Threads / Digital ID and Access to Public Services / Data (Use and Access) Act — Enactment Impact Assessment (DS…
Impact Assessment Published 19 Jun 2025 ↗ View on GOV.UK

Data (Use and Access) Act — Enactment Impact Assessment (DSIT)

The full impact assessment for the DUAA at enactment, covering costs and benefits of smart data, digital identity, data protection reforms, and adequacy risk, including analysis of UK-EU trade impacts.

▤ Verbatim text from source document
1 Impact Assessment (IA) Title: Data (Use and Access) Act IA number: DSIT001(EAND)-24-DTT RPC reference number: RPC-DSIT-5358(1) Lead department or agency: Department for Science, Innovation and Technology Other departments or agencies: Department for Business and Trade, Home Office, Digital Cabinet Office, Department of Health and Social Care, HM Treasury, Department for Energy Security and Net Zero, The Information Commissioner’s Office, Ministry of Justice Date: 30 October 2024 Stage: Enactment Source of intervention: Domestic Type of measure: Primary Legislation Contact for enquiries: datapolicyanalysis@dsit.gov.uk RPC opinion: N/A Summary: intervention and options Cost of preferred (or more likely) option (in 2024 prices, millions) Item Cost Total Net Present Social Value 10,604 Business Net Present Value 4,967 Net cost to business per year -281 Business Impact Target Status Not applicable What is the problem under consideration? Why is government action or intervention necessary? Harnessing the power of data for economic growth, supporting a modern digital government, and improving people’s lives were key government commitments laid out in the King’s Speech. The nature of several data-related innovations and complexity of the current regulatory regime means that firms, public sector organisations and consumers are not able to take full advantage of the benefits that could be available to them through effective use of data and data sharing. As 2 a result, the market fails and benefits are not realised. It is necessary for Government intervention to allow for the realisation of all benefits derived from more effective data use. What are the policy objectives of the action or intervention and the intended effects? The proposals aim to: • Harness the power of data for economic growth by giving a statutory footing to three innovative uses of data: Smart Data, Digital Verification Services, and the National Underground Asset Register • Support a modern digital government by enabling more and better digital public services, such as an electronic register of births and deaths and applying information standards to health and care suppliers • Update the UK's data laws to; help scientists make use of data for research; make public interest data sharing and re-use easier; support the safe deployment of new technology; future proof the legislation where appropriate; improve the law enforcement regime - while maintaining high standards of protection • Modernise and strengthen the ICO, with a more modern regulatory structure, and new, stronger powers • Establish a Data Preservation Process for coroners to support their investigations into children’s deaths • Establish a framework for further regulations that will allow researchers access to data relating to online safety held by tech companies • Provide Ofgem with greater flexibility in their process for choosing the next holder of the Smart Meter Communications Licence What policy options have been considered, including any alternatives to regulation? DSIT have considered a total of four policy options, which vary in the degree of change to the current UK data policy regime, these are outlined below: Option 0: do nothing This is the scenario in which no changes are made to the current legislation. All analysis carried out is compared to this baseline scenario. Option 1: do minimum Updating and simplifying the UK’s data protection framework while focusing on protecting individuals’ data rights and generating societal, scientific, and economic benefits. Option 2: do intermediate 3 The do intermediate option encapsulates moderate policy changes to the current regime aiming to resolve most aspects of the market failures. It also incorporates key reforms which aim to address those set out in the King’s Speech including Smart data, National Underground Asset Register (NUAR), Digital identity, and the Information Commissioner’s Office (ICO) reforms. Option 3: do maximum Those measures in the do intermediate with additional data protection reforms. Is this measure likely to impact international trade and investment? Yes Are any of these organisations in scope? Micro: Yes Small: Yes Medium: Yes Large: Yes What is the CO2 equivalent change in greenhouse gas emissions? (million tonnes C02 equivalent) Traded: Not applicable Non-traded: Not applicable Will the policy by reviewed? It will be reviewed. If applicable, set review date: within 5 years I have read the Impact Assessment, and I am satisfied that, given the available evidence, it represents a reasonable view of the likely costs, benefits and impact of the leading options. Signed by the responsible: Alex Rubin Date: 04/09/2024 Summary: analysis and evidence – policy option 1 Data (Use and Access) Act Description To enable new innovative uses of data to be safely developed and deployed; to improve people’s lives by making public services work better by reforming data sharing and standards; to help scientists and researchers make more life enhancing discoveries by improving our data laws; and ensure personal data is well protected by giving the Information Commissioner's 4 Office stronger powers and a more modern structure; and to make targeted updates to data protection legislation. Full economic assessment Price base per year PV base year Time period Net benefit (present value (PV)) (£million) Low Net benefit present value (PV)) (£million) High Net benefit present value (PV)) (£million) Best 2024 2024 10 3,170 20,138 10,604 Costs Estimate Total transition (constant price) Years (£million) Average annual (excluding transition) (constant price) (£million) Total cost (present value) (£million) Low 765 54 1,208 High 2,501 108 3,267 Best estimate 1,363 76 1,959 Description and scale of key monetised costs by ‘main affected groups’ There will be direct costs to both private and public sector organisations. The assessment provides monetised estimates for these where evidence is sufficient. These estimates include the up-front costs of familiarisation for UK businesses and public organisations including the Information Commissioner's Office. The assessment also estimates the monetised costs for Law Enforcement Agencies (LEAs) of introducing the ability to actively review automated decisions. Also included are the estimated costs to asset owners to conduct data transformation and refresh activities as well as familiarisation and administrative costs to comply with NUAR legislation. There will also be indirect costs as a result of the primary legislation designed to increase the interoperability of Digital Identity and Smart Data schemes. As these reforms are enabling, we have provided an overview of the potential scale of costs and detailed estimates will follow with secondary legislation. X Other key non-monetised costs by ‘main affected groups’ A qualitative assessment is provided for both direct and indirect costs where evidence is currently not available. These include the costs to LEAs of changes to public sector data handling regulations, the costs to government departments of making data sharing easier and the costs of improving interoperability of data systems across the NHS. The costs of creating innovative Smart Data and Digital Identity schemes are also qualitatively assessed. An assessment on the potential impacts to data subjects trust of the package of reforms has also been included. Benefits Estimate Total transition (constant price) Years (£million) Average annual (excluding transition) (constant price) (£million) Total cost (present value) (£million) Low 0 796 6,437 High 0 2,973 21,34688 Best estimate 0 1,732 12,562 5 Description and scale of key monetised benefits by ‘main affected groups’ Monetised estimates of direct benefits include the compliance cost savings expected to be experienced by UK business as a result of changes to compliance activities especially for firms that carry out research and development and use AI. The monetary benefit of the reforms to the ICO and LEAs that are currently required to keep logs of the number of processing activities that they carry out is also estimated. The reforms are also expected to increase data use by UK businesses which indirectly will have a quantifiable impact on UK firm-level productivity. The cost savings to owners of underground assets through utility strike avoidance, back office efficiencies and on site efficiencies of the NUAR proposals are also included. Other key non-monetised benefits by ‘main affected groups’ Where evidence is currently unavailable, we have provided a qualitative review of other anticipated benefits of the reforms. These include the benefits to law enforcement and intelligence services of introducing a ‘legal professional privilege’ exemption and removing the need to notify the ICO of data transfers. We also qualitatively assess the benefits of the oversight regime for the police use of biometrics and overt surveillance, the creation of Smart Data and Digital Identity schemes. Key assumptions/sensitivities/risks Discount rate: 3.5% Where assumptions have been made in the economic modelling, we have made sure to test these either using a confidence band approach or Monte Carlo analysis. Business case assessment (Option 1) Costs (£million) Benefits (£million) Net (£million) 26 307 -281 Score for Business Impact Target (qualifying provisions only) Not applicable 6 Evidence Base Contents 1. Executive summary 2. Problem under consideration 3. Rationale for government intervention 4. Rationale and evidence used to justify level of analysis 5. Options under consideration a. Do nothing b. Do minimum c. Do intermediate d. Do maximum 6. Policy objective 7. Preferred option and plan of implementation Impact Analysis 8. Assumptions and Methodology 9. Benefits a. Summary b. Direct benefits c. Indirect benefits 10. Costs a. Summary b. Direct costs c. Indirect costs 11. Wider impacts a. Impact on Competition b. Impact on Equalities c. Impact on individuals d. Environmental impacts e. National Security impacts 12. Impact on small and micro businesses 13. Impact on medium-sized businesses 14. Sectoral Impacts 15. Potential impact on international trade a. Changes to UK trade b. Impacts of changes to Article 27 c. Impacts of ensuring businesses are able to continue to seamlessly use their pre-bill existing transfer mechanisms d. EU Adequacy 16. Risks and assumptions a. Policy assumptions and risks b. Analytical assumptions and risk 17. Monitoring and Evaluation 18. Annex 7 a. List of all recommended policies b. Impact of preferred option (2024 prices, 2024 PV) c. EU Adequacy Monte-Carlo Analysis d. List of ICO guidance updates e. Gravity trade modelling f. List of additional measure in the Do maximum option. g. Measures added via amendment during passage of the DUA Bill and included in the Bill at Royal Assent 8 Executive Summary Context 1. As set out in the Kings Speech, the government has prioritised harnessing the power of data for economic growth, supporting a modern digital government, and improving people’s lives. 2. This act contains measures that start delivering on the Government’s commitment to better serve the British public through science and technology. 3. This impact assessment provides: a. An outline of the existing regulatory framework and market failures b. The proposed policy options and preferred package of reforms in overcoming these failures. c. The cost benefit analysis of the preferred package of reforms, comprising of: i. Direct costs and benefits ii. Indirect costs and benefits iii. Wider impacts iv. Trade modelling v. In depth analysis of the impact of these reforms on small and micro businesses and specific sectors within the UK economy d. An overview of all risks and assumptions associated with the modelling. e. An outline of all future monitoring and evaluation activities 4. Many of the policies included in the Act have been designed by other government departments alongside Department for Science, Innovation and Technology (DSIT), including, Department for Business and Trade (DBT), Home Office, Department for Energy Security and Net Zero (DESNZ) and Department of Health and Social Care (DHSC). Where this is the case, analysis has been provided directly by these departments and has been referenced accordingly. There are also reforms included in the Act which are enabling secondary legislation impact assessments. We have highlighted where this is the case and ensured that the analysis provided is representative of this, in line with Better Regulation Unit (BRU) and Regulatory Policy Committee (RPC) guidelines. Rationale and approach 5. The Act will harness the power of data for economic growth. First, it gives a statutory footing to three innovative uses of data that will accelerate innovation, investment and productivity across the UK: a. Smart Data Schemes, which empower customers to make more informed choices and provide businesses with a greater opportunity to innovate by increasing the portability of 9 their data. Open Banking is the only active example of a regime that is comparable to a 'Smart Data scheme' – but needs a legislative framework to put it on a permanent footing, from which it can grow and expand. b. By empowering consumers to access their data within new sectors, the aim is also to encourage similar economic growth as demonstrated in Open Banking across the economy. This is crucial in markets where customer engagement is low, or where businesses hold more information and data than the customer. c. Digital Verification Services will help people and businesses to make the most of identity- checking technologies with confidence and peace of mind. Digital verification services will save people time and money by providing convenient and reliable options to prove things about themselves as they go about their everyday lives. d. They will also enable smoother, cheaper and more secure online transactions. Digital verification services will lessen the everyday burdens on businesses by reducing costs, time and data leakage. e. The National Underground Asset Register (NUAR) is a new digital map that is revolutionising the way we install, maintain, operate and repair the pipes and cables buried beneath our feet. NUAR gives planners and excavators standardised, secure, instant access to the data they need, when they need it, to carry out their work efficiently, effectively and safely. f. Banning sexually explicit deepfakes includes new offences which criminalise the creating, or requesting the creation of, a purported intimate image (deepfake) of another person aged 18 or over without the adult’s consent or reasonable belief in consent of creating or requesting the creation of a purported intimate image of an adult without consent or reasonable belief in consent. g. Producing reports on the use of copyright works in the development of AI systems, and an impact assessment on the policy options considered in the AI and copyright consultation, will help inform policy decisions on AI and copyright. 