UK GDPR Handbook Updated: Now Includes DUA Act Amendments 

Act Now Training is pleased to announce the launch of the 2nd edition of the UK GDPR Handbook.

The handbook is designed for data protection practitioners and legal advisers who require a complete guide to the UK Data Protection regime following the changes introduced by the Data (Use and Access) Act 2025 (“DUA Act”). 

The DUA Act received Royal Assent on 19th June 2025. It amends the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.  

This handbook sets out the full text of the amended UK GDPR. Amendments, insertions and deletions made by the DUA Act are referenced in colour to allow users to easily identify what has been changed. It also cross references relevant recitals of the EU GDPR which are still part of the UK GDPR pursuant to section 3 of the European Union (Withdrawal) Act 2018.  
 
Relevant provisions of the amended DPA 2018 have also been included where they contribute to the further understanding of the UK GDPR. Guidance from the (soon to be) Information Commission, the European Data Protection Board and relevant case law is signposted to assist users in interpreting the legislation.

Act Now sold over 5,000 copies of the first edition of the handbook. This new publication will be a valuable addition to data protection practitioners’ libraries. Ibrahim Hasan, the editor of the handbook, said: 

“I am really pleased with the publication of the second edition of the UK GDPR handbook. My team and I have tried to produce a clear and easy to follow publication which will help practitioners navigate their way around this complex legislation.” 

Delegates on our future GDPR certificate courses will receive a complimentary copy of the UK GDPR Handbook as part of their course materials. 

The Rainfall Foundation 

The handbook also contains amendments made to Article 17 (the right to erasure) by section 31 of the Victims and Prisoners Act 2024.  

At Act Now we want to see a world where every individual, regardless of their past, has the opportunity to thrive; a community where everyone can contribute meaningfully and live with dignity. That is why we are partnering with Rainfall Foundation, a charity which works to support the reintegration of prison leavers into society. It provides tailored support that addresses prison leavers’ unique needs and helps them overcome the barriers they face in building a stable, rewarding life. For each handbook sold, Act Now will be donating £1 to Rainfall Foundation.

The Data Protection and Digital Information Bill: Where are we now? 

The Data Protection and Digital Information Bill is currently in the Committee stage of the House of Lords. It will make changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). It is expected to be passed in May and will probably come into force after a short transitional period.  

The current Bill is not substantially different to the previous version whose passage through Parliament was paused in September 2022 so ministers could engage in “a co-design process with business leaders and data experts” and move away from the “one-size-fits-all” approach of the European Union’s GDPR.

The Same 

Many of the proposals in the new Bill are the same as contained in the previous Bill. These include: 

  • Amended Definition of Personal Data: This proposed change would limit the assessment of identifiability of data to the controller or processor, and persons who are likely to receive the information, rather than anyone in the world.

  • Vexatious Data Subject Requests: The terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, will be replaced with “vexatious” or “excessive” requests. Explanation and examples of such requests will also be included. 

  • Data Subject Complaints: Data Controllers will be required to acknowledge receipt of Data Subject complaints within 30 days and respond substantively “without undue delay”. The ICO will be entitled not to accept a complaint if a Data Subject has not made a complaint to the controller first. 

  • Data Protection Officer: The obligation for some controllers and processors to appoint a Data Protection Officer (DPO) will be removed. However, public bodies and those who carry out processing likely to result in a “high risk” to individuals will be required to designate a senior manager as a “Senior Responsible Individual”.  

  • Data Protection Impact Assessments: These will be replaced by leaner and less prescriptive “Assessments of High-Risk Processing.”  

  • International Transfers: There will be a new approach to the test for adequacy applied by the UK Government to countries (and international organisations) and when Data Controllers are carrying out a Transfer Impact Assessment or TIA. The threshold for this new “data protection test” will be whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR. (For more detail see also our forthcoming International Transfers webinar). 
  • The Information Commission: The Information Commissioner’s Office will transform into the Information Commission, a corporate body with a chief executive.

  • PECR: Cookies will be allowed to be used without consent for the purposes of web analytics and to install automatic software updates. Furthermore, non-commercial organisations (e.g. charities and political parties) will be able to rely on the “soft opt-in” for direct marketing purposes, if they have obtained contact details from an individual expressing interest. Finally, there will be an increase to the fines from the current maximum of £500,000 to UK GDPR levels i.e. up to £17.5m or 4% of global annual turnover (whichever is higher).

