriers to
responsible innovation and reducing burdens on business and delivering better outcomes for
people. The rest of this section sets out our approach and evidence used to quantify these
benefits.
73
Direct benefits - Monetised
115. The preferred package of reforms is designed to be beneficial to both the private and public
sector, where evidence is available, we have calculated monetised estimates of some of the
direct benefits of the policies below. These include efficiency benefits from the use of NUAR,
the compliance cost savings firms will experience, the efficiency benefits of the reforms to the
ICO and the benefits to Law Enforcement Agencies of removing the need to log the
‘justification’ for consulting / disclosing data disclosure.
Compliance cost savings
116. We have identified the reforms within the package that are likely to impact UK business
compliance costs and updated these to reflect any post-consultation stage policy changes.
Using data from the UK Business Data Survey,66 we have estimated the total number of
businesses likely to be impacted following implementation.
117. The table below sets out some of the key compliance requirements and activities that we
assume result from the current UK GDPR/DPA requirements, and the associated unit-costs or
time-cost (costs incurred by organisations to undertake such activities or complete
requirements).
118. The full list of legal activities, estimated costs and sources can be found in the table below.
We have updated our modelling to use a more up to date exchange rate,67 and uplifted fees to
2024 prices. These are derived from the best available evidence, however, there remains a
large degree of uncertainty. For example, we assume that the baseline cost of some
compliance activities varies depending on the size of the organisation (e.g. establishing a lawful
ground for data processing) whereas others do not (e.g. cost of seeking legal advice).
119. We have updated the impact assessment with all the relevant material as of Autumn 2024
made further updates to the modelling. These updates include changes to the estimated
number of businesses in each sector and size category using 2023 ONS Business Population
Estimates and use of the 2024 UK Business Data Survey to estimate the proportion of
businesses affected by each measure.
120. Where data was available, we have updated the modelling to the 2024 edition of the UK
Business Data Survey (UKBDS). UKBDS 2024 did not suggest many significant changes since
2022, however several smaller changes have had a cumulative impact on some of the model
results. For this reason, we scrutinised all instances in which we used updated UKBDS figures.
In some cases, we found that 2024 results were not sufficiently comparable to previous
iterations of the UKBDS, for example due to different survey routing. In these cases, we tried to
find compromise solutions, usually involving trying to draw and combine insights from previous
survey iterations. For example, estimates for the number of businesses who handle digitised
data and personal data were calculated by finding the average response to these questions
across the three editions of the UK Business Data Survey (202168, 202269 and 202470). While
the estimate for the proportion of businesses who analyse data to generate insights or
66 DSIT: UK Business Data Survey
67 We assume that 1 EUR = £0.85 which is the 2024 Q2 European Central Bank average
68 DSIT: UK Business Data Survey, 2021
69 DSIT: UK Business Data Survey, 2022
70 DSIT: UK Business Data Survey, 2024
74
knowledge was calculated using an average between the 2021 and 2024 releases, as the
question was not asked in 2022.
121. The modelling assumes full compliance with legislation, both pre-and post We have updated
the impact assessment with all the relevant material as of autumn 2024 implementation. Over or
under compliance can occur as a result of complexity of legislation. While this is not accounted
for in our modelling, we acknowledge that this could, in theory, impact the compliance cost
savings to a business. For example, if a business is currently non-compliant either will
experience no impact as a result of the changes, or an increase the costs for that business if
they become compliance as a result of clarification of the requirements. Similarly, a business
that is over compliant, could continue to do so after the changes and not see a reduction in
compliance costs.
Table 12: A list of all compliance activities and their estimated cost
Activity Description Annual cost per activity per
business (£)
Seeking legal advice
Businesses often require external legal advice in
order to maintain their compliance with regulation.