6. The complexity of the current regulatory regime means that businesses and consumers are not able to take full advantage of the benefits that are available to them through effective use of data and data sharing. As a result, the market fails, and benefits are not realised. Furthermore, information asymmetry exists for UK businesses that are unaware of the benefits that increased data sharing can lead to. Therefore, it is necessary for Government intervention to allow for the realisation of all benefits that can be derived from more effective data use. a. DSIT set out many of these areas in the King’s Speech. The reforms aim at achieving the following objectives: Enabling more market competition and introduction of innovative services for consumers and firms through Smart Data schemes. b. Supporting the creation and adoption of secure and trusted digital identity products and services from certified providers to help with things like moving house, pre-employment checks, and buying age restricted goods and services. c. Creating a new digital map to revolutionise the way data can be transmitted through pipes and cables to allow secure, instant access. 10 d. Help scientists and researchers make more life enhancing discoveries by improving the UK's data laws. e. Delivering better public services through better data sharing, including in public health, law enforcement, and national security f. Improving regulation through the reform of the Information Commissioner’s Office g. Maintain high standards of protection while making some data laws clearer and more conducive to the safe development of new technologies. h. Establishment of a Data Preservation Process that can allow access to information as part of investigations into a child's death where needed. 7. From the evidence gathered and in line with analytical guidelines, we shortlisted down to a set of four options. The three options alongside the status-quo/do nothing option all seek to harness the power of data for economic growth, support a modern digital government, and improve people’s lives. The range of options includes continuing with the current data protection regime, making minor changes to address some market failures, or implementing more substantial reforms to modernise and digitalise government services. The current framework has limitations that restrict the potential benefits of data use. The minor changes aim to resolve specific issues with a generally positive reception from stakeholders, while the more moderate reforms seek to address a broader range of challenges, incorporating key recommendations from recent policy discussions. Findings 8. We estimate the total net present value of the preferred package of reforms to be between £3.2 billion and £18.8 billion over 10 years in 2024 prices. Table 1: Estimated NPV of preferred option Estimate Net Benefit (Present Value (PV)) (£million) Low 3,170.0 High 20,138.3 Best estimate 10,603.9 9. Some of the measures assessed are enabling only and given the uncertainty over the contents of the secondary legislation, will be assessed more fully at that stage (scenario 2 in the RPC’s primary legislation guidance). The impacts of these secondary measures are either indirect or unquantifiable at this stage. Usually where this is the case, an impact assessment would present two EANDCBs. However, in this case they are the same and therefore the EANDCB figures presented here cover the set of policies as a whole. 10. The Data (Use and Access) Act is classified as a quantifying regulatory provision. Many of the reforms included in the Act are pro-competition in nature. However, there are some proposals that do not qualify under these exemptions including the DHSC and Digital Identity measures. A breakdown of the competitive nature of the Act can be found later in the Impact Assessment. 11. We have ensured our analysis is robust and proportionate. We have quantified costs and benefits of the Data (Use and Access) Act where possible, and otherwise provided qualitative analysis. Any evidence gaps will feature in our monitoring and evaluation plan. 11 12. A breakdown of the NPV of the costs and benefits we have monetised can be found in the table below. Table 2: Estimated Net Present Value (NPV) of preferred option over 10 years in 2024 prices (£million) Net Estimates Low High Medium Total NPV 3,170.0 20,138.3 10,603.9 Costs Estimates Low High Medium Total transitional 765.1 2,501.0 1,363.3 Average annual 53.9 108.0 76.3 Total cost 1,207.8 3,267.4 1,958.5 Benefits Estimates Low High Medium Total transitional 0.0 0.0 0.0 Average annual 795.8 2,973.0.8 1732.3 Total cost 6,437.4 21,346.1 12562.4 13. Where evidence is currently unavailable or where reforms will be followed up with secondary legislation impact assessments, we have provided detailed non-monetised qualitative analysis of the expected direct and indirect costs and benefits. These include a deep dive into the impacts on consumer trust and privacy as well as public sector and law enforcement use of data. Impact on Trade 14. It is recognised that there will be some implications on trade as a result of the policy reforms as part of the act. The below provides a summary of the impacts on trade for the measures in the Act and further details can be found in the respective impact assessments. 15. Increasing market competition can lead to higher efficiency both domestically and boosted competitiveness internationally. By furthering the UK’s leading approach towards data portability with initiatives such as Smart Data, we can expect to see further opportunity to extend the UK’s tech leadership, and by providing an opportunity for international firms to 12 expand into the UK, attracting further foreign direct investment while increasing competition for domestic firms with knock-on benefits for customers. 16. Implementation of digital verification schemes is expected to bring beneficial impacts to international trade through reducing friction by facilitating remote ID verification checks, which is very commonly required whilst trading internationally, and helping to streamline business processes. The legal framework will also support the Government’s wider work internationally to enable identity verification across borders to be secure and trusted. 17. Cross-border data transfers are a key facilitator of international trade, particularly for digitised services. Transfers underpin business transactions and financial flows. They also help streamline supply chain management and allow business to scale and trade globally.1 We have conducted analysis that looks at the potential of the proposed data reforms to enable more trade between countries. The analysis however includes analytical caveats which mean that the results should be treated as merely indicative of the range and scale, rather than a granular and detailed account of the impacts. For this reason, we have decided to report these results separately to the total NPV of the package of reforms. 18. Moving to a system which allows personal data to be transferred more pragmatically via data adequacy regulations and alternative transfer mechanisms (ATMs) is expected to lower transaction costs and increase cross-border data flows. Using a business-level approach that assesses the direct cost of using standard contractual clauses (SCCs) we estimate the trade that is currently suppressed, due to this cost acting as a non-tariff barrier between UK businesses and the Rest of the World. This benefit is estimated to have an annual benefit of between £51m and £100m. 19. EU Adequacy decisions are adopted through a unilateral, EU process managed by the European Commission. EU Adequacy decisions do not require an ‘adequate’ country to have the same rules, and the Government’s position is that the proposals within the Act are aligned with the EU’s criteria to allow the UK to preserve its adequacy status allowing the free flow of personal data from Europe to the UK. 20. It is recognised that data transfers are integral for EU and UK organisations and if an EU Adequacy decision was not available, EU businesses would have to implement and comply with alternative transfer mechanisms to transfer personal data to the UK. Therefore, we have estimated the economic impact that UK businesses would face if Adequacy with the EU was to be discontinued or suspended as a result of this Act. We have updated our modelling assumptions and estimations of any changes to this agreement. As a result, we estimate the impact of Adequacy with the EU being lost on top of these measures to be between £190 and £460 million in one-off SCC costs and an annual cost of between £210 million and £420 million in lost export revenue when taking a micro approach to modelling. The analysis does not attempt to assign probabilities but simply estimates the impact in the event of loss of EU Adequacy. The trade impacts are the direct reduction in UK-EU trade and the impact may be larger when accounting for interactions with onward supply chains with trade with third countries. As there is uncertainty in both the likelihood and timing of any decision, the impact is not included in the net present value or other measures in the summary of the IA. The impacts 1International data transfers: building trust, delivering growth and firing up innovation, DSIT, 2021 13 have been uprated and discounted as if the decision was made presently, a conservative assumption. The impacts are presented for the purposes of transparency. 21. We do not anticipate there being any direct implications for trade. NUAR will primarily change the costs for domestic activities. However, as the reforms will directly benefit owners of underground assets through reduced utility strikes, back office efficiencies and enabling better data sharing, it could over time make the utility and telecoms sector in the UK a more attractive place for inward investment, compared to other economies which have not yet taken action to improve data sharing in this manner. This could include the attractiveness of investing in new developments or major projects given the data contained and made available in NUAR will help reduce risk of project overruns and delays. As these benefits are speculative at this stage, they have not been quantified. 14 Summary of costs and benefits Benefits Benefits Monetised/ non-monetised Direct/ Indirect Compliance cost savings Monetised Direct Reform of the ICO Monetised Direct Productivity benefits Monetised Indirect Creation of innovative and secure Smart Data Schemes (DBT) Non-Monetised Indirect Increased Interoperability and Trust of Digital Identity Systems Monetised for four example use cases Indirect Increased Interoperability and Trust of Digital Identity Systems  Indirect Privacy, trust and individual data rights Non-Monetised Indirect Delivery of better public services Non-Monetised Indirect Improved Customer Outcomes Non-Monetised Indirect Improved Interoperability across Health and Social Care Systems Non-Monetised Indirect Improved Interoperability across Health and Social Care Systems Non-Monetised Direct Improved Interoperability across Health and Social Care Systems Monetised Indirect Improved Interoperability across Health and Social Care Systems Monetised Direct Enhance the work of the UK intelligence services and Law Enforcement Agencies (HO) Monetised Direct Enhance the work of the UK intelligence services and Law Enforcement Agencies (HO) Non-Monetised Direct Enhance the work of the UK intelligence services and Law Enforcement Agencies (HO) Non-Monetised Indirect Operationalise the National Underground Asset register Monetised Direct Operationalise the National Underground Asset register Monetised Indirect Operationalise the National Underground Asset register Non-Monetised Indirect Facilitate Researchers’ Access to Online Safety Data Non-Monetised Indirect Direct marketing Monetised Direct Direct marketing Non-Monetised Direct Strengthen the Criminal Law Non-Monetised Direct Producing reports and an IA on AI Copyright Non-monetised Indirect 15 Costs Costs Monetised/ non- monetised Direct/ Indirect Familiarisation costs Monetised Direct Reform of the ICO Monetised Direct Enhance the work of the UK intelligence services and Law Enforcement Agencies in the interest of public security (HO) Monetised but not included in calcs Direct Enhance the work of the UK intelligence services and Law Enforcement Agencies in the interest of public security (HO) Monetised Indirect Enhance the work of the UK intelligence services and Law Enforcement Agencies in the interest of public security (HO) Non-monetised Direct Creation of innovative and secure Smart Data Schemes (DBT) Non-Monetised Indirect Increased Interoperability and Trust of Digital Identity Systems Monetised for four example use cases Indirect Increased Interoperability and Trust of Digital Identity Systems Non-Monetised Delivery of better public services Non-Monetised Indirect Improved Interoperability across Health and Social Care Systems Non-Monetised Indirect Improved Interoperability across Health and Social Care Systems Monetised Direct Operationalise the National Underground Asset Register Monetised Direct Operationalise the National Underground Asset Register Monetised Indirect Operationalise the National Underground Asset Register Non-Monetised Indirect Facilitate Researchers’ Access to Online Safety Data Non-Monetised Direct Increased flows throughout the Criminal Justice System Monetised Direct Producing reports and an IA on AI Copyright Non-monetised Direct Wider impacts Wider impacts Monetised/ non-monetised Direct/ Indirect Impact on Competition Non-Monetised Indirect Impact on Equalities Non-Monetised Indirect Impact on Individuals Non-Monetised Indirect Environmental Impacts Non-Monetised Indirect National Security Impacts Non-Monetised Indirect Differential impact by sector and organisation size 22. Our modelling confirms that benefits and costs from these reforms will not fall equally across the economy and society. A breakdown of how the NUAR2, Smart Data3, Digital Identity4 and 2 DSIT: NUAR Impact Assessment, 2024 3 DBT: Regulatory Powers for Smart Data Impact Assessment, 2024 4 DSIT: Digital Identities De Minimis Assessment, 2024 16 Interoperability of Health Care Systems5 measures are expected to impact different sectors and organisation sizes can be found in their respective impact assessments. 23. Small and Micro Firms (SMFs) are included in the legislation for mandatory participation in Smart Data schemes to ensure the schemes' effectiveness across various sectors. Exempting SMFs could undermine the objectives of future schemes, such as providing comprehensive consumer information, as seen in the example of fuel pricing. However, the legislation requires consideration of the potential impact on SMFs, with options to mitigate disproportionate risks, such as third-party data collection or fee adjustments. The specific participation requirements and thresholds will be determined during the secondary legislation stage, with smaller businesses expected to participate voluntarily if benefits outweigh costs. 24. We expect the data protection reforms to have asymmetric distributional impacts on different organisations/ sectors as a result of differing levels and types of data use6, while in the case of several non-data protection measures, other differences including for example, firms in some sectors are more likely to have processes and privacy frameworks in place already than others. 