The Changes 

The main changes are summarised below: 

  • Scientific Research: The definition of scientific research is amended so that it now includes research for the purposes of commercial activity. This expands the circumstances in which processing for research purposes may be undertaken, providing a broader consent mechanism and exemption to the fair processing requirement. 
  • Legitimate Interests: The Previous Bill proposed that businesses could rely on legitimate interests (Article 6 lawful basis) without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are “recognised”. These “recognised” legitimate interests cover purposes for processing such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement.  The new Bill, whilst keeping the above changes, introduces a non-exhaustive list of cases where organisations may rely on the “legitimate interests” legal basis, including for the purposes of direct marketing, transferring data within the organisation for administrative purposes and for the purposes of ensuring the security of network and information systems; although a balancing exercise still needs to be conducted in these cases.  
  • Automated Decision Making: The Previous Bill clarified that its proposed restrictions on automated decision-making under Article 22 UK GDPR should only apply to decisions that are a result of automated processing without “meaningful human involvement”. The new Bill states that profiling will be a relevant factor in the assessment as to whether there has been meaningful human involvement in a decision.  
  • Records of Processing Activities (ROPA): The Previous Bill streamlined the required content of ROPAs. The new Bill exempts all controllers and processors from the duty to maintain a ROPA unless they are carrying out high risk processing activities.  
  • Subject Access: Clause 12 of the Bill, introduced at the House of Commons Report Stage, amends Article 12 of UK GDPR (and the DPA 2018) so that Data Controllers are only obliged to undertake a reasonable and proportionate search for information requested under the right of access.

Adequacy 

Although the Government states that the new Bill is “a new system of data protection”, it still retains the UK GDPR’s structure and fundamental obligations. Organisations that are already compliant with the UK GDPR will not be required to make any major changes to their systems and processes.  

The EU conducts a review of adequacy with the UK every four years; the next adequacy decision is due on 27th June 2025. Some commentators have suggested that the changes may jeopardise the UK’s adequate status and so impact the free flow of data between the UK and EU. Defend Digital Me, a civil liberties organisation, has claimed that the Bill would, among other things, weaken data subjects’ rights, water down accountability requirements, and reduce the independence of the ICO.  

Other Parts of the Bill 

The Bill would also: 

  • establish a framework for the provision of digital verification services to enable digital identities to be used with the same confidence as paper documents. 
     
  • increase fines for nuisance calls and texts under PECR. 

  • update the PECR to cut down on ‘user consent’ pop-ups and banners. 

  • allow for the sharing of customer data, through smart data schemes, to provide services such as personalised market comparisons and account management. 
  • reform the way births and deaths are registered in England and Wales, enabling the move from a paper-based system to registration in an electronic register.
  • facilitate the flow and use of personal data for law enforcement and national security purposes. 

  • create a clearer legal basis for political parties and elected representatives to process personal data for the purposes of democratic engagement. 

Reading the Parliamentary debates on the Bill, it seems that the Labour party have no great desire to table substantial amendments to the Bill. Consequently, it is expected that the Bill will be passed in a form similar to the one now published.

Learn more about the updated bill with our Data Protection and Digital Information Bill: Preparing for GDPR and PECR Reforms workshop. Dive into the issues discussed in this blog and secure your spot now. 

Act Now Launches Updated GDPR Practitioner Certificate  

Act Now Training is pleased to announce the launch of its updated GDPR Practitioner Certificate. This course has been running successfully for the past five years with excellent delegate reviews: 

“The course was very useful as an IG Officer. The trainer was knowledgeable and explained some complex aspects of the legislation using interesting examples and real life scenarios. The course materials and handbook are invaluable and I know I will reuse them in conjunction with my usual resources.” NC, Lincolnshire County Council  

“I would highly recommend this online course which was well structured and interactive. The course tutor was engaging and made a complex subject accessible. There was a good balance between understanding the legal framework and practical application. I learnt a great deal which will help me in my DPO role.” RS, London Councils  

Key features of the new course include an updated course curriculum, new exercises and more emphasis on helping delegates develop key DPO skills.  

Our Motivation  

This revised course is part of our ongoing commitment to encourage and assist new talent in the IG profession. Through our involvement in NADPO and the IRMS over the past 20 years, Act Now has been actively encouraging new entrants to the IG profession and providing quality training to assist in their learning and development. When the DP and IG Apprenticeship was launched last year, we became one of the first training companies to partner up with a leading apprenticeship provider to deliver specialist IG training and materials to apprentices. These have led to our partner, Damar, recruiting over 100 apprentices and helping them lay the foundations for a successful career in IG.