This includes advice on how and whether data
can be used. (Excludes the cost of establishing a
legal basis for data processing)
£1,278/year cost of legal
advice (equivalent to 4 hours
of a legal professional and 2
hours of a clerical worker)71
Acquiring consent to
store or access
information
There is a prohibition on businesses storing
information, or accessing information, on a user’s
connected device unless they obtain the user’s
consent or they can rely on two further
exceptions. They often fulfil this requirement by
having ‘opt-in’ functionality on their website
£80.54 cost per business per
year to run opt-in72
Preparing Data
Protection Impact
Assessments
(DPIAs)
DPIAs must be completed by businesses where
data processing is likely to result in a high risk to
individuals. They describe the nature and scope
of processing, identify the risks to individuals of
processing and ways to mitigate those risks. DSIT
confirmed that under each of the measures a
DPIA would still be required
£1,278/year cost of legal
advice (equivalent to 4 hours
of a legal professional and 2
hours of a clerical worker)73
Other internal
compliance activities
Other internal compliance activities not listed
above include, but are not limited to, notifying the
authorities of processing of data which might
represent specific risks to individuals, and
responding to consumer questions about how the
business is following data protection principles
Annual wages for DPO
(medium and large
enterprises): £50,000 for
medium and large enterprises;
annual labour costs for DPO-
type functions: £900 for small
and micro enterprises74
71 Proposal for an EU Data Protection Regulation, Ministry of Justice, (2012)
72The EC evaluation of Directive 2002/58 conducted by Deloitte estimated that technical implementation of the opt-in / opt-out
solution on a businesses website costs 75 EUR, once uplifted to 2024 prices and converted to GBP, this figure is £80.54
73 Proposal for an EU Data Protection Regulation, Ministry of Justice, (2012)
74 Data Protection Officer Salaries - Glassdoor (2021)
75
Activity Description Annual cost per activity per
business (£)
Direct marking for
charities
Charities save in legal costs in understanding
regulation when they use data to gain donations On average £946/year
122. We have updated these activities to reflect the fact that ‘establishing a legal basis for data
processing’ forms part of ‘seeking legal advice’. As a result, our estimation for the total annual
cost of compliance saved by firms can be seen in the table below split by reform.
Table 13: Estimated compliance cost savings by reform, 2024 prices
Reform
Average
Annual
Compliance
Costs
(£million)
Low
Scenario
Average
Annual
Compliance
Costs
(£million)
Medium
scenario
Average
Annual
Compliance
Costs
(£million)
High
scenario
Legitimate Interests 0.4 2.5 6.5
AI and Machine Learning 0.7 7 19.4
Research Purposes 1.1 4.7 10.7
Privacy and electronic communications 8.6 17.1 25.7
Direct marketing for charities 0.1 0.5 1.3
Total 10.9 31.8 62.3
123. These results can be broken down by reform and compliance activity. For example, the table
below sets out the estimated annual compliance cost saving from creating a limited non-
exhaustive list of legitimate interests for which businesses can use personal data without
applying the balancing test. We also estimate the savings for businesses by clarifying that
activities, such as direct marketing or ensuring network and information security, fall into the
scope of the legitimate interest basis for processing personal data. We estimate these reforms
to result in a total cost saving for businesses of between £0.4 and £6.5 million and the central
estimate is presented in the table below.
76
Table 14: Breakdown of compliance cost saving calculations as a result of creating a limited non-
exhaustive list of legitimate interests, 2024 prices
Compliance
Activity
Number of
organisations
potentially
impacted
Proportion of
these
organisations
actually
affected
Baseline Cost Percentage change
in compliance cost
resulting from
measure
Estimate
d effect
(£m per
year on
average)
Effect on legal
advice costs
1.0 million
businesses
that use data
to generate
new insights or
knowledge75
On average
41% of the
organisations
that have
sought legal
advice on
GDPR/DPA20
18 use data to
improve
marketing or
sales
performance76
and 6% have
sought legal
advice in the
last year to
comply with
UK data
protection77
£37.9
million annual
costs of legal
advice for
these
organisations
6.3%: assuming that
25% of legal advice
costs are related to
issues clarified by
this measure78, and
that for those issues
the cost of legal
advice will fall by
25% as a result of
the measure79
2.4
Reduction in
customer
complaints
about data use
relating to non-
permissible
uses of data
Number of
customer
complaints:
2,976,
according to
ICO - data on
number of
complaints to
ICO on how
data is being
used/collected
Not applicable Cost of
responding to
legal
complaints:
£91381
6.3%: assuming that
25% of all data uses
are affected and
there is a 25%
reduction in
complaints as a
result of the
measure82
0.2
75 DSIT: UK Business Data Survey, 2024
76 UK Business Data Survey, 2024
77 DSIT: UK Business Data Survey, 2024
78 This is an assumption made in the model. As there is currently a lack of evidence available of the true number of issues this is
something that is tested in the sensitivity analysis section and a proposal of how this will be measured going forward will be included
in the Monitoring and Evaluation plan.
79In the model we assume that clarification can reduce costs in around 25% of cases where legal advice would have been sought.
As this is an assumption we test this in the sensitivity analysis section and propose a way of monitoring this in the M&E plan.
81 Average cost of each ICO investigation (2016/17), uplifted to 2024 prices
82We assume that 25% of data uses will be affected by this measure and that the measure will impact 25% of these. We understand
that this measure will not eliminate all of the complaints under the categories listed above. Businesses are less likely to do things
that break the law and if the guidance is clearer, but we assume this will be minimal based upon consultation responses. We test
this assumption in the sensitivity analysis section.