25. Where we have been able to provide monetised estimates, the analysis is detailed and robust however some assumptions have had to have been made in areas where evidence is lacking. We have therefore ensured that we have carried out sufficient sensitivity analysis and testing to make sure that we accounted for these potential risks. 26. Given the estimated scale and scope of the project we intend to complete a Post Implementation Review (PIR),7 within 5 years of implementation. This will provide us with the opportunity to review whether the Act has met the intended objectives highlighted in this impact assessment. In order to be able to successfully measure these impacts we will also ensure that we invest in the monitoring of all key statistics that have fed into this IA with focus on the evidence gaps we have identified. 5 DHSC: Open Data Architecture Information Standards Impact Assessment, 2024 6 Different sectors use data differently, e.g. in 2024, the sector most likely to say they share personal data with other organisations was Finance and Insurance (41%). DSIT: UK Business Data Survey (2024) 7 Producing post-implementation reviews: principles of best practice, BEIS (2021) 17 Problem under consideration and the issue being addressed 27. The current UK General Data Protection Regulation (UK GDPR) provides an important regulatory framework for access, use and re-use of personal data that protects the rights of individuals. It also provides rules that facilitate data sharing in ways that are accountable, lawful, fair and secure. The government is committed to maintaining high standards of data protection so that people have confidence in the use of their personal data. 28. Smart Data could address various market issues, but current incentives and powers are inadequate to implement it effectively. The UK GDPR provides data portability rights but lacks the robust standards and secure sharing needed for Smart Data. Low consumer engagement across markets leads to problems like the 'loyalty penalty', low switching rates, poor satisfaction, and subscription traps, especially for vulnerable consumers. Trust in using personal data is also low, and some consumers use insecure methods like 'screen scraping', which poses risks. Restricted data access is increasingly seen as a barrier to market entry, making intervention necessary to address these challenges. 29. Identity proofing methods that rely on physical documents are costly, inefficient, and prone to fraud. Digital identities could improve and streamline this process, but the current system is inadequate. There is a gap in communication between digital identity providers and users, with a lack of standards for interoperability and insufficient trust. In the 2019 Call for Evidence, respondents highlighted the need for government intervention to establish these standards, create mechanisms for organisations to demonstrate compliance, and enable verification against government-held data. 30. Data access and availability can also support industry in other ways. Over 4 million kilometres of underground energy, water, and telecoms infrastructure suffer around 60,000 accidental strikes each year, costing industry and government £2.4 billion annually (2021 prices). Current legislation requires asset owners to share data with excavators but doesn’t specify how, leading to inefficiencies. With over 700 asset owners, this results in repeated requests and inconsistent data formats. Government intervention is needed to reform legislation and establish a sustainable data sharing service that ensures secure, efficient access to underground asset data while managing commercial interests and legal liabilities. 31. In the health sector, despite 2012 legislation for data standards, adoption is low (around 42%) and not keeping up with necessary changes. Health and social care providers struggle to access or share care information in real-time. The Health and Care Act 2022 made compliance with information standards mandatory for providers, aiming to improve interoperability. However, current powers don't compel IT suppliers to adopt these standards. This act seeks to address this by requiring IT suppliers in England's health and care system to meet specified information standards. Helping the adoption of digital identities, enabling economic gains in the digital economy while protecting against harms and enhancing privacy. 32. While the Online Safety Act 2023 (OSA) will improve the availability of data for researchers through transparency reporting in particular, in the absence of this legislation there are no provisions to provide researchers with direct access to data. This data could significantly enhance research that benefits society, such as improving public understanding of online safety 18 and reducing online harm in the UK. However, since platforms are not currently required to share this data, there is a clear need for government intervention to address this issue and ensure that data protection laws facilitate access to valuable information for scientific research. 33. Some businesses also view data as a liability, particularly where personal data is concerned, and take steps to curtail access and usage, implying a level of strategic over-compliance arising from uncertainty. This may come at significant opportunity cost. For example, 92% of UK businesses do not transfer data internationally, of which 10% of businesses give concerns around legal risks and uncertainty as a reason.8 Alongside this, fewer than 10% of UK businesses use customer relationship management software to collect, store, and share customer information within their businesses,9 meaning that most businesses do not have an easy way of using data to gain customer insights. 34. From an international perspective, “uncertainty regarding legal privacy regimes” was listed across 19 OECD countries as a main barrier to transborder data flows, followed by “Incompatibility of legal regimes” by 16 countries10 and the overall estimated compliance cost to UK businesses of using transfer mechanisms inherited from the EU for rest of world personal data transfers is estimated at about £360m annually.11 35. The OECD12 highlights that achieving the benefits available from data use requires employing data-governance frameworks that incorporate whole-of-government approaches and are coherent across areas, sectors and ideally countries. Work by Frontier Economics which was published in March 202113 identified a number of interrelated barriers to greater use and sharing of data in the economy, including a lack of knowledge (about potential uses of, and benefits from, data), high perceived risks (regulatory, commercial reputational), high upfront costs and misaligned incentives. 36. UK businesses identify many benefits of the UK GDPR14 and the Data Protection Act 2018 (DPA 2018) for example in 2021, of the businesses that were shown to collect digitised personal data, 58% agreed that the introduction of the GDPR had led to increased awareness of data protection at a senior level.15 However, the current regime can also be complex to interpret and apply, especially for small and medium businesses.16 The 2024 UK Business Data Survey found that smaller businesses were less likely than large businesses to have someone whose role includes leading on data protection, and were less likely to say they find the regulatory guidance published by the ICO clear and easy to understand17. Such complexity is understood to be a barrier to compliance and lead to uncertainty, and potential over- or under- compliance (through strategy or error).18 There is also evidence that the current regime may 8 UK Business Data Survey (2024) 9 ONS (2018) E-commerce and ICT activity Statistical bulletins, Table 25; this is even lower for micro-sized firms. 10 OECD: Digital Economy Outlook 2020, fig 6.4 11Published DSIT estimate, from RoW Adequacy Umbrella IA. 12 Enhancing access to and sharing of data: Reconciling risks and benefits for data re-use across societies, OECD (2019) 13 Increasing access to data held across the economy , Frontier Economics, 2021 14 Until the end of 2020 the EU GDPR applied in the UK. Since then, the applicable legislation in the UK has been the UK GDPR. For simplicity we typically refer to the UK GDPR throughout, but where evidence relates to the earlier GDPR we refer to this as the GDPR. 15 UK Business Data Survey (2021) 16 The European Commission’s (2020) evaluation of the GDPR identified challenges for organisations, in particular SMEs. 17 UK Business Data Survey (2024) 18 Christensen et al.(2013) The Impact of the Data Protection Regulation in the E.U. To note, this is a forecast of the proposed GDPR rather than an ex-post impact evaluation. 19 reduce firm-level innovation, business creation and employment,19 decrease investment in emerging technology firms,20 and negatively impact data-driven industries. 37. Regulation 22 of the PEC Regulations prohibits the transmission, by means of electronic mail, of unsolicited communications to individual subscribers. Currently regulation 22 of the PEC Regulations provides for one exception. It allows anyone (companies, charities, or other organisations) to send electronic marketing communications to an individual (recipient) without their explicit consent, if their contact details were collected during the sale of a product or service, or negotiations of a sale. The direct marketing materials benefiting from this exception may only concern similar products and services and the individual recipient must be offered a simple means of opting out of receiving marketing communications, both at the time the contact details are collected and in all subsequent communication sent. Both safeguards are aimed at limiting an individual’s exposure to spam and nuisance communications. This exception is commonly known as the ‘soft opt-in'. 38. This measure creates an exception from the prohibition for direct marketing carried out by a charity for charitable purposes. The current exception does not enable charities to send direct marketing messages to individuals in order to fundraise or promote campaigns, which is a core activity for some charities in helping them to deliver their charitable purpose(s). The government engaged with stakeholders, listening to the concerns raised by the sector over the difficulties it has experienced through covid and cost of living situation and has taken steps to support charities resilience. 39. There has been a significant rise in the ease in the accessibility of technology used to create purported intimate images (“intimate deepfakes”), and in their prevalence online without the consent of the person depicted. A purported intimate image could include a photo or video (or any hyper-realistic image) of someone engaged in sexual acts, or where the most intimate parts of the body are exposed or covered with underwear, or where the person is using the toilet, as defined in section 66D (5) to 66D (9) in the Sexual Offences Act 2003. a. Under section 66B of the Sexual Offences Act 2003, the law already captures situations where intimate images including deepfakes are shared without consent or reasonable belief in consent. Likewise, the criminal law already covers the creation of intimate images of children as this it already captures the making of indecent images. This includes making deepfake images of children (i.e. those under the age of 18) in section 1 of the Protection of Children Act, 1978. b. However, there is currently no criminal offence banning the creating or requesting of intimate image deepfakes of an adult without consent or reasonable belief in consent. This behaviour can cause harm to the individuals depicted and forms part of a wider harmful and misogynistic behaviour. c. The Government committed in its manifesto to banning sexually explicit deepfakes. The measure assessed in this IA will fulfil that commitment by introducing the new offences of 19 Christensen et al.(2013) The Impact of the Data Protection Regulation in the E.U. 20 Jia et al. (2018) found that GDPR negatively affected venture capital investment in digital technology firms. 20 creating or requesting the creation of a purported intimate image of an adult without consent or reasonable belief in consent. 40. Producing reports on the use of copyright works in the development of AI systems, and an impact assessment on the policy options considered in the AI and copyright consultation, will help inform policy decisions on AI and copyright. 21 Rationale for intervention 41. The complexity of the current regulatory regime means that firms and consumers are not able to take full advantage of the benefits that are available to them through effective use of data and data sharing. There are six market failures across different sectors of the economy that have been identified as a result of the complexity of the UK’s current data regime. a. Externalities occur when the production or consumption of a good incurs costs or benefits on a third-party outside of the transaction. A data externality is an effect that arises from the disclosure of personal data.21 In the data market, a negative externality occurs when the disclosure of personal data by some consumers leads to an excessive privacy loss for other consumers. The use of the disclosed personal data by businesses or organisations for activities such as targeted advertising, leads to a loss of privacy for those who consider the data to be private information. A positive externality can occur when data collected by one party is freely accessed by others and this generates positive external benefits for re- users.22 b. Public goods, where the delivery and efficiency of public services is inefficient as a result of limited data sharing. The complexity of the regulation delays the sharing of data between public services. Also, public sector services lack the necessary framework to use data efficiently and this leads to public goods being under-utilised. The government can create open access data to provide the right framework to help improve the utilisation of public goods. 23 c. Information asymmetry refers to when one party in a transaction has more information than the other. In the data market, businesses such as online platforms that provide search engines or targeted advertising, have better and more information on the services markets they cover compared to the users of the platforms. The consumers are unaware of whether the platforms use the information to maximise social welfare via increased efficiency or to maximise their own profits. d. Imperfect information, where UK businesses have incomplete information regarding the regulations around data sharing and therefore choose not to share data to minimise risk. A further example is when consumers are unaware of how much personal data businesses collect and how businesses process personal data. Also includes areas where better sharing of data enables efficiencies. e. Market power refers to when the power is concentrated into too few businesses or organisations. In data markets that lack competition the complexity of the regulation deters new entrants and limits firms with relatively less power from achieving the additional benefits of effective data use. Firms with market dominance can expand into complementary data markets, at a relatively low marginal cost rather than share data with complementary firms, this may deter new entrants into complementary markets. f. Network failure refers to when a good or service whose value increases as the number of users increases fails to raise its value due to a lack of users. The data network effect is 21 The Economics of Privacy: A Primer Especially for Policymakers, Bank of Japan, 2021 22 Business-to-Business data sharing: An Economic and Legal Analysis, JRC Digital Economy Working Paper, 2020 23 “Creating and governing social value from data” - Diane Coyle and Stephanie Diepeveen, 2021 22 when a product's value grows as a result of more usage via the accretion of data.24 In terms of data network failure, the complexity of the regulations has resulted in insufficient cooperation between UK businesses to combine datasets through data sharing and benefit from economies of scope. 