Course Content 

The course curriculum has been updated in the light of Act Now’s Skills and Competency Framework for DPOs. For the past three years we have been working on this framework, alongside industry experts and education professionals, by thoroughly analysing all the core skills and competencies required for the DPO role and how they map against our wider GDPR course curriculum.  

Completing the course will enable delegates to gain a thorough understanding of the UK GDPR and develop the skills required to do their job with greater ease and confidence. In addition to the main course topics such as principles, rights and enforcement, we have introduced new topics such as the ICO Accountability Framework. We also take time to consider the latest ICO enforcement action and the changes to the UK data protection regime proposed by the recently announced Data Protection and Digital Information Bill.

Completing the GDPR Practitioner Certificate will enable delegates to gain a thorough understanding of the UK GDPR. The course will help delegates interpret the data protection principles in a practical context, drafting privacy notices, undertaking DPIAs and reporting data breaches. 

The course teaching style is based on four practical and engaging workshops covering theory alongside hands-on application using case studies that equip delegates with knowledge and skills that can be used immediately. Delegates will also have personal tutor support throughout the course and access to a comprehensive revised online resource lab. 

The DPO Learning Pathway 

The updated UK GDPR Practitioner Certificate is part of our learning pathway for Data Protection Officers. Once completed they can move on to the Intermediate Certificate in GDPR Practice where the emphasis is on skills, as well as advanced knowledge, with delegates covering more challenging topics to gain a deeper awareness of the fundamental data protection principles.  

Our premier certification is the Advanced Certificate in GDPR Practice, tailored for seasoned Data Protection Officers seeking to refine and expand their expertise. The course comprises a rigorous set of masterclasses that engage delegates in dissecting and interpreting intricate GDPR scenarios through compelling case studies. This immersive experience empowers participants with the skills and confidence needed to tackle even the most challenging Data Protection and Privacy scenarios they may encounter.

If you would like a chat to discuss your suitability for any of our certificate courses, please get in touch.  

Spring Offer: Get 10% off on all day courses and special discounts on GDPR certificates. Click on the link to find out more and take advantage of this limited time offer!

Introducing the New UK GDPR Handbook


Act Now Training is pleased to announce the launch of the new UK GDPR Handbook.

The handbook is designed for data protection practitioners and legal advisers who require a complete guide to the UK Data Protection regime post Brexit.

The UK’s exit from the European Union has resulted in changes to the principal UK Data Protection legislation namely the EU General Data Protection Regulation 2016 (EU GDPR) and the Data Protection Act 2018 (DPA 2018). The revision of the GDPR, pursuant to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, is now known as the ‘UK GDPR’.

The UK GDPR Handbook sets out the full text of the UK GDPR laid out in a clear and easy to read format including tabs for ease of navigation. Tabs have been the most requested feature from user feedback of our popular EU GDPR Handbook.

The Handbook cross references the EU GDPR recitals, which also now form part of the UK GDPR, allowing for a more logical reading. Amendments, insertions and deletions (made by the 2019 regulations and shown in the Keeling Schedule) have been clearly indicated, using a colour coding system, to allow users to easily identify what has been changed. Relevant provisions of the amended DPA 2018 have been included where they contribute to the further understanding of the UK GDPR. Guidance from the Information Commissioner’s Office, Article 29 Working Party and the European Data Protection Board is also signposted to assist users in interpreting the legislation.

Act Now has sold over 3000 copies of the EU GDPR Handbook. This new publication will be a valuable addition to data protection practitioners’ libraries. Ibrahim Hasan, the editor of the UK GDPR Handbook, said:

“I am really pleased with the publication of the UK GDPR handbook. My team and I have tried to produce a clear and easy to follow publication which will help practitioners navigate their way around this complex legislation.”

SPECIAL PRE ORDER PRICE

The UK GDPR Handbook will soon be on sale at £54.95 plus p&p.

We have a special pre-order price of only £44.95 plus p&p until 12th March 2021 for the first 500 copies. Orders will be shipped from 22nd March 2021. Order now here.

Act Now will be donating £1 for each handbook sold to our chosen charity Woodgate Community Food based in Leicester.

Delegates on the Act Now Advanced Certificate in GDPR Practice will receive a complimentary copy of the UK GDPR Handbook as part of their course materials.