77
Compliance
Activity
Number of
organisations
potentially
impacted
Proportion of
these
organisations
actually
affected
Baseline Cost Percentage change
in compliance cost
resulting from
measure
Estimate
d effect
(£m per
year on
average)
80
Total annual reduction in compliance costs (£million): 2.5
124. The table below shows the average annual decrease in compliance costs from all of the AI
and machine learning reforms in the Act. We estimate these savings to be approximately
between £0.7 million and £19.4 million a year.
125. By including the additional reform that clarifies that profiling is only subject to the safeguards
associated with solely automated decision-making when significant decisions are taken about
an individual on its basis without meaningful human involvement, firms that use data for AI-
driven ADM will have more clarity on the use of data for profiling activities within solely
automated decision-making processes. This clarification will reassure firms that may currently
be unsure about using data for this purpose and that spend money and time seeking legal
advice on the matter. This increase in confidence could therefore lead to a decrease in costs of
compliance and employing legal assistance. We assume that there will be a 20% further
reduction in the legal advice requested because of the additional measure. Evidence is limited
to suggest the exact percentage however we have remained conservative in our estimates as
we acknowledge this is not the only reason why these firms would seek legal advice. Because
of this the assumption is tested using sensitivity analysis.
126. Assuming that approximately 835,000 businesses use personal data with AI and 13% of
these do not find regulatory guidance published by the ICO guidance clear83 applying the
assumption above we estimate that this additional reform could lead to an increase in
compliance cost savings of £6.9 million a year.
Table 15: Breakdown of compliance cost saving calculations as a result of AI and Machine learning
measures, 2024 prices
Compliance
Activity
Number of
organisations
potentially
impacted
Proportion of
these
organisations
affected
Baseline Cost Percentage change in
compliance cost
resulting from
measure
Estimated
effect (£m
per year
on
average)
Effect on
legal advice
costs
834,722
businesses
that use
personal data
and use AI
13%:
organisations
that don’t find
ICO regulatory
guidance clear
and easy to
£139 m
annual costs of
legal advice
5%: assuming that
20% of legal advice
costs for affected
organisations are
related to processing
personal data to
6.9
80 ICO Complaints and concerns data sets
83 DSIT: UK Business Data Survey, 2024
78
Compliance
Activity
Number of
organisations
potentially
impacted
Proportion of
these
organisations
affected
Baseline Cost Percentage change in
compliance cost
resulting from
measure
Estimated
effect (£m
per year
on
average)
understand84 improve accuracy of
AI systems, and that
25% of legal costs in
these cases could be
saved as a result of
the measure85
Reduction in
customer
complaints
about data
use
Number of
customer
complaints:
2,976,
according to
ICO - data on
number of
complaints to
ICO on how
data is being
used/collected
86
8% of
organisations
associated with
research
purposes
Cost of
responding to
legal
complaints:
£91387
6.3%: assuming that
25% of all data uses
are affected and there
is a 25% reduction in
complaints as a result
of the measure88
<0.1
Total annual reduction in compliance costs (£million): 7.0
127. The table below shows the average annual decrease in compliance costs resulting from
simplifying the use of personal data for research purposes. This includes amending existing
legislation to support responsible research activity using personal data as well as extending the
exemptions by incorporating ‘research in a commercial setting’ into the definition of research
purposes for data protection legislation.
128. Businesses will benefit from the improved legal certainty of definitions. As a result, we
predict a reduction in the need for businesses to seek legal advice and a reduction in the
number of customer complaints about the use of personal data for commercial research
purposes.
84 DSIT: UK Business Data Survey, 2024 Businesses that responded “Strongly disagree” and “tend to disagree” to the question “My
business finds the regulatory guidance published by the ICO clear and easy to understand?”
85 We assume that AI is a smaller subset of use cases than with the legitimate interest measure hence 20% is applied. We
understand that even with clearer guidance, some legal advice will still be required. The amount of time spent seeking legal advice is
an assumption due to the current lack of data. Because of this we test these assumptions in the sensitivity analysis section and
make plans for their measurement going forward.
86 ICO Complaints and concerns data sets
87 Average cost of each ICO investigation (2016/17), uplifted to 2024 prices
88 We assume that 25% of data uses will be affected by this measure and that the measure will impact 25% of these. We understand
that this measure will not eliminate all of the complaints under the categories listed above. Businesses are less likely to do things
that break the law and if the guidance is clearer, but we assume this will be minimal based upon consultation responses. We test
this assumption in the sensitivity analysis section.