42. The table below highlights the specific market failures that are present in certain parts of the UK’s data processes, policies and current protection regime. Table 3: Summary of the market failures in data markets 24 https://www.nfx.com/post/truth-about-data-network-effects 23 Market Externalities Public goods Information asymmetry Imperfect information Market power Network Failure Smart Data25 ✓ ✓ ✓ ✓ Digital Identity Schemes26 ✓ ✓ The National Underground Asset Register (NUAR)27 ✓ ✓ ✓ Using data to improve public services (including DHSC CDDO and HO initiatives) ✓ ✓ ✓ ✓ Data use for science and research (including AI) ✓ ✓ ✓ Online Safety: Researcher Access to Data28 ✓ ✓ Processing/ Re-use of data ✓ ✓ Privacy and Electronic communications ✓ Data subject rights ✓ ✓ International data transfers ✓ ✓ The Information Commissioner's Office (ICO) ✓ Smart meter data (DESNZ) ✓ Direct marketing ✓ ✓ Copyright works and artificial intelligence systems ✓ 43. The market currently fails at different levels of the data value chain. The table above explores where the market failures exist. 44. Government intervention in the form of new legislation or changes to existing legislation will help overcome these market failures. Reform options have been designed specifically to 25 More information on the rationale for intervention in the Smart Data market can be found in the Smart Data final Impact Assessment 2024 - DBT 26 More information on the rationale for intervention in the Digital Identity market can be found in the Digital Identity De Minimis Assessment - DSIT, 2024 27 More information on the NUAR measures can be found in the NUAR final Impact Assessment 2024 28 DSIT: Researchers’ Access to Data Impact Assessment, 2024 24 remedy market failure in specific industries and sectors as well as UK data policy more generally. These areas have been set out in the King’s Speech29 a. Smart Data initiatives, there is a failure of existing regulation to enable easy and secure data mobility. Many markets currently face low levels of consumer engagement. Consumers are unable to navigate these markets easily resulting in negative outcomes such as the ‘loyalty penalty’, low switching rates, poor satisfaction. These negative outcomes are further exacerbated for vulnerable consumers who may have further inabilities to access and engage. Alongside low consumer engagement is a lack of trust and empowerment to utilise their own data in markets, increasing their cost of informed decision making. While already sharing data, some customers are currently using less secure methods, such as ‘screen scraping’, which can lead to direct harm if this data is mishandled. Evidence also shows that in digital markets there is increasing concern that access to data is a significant barrier to entry. Intervention is therefore necessary to help address the issues arising in these markets and to alleviate wider market failures. The Smart Data amendments in the House of Commons were intended to ensure that Smart Data schemes function optimally, and to ensure the Part 1 regulation-making powers are as clear as possible. This will further assist in addressing the market failures mentioned above. The section 11 amendments specifically allow for regulations to provide for a greater range of Smart Data scheme models regarding fee charging. This means Smart Data schemes can be designed with a fee structure that is tailored to the needs of the markets corresponding to each sector. More detail can be found on Smart Data rationales in the Smart Data Impact Assessment.30 b. An emergent marketplace in Digital Identities already exists, with more and more businesses and citizens preferring to verify information about themselves without needing paper documents. However, current identity proofing methods can be expensive, inefficient, and vulnerable to fraud. Digital identities can strengthen and simplify the process, however, the current landscape lacks standards which will enable interoperability and does not yet command trust. In the 2019 Digital Identity Call for Evidence,31 respondents noted that the market required the government to step in and set these standards, create mechanisms to allow organisations to prove they follow them, and to enable checks against government-held data. More information on this market failure can be found in the Digital identity and attributes De Minimis Assessment.32 c. Currently, there are over 4 million kilometres of underground energy, water, and telecoms pipes and cables, suffering approximately 60,000 accidental strikes each year, costing the industry and government £2.4 Billion annually (2021 prices). Establishing a new sustainable data-sharing service, National Underground Asset Register (NUAR), is necessary to provide secure and efficient access to underground asset data, balance commercial interests, and manage legal liabilities. Existing laws require asset owners to share data on these assets with excavators but do not specify the method of sharing. As a result, 700+ asset owners have to respond to numerous requests, and excavators must contact multiple owners, receiving data in varying formats and timelines. Government intervention through legislative reform is essential to standardize data sharing, thereby resolving these issues. 29 The King’s Speech 2024, GOV.uk, 2024 30 Smart Data Impact Assessment, DBT (2024) 31 Digital Identity: Call for Evidence Response, DSIT, 2020 32 Digital identity and attributes De Minimis Assessment, DSIT, 2024 25 d. In the health care sector, the fragmented IT vendor market for health and social care has resulted in suboptimal levels of interoperability, hindering the efficient exchange of information across systems. This lack of interoperability creates significant challenges for healthcare providers and patients, and the market has failed to address these issues on its own. Government intervention is necessary to set standards, promote competition, and ensure consistent and secure data sharing. By doing so, the government can overcome key market failures, such as economic externalities, coordination failures, and imperfect competition, to improve patient outcomes, reduce costs, and support innovation in healthcare technology. e. The provision for registering births, still births and deaths is contained in the Births and Deaths Registration Act 1953 (BDRA) and the Registration of Births and Deaths Regulations 1987. In 2009 the registration online system (RON) was introduced allowing registrars to register births and deaths electronically. Even though all birth and death information are held electronically, registrars are still required to also hold a record of the events in paper registers. Removing the requirement for paper registers, requires a change of legislation. This would introduce efficiencies and result in savings to public expenditure as well as the support of government digital initiatives. Allowing the RON system to be the only birth and death register removes duplication and simplifies the process. It also introduces savings for the Home Office by removing the cost of providing registers, associated resources, postage costs and loose leaf, watermarked, registration paper. Moving away from paper registers will also reduce the risk of criminals gaining access to blank stock to create false identities. f. The direct marketing measure backs the third sector in reaching out to more potential donors, potentially helping them boost their finances, which in turn could have valuable societal benefits. It will enable charities to engage with supporters in order to fundraise and promote campaigns. g. In the case of purported intimate images, the rationale for intervention relates to equity, ensuring that the criminal law adequately provides justice to victims, and reducing their distress and invasions of privacy. h. There is currently information asymmetry in the data licensing market as owners of copyright works have difficulty monitoring how their data is used in AI training. One of the AI and copyright issues that will be explored in the reports is the disclosure of information by developers of AI systems about their use of copyright works to develop AI systems, and how they access copyright works for that purpose (for example, by means of web crawlers). Table 4: How the legislation would overcome each market failure Market Failure Policy Intervention Externalities Implement legislation that makes it easier for personal data to be used in science and research while also providing consumers with the optimum level of privacy protection. Public Goods Implement legislation that makes it easier for personal data to be exchanged between public sector bodies. Introduce frameworks that encourage data use in the public sector. 26 Information Asymmetry Simplify the legislation regarding data exchange and data use. Provide clarification of the rules around using personal data to benefit businesses and their consumers. Imperfect Information Simplify the legislation regarding data exchange and data use. Provide clarification of the rules around using personal data to benefit businesses and their consumers. Market Power Implement legislation that encourages competition through increased data sharing and reduces the compliance requirements. Network Failure Implement legislation that encourages cooperation and increased data sharing. 45. The issues with the current data regime that have been outlined above require a range of reforms to be corrected. The introduction of new guidance would not solve the complexity issue of the current regime because the scale of change needed is too large to be covered by guidance. It would be inefficient to solely produce guidance in an attempt to simplify the current regime. For example, even if existing legislative mechanisms were used to oblige health and adult social care providers to purchase information technology products and services with appropriate technical features, this would be insufficient to bring the wholesale change to the IT supplier market that is needed, particularly in the timeframe required to push forward the digitisation in health and social care. 46. The full scope of the issues could also not be addressed by relying solely on changes to the Information Commissioner's Office, as many of the market failures need legislative change for them to be corrected. As a result of this, we explored policy options targeted at specific sectors and market failures to overcome these issues. a. The UK has three data protection regimes. Most personal data are governed by the UK General Data Protection Regulation (UK GDPR) and its accompanying provisions in Part 2 DPA 2018. Law enforcement processing has its own bespoke regime (Part 3 DPA 2018) which reflects the operational nature of the processing carried out by Law Enforcement Agencies (LEAs). The third regime governs processing of personal data by the UK’s Intelligence Services (Part 4 DPA 2018) and reflects the national security sensitivities as well as the other forms of oversight outside data protection governing the intelligence services. b. The Home Office has responsibility for law-enforcement and intelligence services data processing. The Act will update the Data Protection Act 2018 (DPA 2018). It will contribute to reducing the risk from terrorism to the UK and UK interest overseas33 and will restore confidence in the criminal justice system34 (CJS) when it comes to data protection. c. As the DPA 2018 is recent and largely works well, the reforms will provide updates to the existing legislation rather than fully re-writing it. This will prevent undue burden on users/businesses and maintain international confidence in our data protection standards. Most of the changes aim to simplify/clarify the existing law, which in turn will provide users with the confidence needed to encourage data exchange effectively (both domestically and 33 Home Office Outcome Delivery Plan: 2021 to 2022 - GOV.UK (www.gov.uk) 34 People's priorities | Horizon 27 internationally). Effective data exchange is important for economic and law enforcement relationships. d. The Home Office has two overarching aims: i. Firstly, to empower the police to use new technologies, like biometrics, within a strict legal framework which maintains public trust. ii. Secondly, to facilitate the effective flow and use of personal data for law enforcement and national security purposes to enhance the work of the UK Intelligence Services and Law Enforcement Agencies (LEAs) in the interest of public security. e. Intervention is necessary as improving UK data laws will continue to deliver effective data exchange, which is good for business and public security. The measures being introduced will drive efficiencies and encourage better data cooperation. The amendments prevent undue burden on users and businesses and reduce the potential impact on the Adequacy decisions. The amendments will simplify and clarify the existing law, which in turn will provide users with the confidence needed to encourage data exchange effectively (both domestically and internationally). Effective data exchange is important for economic and law enforcement relationships. f. In developing these proposals, the Home Office have engaged extensively with operational partners, taking as the starting point changes that support improved operational outcomes whilst maintaining public confidence and simplifying existing law (for example, using consistent language) where appropriate. g. The UK is ranked second in the world for science and research35,and made up 13.4% of highly cited research publications worldwide in 202036. Data is key to a wide range of research activities across many sectors, and this is reflected in the UK GDPR. The existing legislation provides specific allowances in relation to processing for research purposes, however, the laws around personal data use for “research purposes” are complex and the current regulatory landscape has proven difficult for scientists to navigate, making it harder to establish legal certainty for vital and innovative research. This highlights how the market fails because scientists have incomplete information about personal data use and how the data value chain suffers a market failure at the collection stage. Furthermore, through the consultation process we identified that some aspects of the existing framework can place unnecessary barriers to researchers, slowing down or even stopping their progress. The barriers researchers face restricts the realisation of societal benefits from effective data use. This shows how the data value chain suffers a market failure at the impact stage. h. When used responsibly, data-driven artificial intelligence (AI) systems have the potential to bring substantial benefits to the lives of consumers and businesses. The development of AI and machine learning applications is contingent on data, and places specific demands on its collection, curation and use. The market failures discussed all have an effect on the current development of AI. Consumers may not be aware of their rights when subjected to 35 The AD Scientific Index, 2024 36 International Comparison of UK Research Base (BEIS, 2022) 28 automated decision making reflecting the information gaps. Uncertainty regarding these data requirements could raise barriers to realising these benefits. i. The Online Safety researchers’ access to data provision will improve understanding of online safety issues and position the UK as a leader in research and innovation. While the Online Safety Act 2023 (OSA) will improve the availability of data for researchers through transparency reporting in particular, in the absence of this legislation there are no provisions to provide researchers with direct access to data. Ofcom will be able to require the largest providers to publish a broad range of information through transparency reports, but Ofcom is unlikely to require companies to publish the kind of user data required to conduct online safety research. The online safety impact of these proposed interventions could be broad. Eligible independent researchers will be able to carry out research into online safety issues that may include illegal activity, harmful content, damaging behaviours, and issues relating to free speech. This additional research is likely to help to address the limited information currently prevailing in this area and contribute to the evidence base for future online safety interventions. j. The re-use of personal data can provide economic and societal benefits through facilitating innovation. The market currently fails as a result of the information gaps around the re-use of personal data at several levels of the data value chain. Clarity on when personal data can lawfully be reused is important at multiple levels of the data value chain: data subjects benefit from transparency at the collection stage, data controllers benefit from certainty during the publication stage, and society benefits from unlocking the opportunities of re-use at the impact stage of the data value chain. The UK GDPR sets out rules for when further processing of personal data is considered compatible with the purpose for which it was collected, in recognition of the value of re-use of data in certain circumstances and where safeguards are in place. In the consultation, the government identified areas of uncertainty and therefore is able to set out proposals to improve clarity in the legislation and as a result facilitate innovative re-use of data. k. The Privacy and Electronic Communications Regulations 2003 (PEC Regulations) is complementary to the UK GDPR and the DPA. PEC Regulations prohibits an organisation from storing or gaining access to information that is held in the equipment of an individual (such as computers and mobile phones), unless one of three exceptions apply (such as the user’s consent). From consultation we know that organisations have found that the ability to collect data in order to improve services/ websites is difficult to obtain when relying on consent, and individuals find the number of consent request pop-ups a source of annoyance and routinely accept the terms without reading them. l. The government has highlighted its ambition for the UK to harness the power of data for economic growth and the importance of the data economy to boosting trade37. Currently a number of barriers to international data transfers exist, including a lack of alignment in legal frameworks, transfer tools and data adequacy regulations. The complexity of the regulations has contributed to information gaps for data controllers which have restricted the international transfers of data. This market failure has an impact at all levels of the data value chain. The government needs to intervene to achieve its ambition of helping domestic businesses to connect more easily with foreign markets, while attracting 37 King’s Speech 2024: background briefing notes, (HMG, 2024) 29 investment from abroad by businesses that rightly have confidence in the responsible use of data within the UK. m. There are many opportunities to build on the lessons learned from COVID-19 pandemic in relation to the power of using personal data responsibly in the public interest, and the benefits of collaboration between the public and private sectors. There are currently some challenges to do this effectively, including: data infrastructure that is not interoperable; legal and cultural barriers to data sharing; inconsistent data capability in the workforce; and financial disincentives that discourage investment. Government intervention is needed to create a joined-up and interoperable data ecosystem for the public sector that will address the limitations outlined above, whilst ensuring high levels of public trust. n. In order for the ICO to perform its function as an agile and forward-looking regulator a clear mandate for a risk-based and proactive approach to its regulatory activities in line with best practice of other regulators is needed. A new legislative framework will allow for a clearer strategic vision for the regulator and the reduction of barriers to data flows. o. The Government is committed to maintaining a secure national communications network for smart metering in Great Britain. The body responsible for establishing and operating this does so under the Smart Meter Communication Licence (‘the DCC Licence’). The Licence is currently held by Smart DCC Ltd. It was awarded by the government in 2013 for an initial period of 12 years and is due to expire in September 2025. The process for Ofgem to identify a successor licensee is set out in primary legislation and further in regulations. This should lead to the successful selection of a provider, though it does not guarantee it. To mitigate the risk of a successor licensee not being selected, our proposed intervention provides Ofgem with greater flexibility in their process for choosing the next licensee. We do not expect any direct impacts from this measure. p. The criminal law should adequately protect the public by capturing people who commit harmful acts so that they can be brought to justice. Rationale and evidence to justify the level of analysis used in the IA (proportionality approach) 47. Indicative analysis of those measures in the Data (Use and Access) Act that formed part of the previous DPDI Bill was previously undertaken at the pre-consultation stage. Since then, the analysis was updated to reflect consultation responses, discussions with cross-government experts and external consultants, assessment of the latest literature, and reflections on the RPC’s comments on the methodology. The Data (Use and Access) Act also includes new measures not in the previous DPDI Bill or makes substantial changes to previous measures. This Impact Assessment reflects these changes and additional amendments added during the Bill’s passage since its introduction in October. A full list of the amendments highlighted in Table 8 and are listed in full Annex 7. 48. Where evidence is available, we are able to analyse some policies at an individual level, although there are still uncertainties and evidence gaps. We know that some reforms share similar channels of impact and implication, so we have continued to analyse policies within 30 groups that are consistent with the expected impacts. This ensures that the analysis remains novel, proportionate and robust. 49. In order to explore some of the uncertainties surrounding the data, greater use of sensitivity analysis has been employed across impacts to consider variability in data and assumptions. 50. DSIT has also worked alongside analysts from across Government to establish the rationale, options, costs and benefits, and finer detail of the impact of reforms where analysis has been led by their respective organisations and where relevant tailored towards a specific sector. These organisations are the Department for Business and Trade,38 the Home Office, Central Digital and Data Office (CDDO), DHSC, DESNZ and the Information Commissioner's Office (ICO). 51. Where evidence exists that has allowed us to attempt to quantify impacts, this has come from a variety of sources referenced throughout. DSIT’s UK Business Data Survey continues to be instrumental in this analysis, providing us with an overview of UK businesses’ use of data and interaction with data protection. The Annual Survey of International Trade in Services is also used extensively in our trade and data adequacy modelling. Furthermore, we continue to use the European Commission’s and Ministry of Justice’s 2012 impact assessments (IAs) of the then proposed European data protection regulation and where possible, have integrated these with more recent evidence. 52. Where quantitative evidence is not available, qualitative analysis of impacts has been undertaken and expanded upon since consultation and introduction, including further literature reviews and case studies. On particularly uncertain impacts, such as trade and data adequacy, complementary approaches have been used to provide more evidence of the potential scale of impacts. 53. As part of ongoing monitoring and evaluation, the framework of impacts explored will continue to be refined. Monitoring and evaluation will be important in assessing whether and how the newly proposed reforms will indeed succeed in improving on the deficiencies of previous regulation and what lessons can be learned for any future revisions. Description of options considered Background 54. This section discusses the approach taken to identify the various policy options to ensure that this Act of reforms delivers the government’s ambition to harness the power of data for economic growth, to support a modern digital government, and improve people’s lives. Identifying the correct and most effective set of reforms to achieve this is the key driver behind the decision-making process and this economic analysis. 55. These ambitions have a strong economic rationale and the opportunity for the UK economy is substantial, given its superior starting position in comparison to many of its peers. Data driven companies generated an estimated £343 Billion in annual turnover (6% of total UK turnover) in 38 Smart Data Impact Assessment, DBT (2024) 31 2023. While contributing an estimated £84.9 billion (3.8%) in GVA to the UK economy and employing 1.5 million people (5% of total UK employees) in all types of roles in 202339. 56. The UK data regime is already among the most comprehensive and open worldwide,40 which is linked to its superior data governance. The UK needs to ensure that further reforms tackle key issues and introduce net positive impacts on the economy and society. This framework underpins the reforms considered and the process through which these were agreed upon. Process of shortlisting options 57. This section details the approach of shortlisting the initial reforms included in the Data (Use and Access) Act. 58. Reform measures including Smart Data, Digital identity, NUAR, Online harms and policies from OGDs went through separate options framework detailed in their own impact assessments (IA) or De minimis assessment (DMA). These were assessed independently and the preferred option for those IA/DMAs are the ones in the preferred option here. 59. Reform options were designed to achieve the government's objectives of harnessing the power of data for economic growth, supporting a modern digital government, and improving people’s lives. The options continue to underpin a high level of protection for people's personal data and control for individuals over how their personal data is used. The Government also continues to recognise that organisations have and are continuing to invest in understanding, complying and implementing the current regime. 60. A long list of potential reform options was generated in each area, with each option designed to tackle an identified issue. These were then assessed for their likely impact, benefits and costs on stakeholders (the public, organisations in the public and private sector and the wider data economy), and associated risks. The viability of each reform option was then assessed as part of continued engagement internal and external stakeholders, further policy research and analysis looking at their legal, practical feasibility, and effectiveness in delivering the intended policy outcome. Each reform was also re-considered in the context of the wider package of potential reforms in order to assess its fit and interdependencies with other potential measures. 61. The three options alongside the status -quo/do nothing option all fall on the liberalisation side of the data - openness scale when compared to the current regime. Our second option is to make minor changes to the current regime. The intermediate option which looks to combine a suite of data reform policies together which all aim to innovative the ways in which the UK uses data. And the do max option which is the data reform options with additional data protection policies. List of options initially considered Table 5: Outline of policy options Option Description 0. Do nothing/status quo No policy change 39 The UK Data Driven Market (DSIT, 2024) 40 As confirmed among multiple studies such as the Global Open Data Index from the Open Knowledge Foundation, and the data governance study from Washington University 32 1. Do minimum Minor policy changes to the status quo and current data regime 2. Intermediate option Considerable policy changes to the status quo and current data regime 3. Do maximum Even bigger policy changes to the status quo, and a complete overhaul of existing legislation, repealing and replacing the existing data regime inc. significant changes to data protection legislation 62. Throughout the development of the Data (Use and Access) Act changes were proposed reflecting stakeholder feedback and ongoing policy development. These developments led to a better understanding of implicit costs and policy risks not previous considered which led to the data protection and ultimately Do maximum option not being suitable for implementation. A list of the reforms within the Do maximum options can be found in the annex. 63. There are reform measures inc. Smart Data, Digital identity, NUAR, Online harms and policies from OGDs went through their own options framework which are in within their own impact assessments (IA) or De minimis assessment (DMA). These were assessed independently and the preferred option for those IA/DMAs are the ones in the preferred option here. 33 Do nothing option 64. This option is the benchmark counterfactual and describes a scenario in which the current regime is continued without change. This is equivalent to retaining the current framework for data related public service provision. As highlighted in section one, although the current regime is effective in allowing data use and data transfers, and is relatively liberal in comparison with other jurisdictions, there are certain limitations that mean the benefits from this are limited and firms are not maximising their potential gain from data use. Do minimum option 65. The do minimum option, encapsulates minor policy changes to the current regime in an attempt to resolve aspects of the market failures. This includes key reforms that aim to resolve some of the issues identified as part of the policy process. The majority of reforms have been fairly well received by stakeholders and substantial evidence exists suggesting that they would have a beneficial impact on the economy, LEAs, UK Intelligence Services, and society as a whole. 