79
129. Using the 2024 UK Business Data Survey (UKBDS), we estimate that the number of
businesses that use data to generate new insights or knowledge, employ someone who leads
on R&D and have sought legal advice because of UK GDPR or the DPA 2018 in a year is
approximately 42,000.
130. Assuming a constant cost of legal advice of £1,278 for these businesses we estimate that
the total cost is approximately £53.1m a year.
131. Initially we assumed that policies designed to amend existing legislation to support
responsible research activity using personal data, constitute 10% of the legal costs faced by
these firms. By adding this additional reform that further clarifies the businesses that can rely on
‘research purposes’ we assume that an extra 25% of legal costs will be impacted.
132. The total savings are estimated to be approximately between £1.1 and £10.7million a year.
Table 16: Breakdown of compliance cost saving calculations as a result of research purposes
measures, 2024 prices
Compliance
Activity
Number of
organisations
potentially
impacted
Proportion of
these
organisations
actually
affected
Baseline Cost Percentage change
in compliance cost
resulting from
measure
Estimate
d effect
(£m per
year on
average)
Effect on
legal advice
costs
41,572
8990
All
businesses
£53m annual
cost of legal
advice
9%: assuming that
35% of legal advice
costs are related to
issues clarified by
this measure, and
that for those issues
the cost of legal
advice will fall by
25% as a result of
the measure91
4.7
Reduction in
customer
complaints
about data
use
Number of
customer
complaints: 2,976,
according to ICO -
data on number of
complaints to ICO
on how data is
being
3.7% of
organisations
associated
with research
purposes
Cost of
responding to
legal
complaints:
£91393
6.3%: assuming that
25% of all data uses
are affected and
there is a 25%
reduction in
complaints as a
result of the
measure94
<0.1
89 DSIT: UK Business Data Survey, 2021 and 2024
90 DSIT: UK Business Data Survey, 2021 and 2024
91 We assume that Research purposes are a smaller subset of use cases than with the legitimate interest measure hence only 10%
is applied. We understand that even with clearer guidance, some legal advice will still be required. The amount of time spent seeking
legal advice is an assumption due to the current lack of data. Because of this we test these assumptions in the sensitivity analysis
section and make plans for their measurement going forward.
93 Average cost of each ICO investigation (2016/17), uplifted to 2024 prices
94 We assume that 25% of data uses will be affected by this measure and that the measure will impact 25% of these. We understand
that this measure will not eliminate all of the complaints under the categories listed above. Businesses are less likely to do things
80
Compliance
Activity
Number of
organisations
potentially
impacted
Proportion of
these
organisations
actually
affected
Baseline Cost Percentage change
in compliance cost
resulting from
measure
Estimate
d effect
(£m per
year on
average)
used/collected92
Total annual reduction in compliance costs (£million): 4.7
133. Allowing organisations to use cookies or similar technologies by introducing the new low-risk
processing exceptions could achieve between £8.6 million and £25.7 million cost savings on
average each year.
Table 17: Breakdown of compliance cost saving calculations as a result of PEC Regulations
measures, 2024 prices
Compliance
Activity
Number of
organisations
potentially
impacted
Proportion
of these
organisation
s actually
affected
Baseline Cost Percentage change
in compliance cost
resulting from
measure
Estimated
effect (£m
per year
on
average)
Obtaining opt-
in consent
708,027
organisations that
collect personal
data through
website analytics
95
All
businesses
£57 m 30% of businesses
will no longer offer
opt-in consent96
17.1
Total annual reduction in compliance costs (£million): 17.1
134. The estimated figures above rely on many modelling assumptions as a result of the level of
evidence available being restrictive at this time. We go on to test these assumptions in our
sensitivity analysis section later on in this report. By modelling a low and high scenario where
we flex these assumptions, we estimate that the total compliance cost saved will fall between
£10.7 and £62.3.
135. The DUA Bill compliance cost model estimates the direct marketing measure could lead to
some compliance cost saving of circa £0.5million per annum from creating an exception for
which charities can use personal data without applying the balancing test. This will save
that break the law and if the guidance is clearer, but we assume this will be minimal based upon consultation responses. We test
this assumption in the sensitivity analysis section.
92 ICO Complaints and concerns data sets
95 DSIT: UK Business Data Survey, 2024
96 Businesses that will no longer need to offer opt in/out: 30% of business will no longer need to offer opt-in/out services. The EC
evaluation of Directive 2002/58 conducted by Deloitte found that, of the websites that use cookies, 70% use tracking cookies whilst
30% do not use tracking cookies. We have therefore assumed that the portion of businesses that do not use tracking cookies will
benefit from this measure.