34 Table 6: List of all policies in ‘do minimum’ category41 Reform measure Reform Summary Research Purposes ● Consolidating research provisions into a single chapter Research Purposes ● Creating a statutory definition of scientific research Research Purposes ● Incorporating broad consent for scientific research into legislation Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● National security exemption (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Data subjects’ rights to information: legal professional privilege exemption (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Consent to law enforcement processing (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Law enforcement processing and codes of conduct (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Logging of law enforcement processing (DPA 2018 part 3) Automated decision making (DPA 2018 part 3) Digital Identity ● Enable checks against government-held data but do not create a statutory governance framework (option 3 in Digital Identity DMA) Digital Identity ● Create a statutory governance framework to oversee the trust framework (Option 2 in Digital Identity DMA) Smart Data (DBT) ● Pursue non-legislative alternatives (Option 1 in Smart Data IA) Smart Data (DBT) ● Support sector regulators to independently pursue legislative alternatives (option 2 in Smart Data IA) Data Architecture (DHSC) ● Enabling legislation to prepare, publish and mandate standards that apply to the products and services provided by IT suppliers Strategy, Objectives and Duties ● ICO's Objectives and Duties Strategy, Objectives and Duties ● Statement of Strategic Priorities Governance Model and Leadership ● Remove the Information Commissioner corporate sole structure. Introduce a Board structure with Chair/CEO. Governance Model and Leadership ● Remove the requirement for Parliament to agree to a change to the IC salary. 35 Do intermediate option 66. The intermediate option encapsulates moderate policy changes to the current regime aiming to resolve most aspects of the market failures. This involves modernising and digitalising government services provision. It also incorporates key reforms which aim to address those set out in the King’s Speech (see paragraph 6). Table 7: List of all polices in ‘do intermediate’ category Reform measure Reform Summary Research Purposes ● Consolidating research provisions into a single chapter Research Purposes ● Creating a statutory definition of scientific research Research Purposes ● Incorporating broad consent for scientific research into legislation Research Purposes ● Extending the “disproportionate effort” exemption on information provision requirements for further processing for research purposes of personal data collected directly from the data subject Research Purposes ● Extending the exemptions from the regime when conducting scientific research to include when that research is carried out in a commercial setting. Further Processing ● Clarifying how personal data can be further processed for research purposes Further Processing ● Clarifying that further processing for an incompatible purpose may be lawful when based on a law that safeguards an important public interest or when the data subject has re-consented Further Processing ● Exempt archives from further processing rules where personal data was originally obtained in reliance on consent. Legitimate interests ● Recognised Legitimate Interests. The act will introduce a new lawful ground for non-public bodies when processing personal data for “recognised legitimate interests”. This is limited to a small number of public interest objectives, such as the prevention of crime, safeguarding vulnerable individuals and responding to emergencies. Under the current law, data controllers have to do a detailed assessment of whether their interests are outweighed by the rights of data subjects when processing personal data for such purposes AI and Machine Learning ● Future proofing Article 22 AI and Machine Learning ● Enhancing the approach to explainability and accountability for fair processing in the context of AI AI and Machine Learning ● Clarifying the circumstances in which safeguards apply to significant decisions that are taken about individuals on the basis of profiling. Data Adequacy ● Underpinning the UK’s future approach to data adequacy regulations with principles of risk-assessment and proportionality Data Adequacy ● Relaxing the requirement to review data adequacy regulations every 4 years Alternative Transfer Mechanisms ● Power for SoS to formally recognise new ATMs Alternative Transfer Mechanisms ● Changes to the standard approach to alternative transfer mechanisms. (Art 46) Alternative Transfer Mechanisms ● Ensuring businesses are able to continue to use their pre-bill existing transfer mechanisms without a requirement for further checks and avoiding additional costs. Alternative Transfer Mechanisms ● Clarifying that transfers of personal data under the UK-US Data Access Agreement can be made under the ‘public interest tasks’ lawful ground 36 Reform measure Reform Summary Public Interest ● Clarifying that private organisations & individuals asked to carry out an activity on behalf of a public body may rely on that body’s lawful ground for processing the personal data under Art 6(1)(e) Digital Economy Act 2017 (CDDO) ● To extend powers under section 35 of the Digital Economy Act 2017 aimed at improving public service delivery to business undertakings, beyond the current scope of solely individuals and households Public Safety and National Security (Home Office): Subject Access Requests ● Time limits for responding to requests by data subjects (SAR) (DPA 2018 part 3/4) Public Safety and National Security (Home Office): Part 4 ● Amendments to Part 4 of the DPA 2018 - Joint processing by intelligence services and competent authorities Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● National security exemption (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Data subjects’ rights to information: legal professional privilege exemption (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Consent to law enforcement processing (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Law enforcement processing and codes of conduct (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Logging of law enforcement processing (DPA 2018 part 3) Automated decision making (DPA 2018 part 3) Public Safety and National Security (Home Office): ● Transfers based on special circumstances (Schedule 6 DPA, Section 76)Subsequent transfer's (Section 78 DPA) 37 Reform measure Reform Summary International Transfers Public Safety and National Security (Home Office): International Transfers ● Clarify conditions on the use of international processors by UK competent authorities (Part 3 DPA) Public Safety and National Security (Home Office): Biometrics ● Retention of biometric data and recordable offences Public Safety and National Security (Home Office): Biometrics ● Retention of biometric data from INTERPOL Public Safety and National Security (Home Office): Biometrics ● Retention of biometric data from other international partners The National Underground Asset Register ● National Underground Asset Register Legislation to underpin a national register of underground assets (cables etc.) The National Underground Asset Register ● Create powers to ensure the full participation by all owners of underground assets in NUAR and enable a sustainable charging regime. Data Preservation Notices ● Establishing a data preservation process which will require OFCOM, following instruction by a coroner, to issue data preservation notices to online service companies to ensure they retain data that may later be requested by a coroner when carrying out an inquest into a child's death. Smart Meter Data (DESNZ) ● Create new power to give Ofgem more flexibility in the process it needs to follow to identify the successor holder of the Smart Meter Communication Licence. Smart Meter Data (DESNZ) ● Enable Ofgem to modify conditions of existing licences and industry codes if it considers that it is necessary or expedient to do for the purpose of granting a Smart Meter Communication Licence. Online safety researchers access to data ● Create powers for the Secretary of State (SoS) to place a duty on platforms to comply with any regulations later passed by SoS allowing researchers access to certain data held by platforms. Electoral Purposes ● Amend Schedule 1 of the Data Protection Act 2018 so that the 4 day threshold in which outgoing elected representatives have to process special category data on behalf of their constituents without explicit consent, is changed to 30 days, to overcome these operational barriers. Electoral Purposes ● Amending exemptions in Sch 1 DPA 2018 (special category data) to permit elected representatives to process political opinions data. Subject Access Requests ● Clarifying that controllers are not required to make disproportionate searches in response to subject access requests - necessary as a result of the loss of the EU principle of proportionality under the REUL Act. (Home Office measure) Privacy and electronic communications ● To add three low privacy risk exceptions to the prohibition on storing information, or accessing information stored, on a user’s connected device. For example, collecting statistical information to improve the service/website requested by the user. Privacy and electronic communications ● Empowering ICO to take action against organisations for the number of unsolicited direct marketing calls 'sent' as well as calls 'received' and connected. 38 Reform measure Reform Summary Privacy and electronic communications ● Amending the regulations’ powers of enforcement so that they are aligned with the enforcement regime under the Data Protection Act 2018, including fine levels, whilst keeping bespoke tools such as third-party information notices. Privacy and electronic communications ● Extending approved code of conduct provisions under Article 40 UK GDPR to the PEC Regulation Privacy and electronic communications ● Extending the reporting period for breaches under reg 5A PEC Regulation from 24 to 72 hours Updating Special Category Data ● Create a new power for the Secretary of State to add new types of data to the list of special categories of data that get extra protection. This will provide the flexibility to add new types in the future including in response to new technological developments, to ensure heightened protections for citizens. Digital Identity ● eIDAS/trust services Digital Identity ● Data checking gateway Digital Identity ● Trust framework accreditation and certification Digital Identity ● Trust framework governance Digital Identity ● Validity of digital identity Digital Identity ● Mutual recognition of digital identities Digital Identity ● Mutual recognition of trust services Digital Identity ● Welsh and Scottish safeguards for Digital Verification Services Digital Identity ● Include a power for DSIT SoS to approve additional rules for particular sectors or use cases which build on the rules in the UK digital identity and attributes trust framework; to make provision for organisations to be certified against those additional rules; and to make provision for the DVS Register to note which sets of additional rules (if any) an organisation has been certified against in addition to the trust framework. In policy terms, we refer to a set of additional rules as a ‘scheme’, and we expect the equivalent term in the Act to be ‘supplementary code’. Digital Identity ● To amend the Immigration Act 2014 and the Immigration Asylum and Nationality Act 2006 to permit regulations to specify that, where digital checks are undertaken, these are undertaken by a DVS provider on the DVS register. Smart Data (DBT) ● Smart Data: Introduction of primary legislation, creating new “regulation- making” powers to enable Smart Data schemes to be introduced in any given sector. 1] Smart Data (DBT) ● Expanding the definition of ‘‘customer data’’ to include transactions between the customer and third parties, and clarify the scope of action initiation, or ‘write access’ services Smart Data (DBT) ● Provisions to clarify the powers of enforcers to investigate and monitor compliance, and the process for setting fines, penalties and fees and to allow existing data sharing requirements in other legislation to be incorporated into Smart Data regulations. Smart Data (DBT) ● Clarification of the power to make provision in connection with business data – to expressly facilitate a Smart Data delivery model where data holders provide business data to a specified third party, who then provides (or publishes) the business data to other third parties Data Architecture (DHSC) ● Enabling legislation to prepare, publish and mandate standards that apply to the products and services provided by IT suppliers Data Architecture (DHSC) ● Enabling legislation to prepare, publish and mandate standards that apply to the products and services provided by IT suppliers, to ensure that those products and services enable and support data to be accessed, interrogated and processed in real time by anyone with the basis to appropriately access that data, irrespective of the system used by the health or social care provider who collated, produced or otherwise processed that data. 39 Reform measure Reform Summary Home Office: Public Interest ● Processing in reliance on relevant international law (Joint DSIT/HO measure) Home Office: Sensitive Processing ● Power to add categories of sensitive processing (Mirroring provision from UKGDPR to Part 3 and 4 DPA) Public Safety and National Security (Home Office): Birth and Deaths ● Remove the requirement for paper birth and death registers moving to an electronic register Strategy, Objectives and Duties ● ICO's Objectives and Duties Strategy, Objectives and Duties ● Statement of Strategic Priorities Governance Model and Leadership ● Remove the Information Commissioner corporate sole structure. Introduce a Board structure with Chair/CEO. Governance Model and Leadership ● Remove the requirement for Parliament to agree to a change to the IC salary. Accountability and Transparency ● Accountability and Transparency - require publication of key documents Accountability and Transparency ● Statutory codes of practice - ICO required to undertake and publish an impact assessment and consult with a panel of experts when developing or updating statutory codes of practice, unless exempt Complaints ● Complaints - organisations required to have a complaint handling process Enforcement Powers ● Enforcement - power to commission technical reports Enforcement Powers ● Enforcement - power to compel witnesses to attend interview Enforcement Powers ● Enforcement - notice of intent extension Enforcement Powers ● Enforcement - without attending premises clarification Do Maximum option 67. Reforms in the “Do maximum” option were deemed to not currently meet the bar set in terms of available evidence or feasibility to progress at this stage. Amassing the evidence and balancing priorities would introduce delays and the Government is prioritising making progress quickly on the issue of data policy. 68. The preferred option was the intermediate package of reforms, outlined above. This set of options were expected to meet objectives of the government has prioritised harnessing the power of data for economic growth, supporting a modern digital government, and improving people’s lives. Changes were later made to consider policy risks and implicit costs. Going forward in this impact assessment we assess the costs and benefits of the preferred option only compared to the baseline ‘do nothing’ scenario. 40 Policy objective 69. The proposed set of reforms that form part of the preferred package are designed to benefit the UK as a whole. These include policies targeted at resolving market failures for both the private and public sector as well as creating a framework for effective oversight of the UK’s data protection regime. These sets of reforms largely reflect and align with the priorities set out in the Kings Speech: harnessing the power of data for growth, improving people’s lives, and a modern digital government. 70. The objective of Smart Data legislation is to enable new, and accelerate existing, Smart Data schemes, and create a common framework for consistent regulations. This is intended to improve poor consumer and business outcomes, increase competition, create greater opportunities for innovation, produce time saving for users, reduce costs, increase the quality of services, improve the security of data sharing and increase the trust in data sharing mechanisms.42 71. Reforms to enable people to use swift and secure identification to prove things about themselves aim to unlock economic gains associated with a functioning digital identity system, enabling the full realisation of the digital economy. Having a system which is more secure can support protection against fraud for businesses and people and enhance privacy. There is also an aim to promote inclusive solutions and remove barriers to inclusion. More information on how the proposed policy will overcome market failures in the digital identity market can be found in the Digital identity and attributes - De Minimis Assessment.43 72. The National Underground Asset Register will provide secure access to privately and publicly owned location data from 700+ organisations about the pipes and cables beneath our feet. The digital map gives planners and excavators standardised access to the data they need, when they need it, to carry out their work effectively and safely. It also includes features to keep data secure and improve its quality over time. The policy objectives include increased efficiency of data sharing; reduced asset strikes; reduced disruptions for citizens and businesses; and expedited delivery of projects like new roads, new houses and broadband roll-out. 73. The objective of removing the requirement for paper birth and death registers moving to an electronic register is to introduce a change to the legislation which will remove the requirement for paper registers to be held in 175 Local Authorities. Local Authorities within England relate to county, district or parish councils, London borough councils, the Common Council of the City of London and the Council of the Isles of Scilly. In Wales, Local Authorities relate to any county, county borough or community council in Wales. This removes the requirement for records of births, still-births and deaths to be held in two mediums (paper and online). There will be no requirement for registrars to store paper registers in the future reducing the risk of loss or theft of those registers for those seeking to commit identity fraud, therefore resulting in public protection and counter fraud benefits. The move to an electronic register will provide savings to central and local governments and remove the duplication of processes. 42 Smart Data Impact Assessment 2024 - DBT 43 Digital identity and attributes - De Minimis Assessment, 2024 DSIT 41 74. The objective for changing data use in the health and social care sector, across providers of care and IT systems, is using information standards to ensure systems are fully interoperable, so data can flow through the system in a usable and standardised form. The measures provided in the DUA act are intended to enable this vision to be delivered further, faster – by extending the scope of information standards to apply to IT suppliers of products and services used in the health and care system. Further, there is value to patients from improved patient safety. In addition, improved standardisation of information will facilitate research and promote innovation, further supporting improved patient outcomes, as well as improved decision-making enabled by access to accurate and complete information and supporting a more dynamic and responsive health and care IT market. 75. The proposed reforms aim to update UK data processing laws, including those related to law enforcement and national security, to maintain high data protection standards and bolster public confidence in how the public sector uses data. The Home Office seeks to simplify legislation, reduce administrative burdens, and ensure consistency across data processing regimes, such as aligning the definition of consent in law enforcement with UK GDPR. The reforms will also support Law Enforcement Agencies in making better use of Automated Decision Making (ADM), and improve international data flows 76. There has been growing global support for legislation providing independent researchers access to online safety related data to conduct associated research. This issue was raised during the passage of the OSA. Good quality research will help identify unknown or emerging risks and will provide evidence on the impact of providers’ activities, enabling protective actions from Ofcom, government, providers, and civil society. The European Union’s Digital Services Act mandates access to data for researchers. This provision aims to provide SoS with the ability to create regulations on researchers’ access to data. Should SoS decide to regulate, the regulations will provide a legal basis for researchers to request or access online safety related information to conduct research. The evidence base for the decision to introduce a framework, as well as what any future framework will look like, will be developed by Ofcom’s report into the matter and a government consultation. 77. Reforms also seek to ensure your data is well protected. We are modernising and strengthening the ICO. It will be transformed into a more modern regulatory structure, with a CEO, board and chair. And it will have new, stronger powers. This will be accompanied by targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies. 78. A further reform objective is to establish a Data Preservation Process that coroners (and procurators fiscal in Scotland) can initiate when they decide it is necessary and appropriate to support their investigations into a child’s death. This will help coroners get access to online information they need when investigating a child’s death. 79. These policies are designed to boost trade and remove barriers to international data flows. Consumers and businesses collect, share and process personal data internationally in order to use or trade digital products and services. According to the World Trade Organisation, trade in data-enabled services grew from $1.0 trillion in 2005 to $3.9 trillion in 42 2022.44 Data flows have a larger impact in raising world GDP than the trade in goods.45 In 2024 the UK exported £330 billion in data enabled services (65% of total UK services exports) and imported £154 billion in data-enabled services (49% of total UK services imports).46 80. The objective of amending the Smart Meter Communication licensing procedure is to provide Ofgem with flexibility in the way in which it appoints the future licence holder. The process for Ofgem to identify a successor licensee is set out in primary legislation and further in regulations. Ofgem has recently consulted on the specific measure in this Act, proposing that changes to the legislative framework that specifies the process by which a new licensee is appointed, would be in the interests of consumers. This consultation engaged industry stakeholders, including the incumbent licence holder. 81. Separately, since 2021, in anticipation of the current DCC licence term coming to an end, Ofgem have been undertaking a review of the regulatory framework for it. They have consulted with industry at each stage of the development of that framework.47 A September 2022 consultation set out the key principles that they were seeking to achieve, together with a series of proposed regulatory options, evaluated against those principles. That consultation culminated in a published document in August 2023 setting out Ofgem’s decisions on the overarching regulatory framework. A wide variety of industry stakeholders, including the incumbent, were engaged in and responded to that consultation. 82. The proposed measure does not impact on the regulatory framework for the future licence which Ofgem will implement using its existing powers. Rather the measure aims to provide flexibility in how the process to appoint the licensee is carried out. Amendments made to the preferred package of reforms (October 2024 – June 2025) 83. Since the Bill’s introduction in October 2024, a number of amendments were proposed, reflecting stakeholder feedback and further policy development. These are set out in the amendment papers for the Bill. These amendments were made as the Bill progressed through the Lords and Commons. The impact analysis section has assessed these amendments where there are additional economic or wider impacts to UK businesses, the public sector or data subjects. For substantial technical and policy amendments, we have included an outline of their rationale for inclusion. These include the following: Table 8: List of all amendments since the DUA Bill’s introduction (October 2024) Amendment Rationale for inclusion Lawfulness of Processing & Rights of Data Subjects: This amendment adds an express reference to children meriting specific protection with regard to their personal data when the SoS is considering whether to use regulations to add to During Lords Committee stage, peers raised concerns about what they saw to be a lack of specific protections for children’s personal data. They emphasised children’s unique vulnerabilities and the need for stringent safeguards across educational, social media, and health platforms. A key issue was the omission of the opening part of Recital 38 of the UK GDPR, which states, 'Children merit specific protection with regard to their personal data,' from Clause 46 DSIT Internal analysis estimating the UK’s data enabled services trade using ONS experimental estimates for proportion of UK services trade delivered remotely. 47 https://www.ofgem.gov.uk/decision/dcc-review-phase-1-decision 43 the list of ‘recognised legitimate interests’ 91 of the Act, which provides the ICO with a duty to consider that children may be less aware of the risks of consequences of processing and their rights in relation to it in all its data protection activities where relevant. To address these concerns and ensure consistency in areas where similar language was used, the amendment adds the opening wording from recital 38 to the start of the existing duty in Clauses 70 (recognised legitimate interests) and 91 (the ICO’s duties). The amendment was designed to improve the clarity of an existing Act provision in Clauses 70 and 91. Information Commissioner’s Office - Privacy by design: children’s higher protection matters This amendment builds on existing duties under Article 25 of the UK GDPR to design their processing activities in a way that complies with the data protection principles. It requires Information Society Services that are likely to be accessed by children (and are already subject to the Age-Appropriate Design Code) to consider how best to protect and support children when designing their services; and to take account of the fact that children merit specific protection because they may be less aware of the risks of the processing, and may have different needs at different ages. During Lords stages of the Bill, peers raised concerns that the ICO duty alone would not sufficiently increase protections for children, unless data controllers were also under a clear legal obligation to consider children’s interest in the design of their processing activities. Direct Marketing - Regulation 22 of the PEC Regulations prohibits the transmission, by means of electronic mail, of unsolicited communications to individual subscribers. This amendment creates an exception from the prohibition for direct marketing carried out by a charity for charitable purposes. Regulation 22 of the PEC Regulations applies to the transmission of unsolicited communications by electronic mail to individual subscribers. Electronic mail covers, among others, communication by email or text messages. Under this regulation unsolicited communication by such means is in principle prohibited without the recipient’s consent, unless exceptions apply. Currently regulation 22 of the PEC Regulations provides for one exception. It allows anyone (companies, charities, or other organisations) to send electronic marketing communications to an individual (recipient) without their explicit consent, if their contact details were collected during the sale of a product or service, or negotiations of a sale. The direct marketing materials benefiting from this exception may only concern similar products and services and the individual recipient must be offered a simple means of opting out of receiving marketing communications, both at the time the contact details are collected and in all subsequent communication sent. Both safeguards are aimed at limiting an individual’s exposure to spam and nuisance communications. This exception is commonly known as the ‘soft opt-in'. The current exception does not enable charities to send direct marketing messages to individuals in order to fundraise or promote campaigns, which is a core activity for some charities in helping them to deliver their charitable purpose(s). The government engaged with stakeholders, listening to the concerns raised by the sector over the difficulties it has experienced through covid and cost of living situation and has taken steps to support charities resilience. 44 Smart Data During the Act’s passage through the House of Commons, the government introduced amendments to Part 1 which are summarised below under four groups. These amendments were accepted and now form part of the Act. Group 1 – These amendments expressly allow regulations to require business data to be provided to a third party appointed by a public authority and to require that third party to publish or disclose the business data. Group 2 – This group of amendments contains changes to fee charging under section 11. The amendments have the following aims: a. Allowing regulations to provide for charging of fees that exceed expenses where appropriate. Under the initial drafting, regulations could only enable persons listed in section 11(2) (including data holders, decision makers, interface bodies, enforcers and others) to charge fees to cover the costs of performing duties or exercising powers conferred by or under Part 1 regulations. The amendment ensures that Smart Data schemes can operate on a commercial basis if necessary. b. Enabling regulations to clarify whether or not powers to charge arising outside of regulations made under Part 1 can be used to charge fees in connection with performing duties or exercising powers conferred by or under those regulations. The amendment also provides that section 11 does not prevent or limit what third-party recipients can charge (with some exceptions). The policy intention has always been that the basis of charging arrangements between third party recipients and customers is a commercial matter for them to determine. c. The amendments to section 15, mirror the changes above, ensuring that the Treasury’s power to confer rule-making powers on the FCA regarding fees is consistent with the general fee charging power under section 11. Group 3: This group contains amendments regarding The Treasury’s power to confer rule making powers to the FCA. The amendments to section 14, allow the Treasury to delegate powers to the FCA to set rules around interface requirements for persons who are enabled by regulations to take action on behalf of a customer (sometimes referred to as action initiation). This amendment brought the drafting of the Act in line with the policy intention and will ensure that Open Banking-enabled payments continue to work effectively. Group 4: The government also introduced further amendments that are either clarifying amendments or have otherwise been assessed to have minimal impact. 45 New section 251ZC of the Health and Social Care Act 2012 (public censure of relevant IT providers) if that would contravene the data protection legislation. Government minor and technical amendment – details are captured in the commons amendments48 NUAR - Devolved Government Consent The NUAR measures legislate in a devolved area. Amendments tabled during Bill passage mean that the Secretary of State will be required to gain the consent of devolved governments before regulations can be made, where the regulations relate to apparatus in the street in Wales and Northern Ireland, or otherwise touch on devolved competencies. NUAR - Requirement to produce guidance This amendment requires The Secretary of State to produce guidance for persons gaining access to NUAR through regulations made under section 106C and article 45C informing them on how to protect information kept in, or obtained from, NUAR. Adds references to investigating crime to existing references in the Data Protection Act 2018 to detecting or preventing crime. Government minor and technical amendment Copyright works and artificial intelligence systems This clause commits the government to publishing a report and Impact Assessment within 9 months of Royal Assent: • The Impact Assessment will cover the options laid out in the consultation, as well as any alternative options that are under consideration. • The Report will cover the policy options from the consultation as well as any other options the Secretary of State considers appropriate following the consultation. The report must consider and make proposals with regard to; • Technical measures and standards that may be used to control use of works, or accessing works by webcrawlers • The effect of copyright on access to and use of data by AI developers, including SMEs • The disclosure of information by AI developers about their use of copyright works and how they have accessed them (transparency) • Licensing of copyright works for AI training • Potential approaches to models trained overseas Approaches to enforcement of rules relating to copyright, AI and web crawlers, including potential future regulatory options. 48 Data (Use and Access) Bill [HL] 46 Summary of preferred option with description of implementation plan 84. This section and the rest of this Impact Assessment reflects the original preferred package of reforms combined with the changes made throughout the policy development of the DUA Bill. The table below provides a list and summary of all of these reforms. Table 9: All policy reforms and measures included in the preferred package Reform measure Reform Summary Original measures as introduced October 2024 Research Purposes ● Consolidating research provisions into a single chapter Research Purposes ● Creating a statutory definition of scientific research Research Purposes ● Incorporating broad consent for scientific research into legislation Research Purposes ● Extending the “disproportionate effort” exemption on information provision requirements for further processing for research purposes of personal data collected directly from the data subject Research Purposes ● Extending the exemptions from the regime when conducting scientific research to include when that research is carried out in a commercial setting. Further Processing ● Clarifying how personal data can be further processed for research purposes Further Processing ● Clarifying that further processing for an incompatible purpose may be lawful when based on a law that safeguards an important public interest or when the data subject has re-consented Further Processing ● Exempt archives from further processing rules where personal data was originally obtained in reliance on consent. Legitimate interests ● Recognised Legitimate Interests. The Act will introduce a new lawful ground for non-public bodies when processing personal data for “recognised legitimate interests”. This is limited to a small number of public interest objectives, such as the prevention of crime, safeguarding vulnerable individuals and responding to emergencies. Under the current law, data controllers have to do a detailed assessment of whether their interests are outweighed by the rights of data subjects when processing personal data for such purposes AI and Machine Learning ● Future proofing Article 22 AI and Machine Learning ● Enhancing the approach to explainability and accountability for fair processing in the context of AI AI and Machine Learning ● Clarifying the circumstances in which safeguards apply to significant decisions that are taken about individuals on the basis of profiling. Data Adequacy ● Underpinning the UK’s future approach to data adequacy regulations with principles of risk-assessment and proportionality Data Adequacy ● Relaxing the requirement to review data adequacy regulations every 4 years Alternative Transfer Mechanisms ● Power for SoS to formally recognise new ATMs Alternative Transfer Mechanisms ● Changes to the standard approach to alternative transfer mechanisms. (Art 46) 47 Alternative Transfer Mechanisms ● Ensuring businesses are able to continue to use their pre-bill existing transfer mechanisms without a requirement for further checks and avoiding additional costs. Public Interest ● Lawful ground for transferring personal data under the UK-US Data Access Agreement ● Clarifying that private organisations & individuals asked to carry out an activity on behalf of a public body may rely on that body’s lawful ground for processing the personal data under Art 6(1)(e) Digital Economy Act 2017 (CDDO) ● To extend powers under section 35 of the Digital Economy Act 2017 aimed at improving public service delivery to business undertakings, beyond the current scope of solely individuals and households Public Safety and National Security (Home Office): Part 4 ● Amendments to Part 4 of the DPA 2018 - Joint processing by intelligence services and competent authorities Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● National security exemption (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Data subjects’ rights to information: legal professional privilege exemption (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Consent to law enforcement processing (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Law enforcement processing and codes of conduct (DPA 2018 part 3) Public Safety and National Security (Home Office): Law Enforcement Data Reform Proposal ● Logging of law enforcement processing (DPA 2018 part 3) Automated decision making (DPA 2018 part 3) Public Safety and National Security (Home Office): International Transfers ● Transfers based on special circumstances (Schedule 6 DPA, Section 76) Subsequent transfer's (Section 78 DPA) Public Safety and National ● Clarify conditions on the use of international processors by UK competent authorities (Part 3 DPA) 48 Security (Home Office): International Transfers Public Safety and National Security (Home Office): Biometrics ● Retention of biometric data and recordable offences Public Safety and National Security (Home Office): Biometrics ● Retention of biometric data from INTERPOL Public Safety and National Security (Home Office): Biometrics ● Retention of biometric data from other international partners The National Underground Asset Register ● National Underground Asset Register Legislation to underpin a national register of underground assets (cables etc.) The National Underground Asset Register ● Create powers to ensure the full participation by all owners of underground assets in NUAR and enable a sustainable charging regime. Data Preservation Notices ● Establishing a data preservation process which will require OFCOM, following instruction by a coroner, to issue data preservation notices to online service companies to ensure they retain data that may later be requested by a coroner when carrying out an inquest into a child's death. Smart Meter Data (DESNZ) ● Create new power to give Ofgem more flexibility in the process it needs to follow to identify the successor holder of the Smart Meter Communication Licence. ● Enable Ofgem to modify conditions of existing licences and industry codes if it considers that it is necessary or expedient to do for the purpose of granting a Smart Meter Communication Licence. Online safety researchers access to data ● Create powers for the Secretary of State (SoS) to place a duty on platforms to comply with any regulations later passed by SoS allowing researchers access to certain data held by platforms. Electoral Purposes ● Amend Schedule 1 of the Data Protection Act 2018 so that the 4-day threshold in which outgoing elected representatives have to process special category data on behalf of their constituents without explicit consent, is changed to 30 days, to overcome these operational barriers. Electoral Purposes ● Amending exemptions in Sch 1 DPA 2018 (special category data) to permit elected representatives to process political opinions data. Subject Access Requests (Joint DSIT/HO) ● Clarifying that controllers are not required to make disproportionate searches in response to subject access requests - necessary as a result of the loss of the EU principle of proportionality under the REUL Act Subject Access Requests (Joint DSIT/HO) ● Time limits for responding to requests by data subjects (SAR) (DPA 2018 Part 3/4) Privacy and electronic communications ● To add three low privacy risk exceptions to the prohibition on storing information, or accessing information stored, on a user’s connected device. For example, collecting statistical information to improve the service/website requested by the user Privacy and electronic communications ● Empowering ICO to take action against organisations for the number of unsolicited direct marketing calls 'sent' as well as calls 'received' and connected. 49 Privacy and electronic communications ● Amending the regulations’ enforcement tools and sanctions so that they are aligned with the regime under the Data Protection Act 2018, including fine levels, whilst keeping bespoke tools such as third-party information notices. Privacy and electronic communications ● Extending approved code of conduct provisions under Article 40 UK GDPR to the PEC Regulation Privacy and electronic communications ● Extending the reporting period for breaches under reg 5A PEC Regulation from 24 to 72 hours Updating Special Category Data ● Create a new power for the Secretary of State to add new types of data to the list of special categories of data that get extra protection. This will provide the flexibility to add new types in the future including in response to new technological developments, to ensure heightened protections for citizens. Digital Identity ● eIDAS/trust services Digital Identity ● Data checking gateway Digital Identity ● Trust framework accreditation and certification Digital Identity ● Trust framework governance Digital Identity ● Validity of digital identity Digital Identity ● Mutual recognition of digital identities Digital Identity ● Mutual recognition of trust services Digital Identity ● Welsh and Scottish safeguards for Digital Verification Services Digital Identity ● Include a power for DSIT SoS to approve additional rules for particular sectors or use cases which build on the rules in the UK digital identity and attributes trust framework; to make provision for organisations to be certified against those additional rules; and to make provision for the DVS Register to note which sets of additional rules (if any) an organisation has been certified against in addition to the trust framework. In policy terms, we refer to a set of additional rules as a ‘scheme’, and we expect the equivalent term in the Act to be ‘supplementary code’. Digital Identity ● To amend the Immigration Act 2014 and the Immigration Asylum and Nationality Act 2006 to permit regulations to specify that, where digital checks are undertaken, these are undertaken by a DVS provider on the DVS register. Smart Data (DBT) ● Smart Data: Introduction of primary legislation, creating new “regulation- making” powers to enable Smart Data schemes to be introduced in any given sector.[ Smart Data (DBT/HMT) • That the Smart Data primary legislation includes the four groups of Smart Data amendments introduced throughout the Data (Use and Access) Act’s passage through parliament, as set out in Table 8. Data Architecture (DHSC) ● Enabling legislation to prepare, publish and mandate standards that apply to the products and services provided by IT suppliers Data Architecture (DHSC) ● Enabling legislation to prepare, publish and mandate standards that apply to the products and services provided by IT suppliers, to ensure that those products and services enable and support data to be accessed, interrogated and processed in real time by anyone with the basis to appropriately access that data, irrespective of the system used by the health or social care provider who collated, produced or otherwise processed that data. Public Safety and National Security (Home Office): Birth and Deaths ● Remove the requirement for paper birth and death registers moving to an electronic register Strategy, Objectives and Duties ● ICO's Objectives and Duties Strategy, Objectives and Duties ● Statement of Strategic Priorities 50 Governance Model and Leadership ● Remove the Information Commissioner corporate sole structure. Introduce a Board structure with Chair/CEO. Governance Model and Leadership ● Remove the requirement for Parliament to agree to a change to the IC salary. Accountability and Transparency ● Accountability and Transparency - require publication of key documents Accountability and Transparency ● Statutory codes of practice - ICO required to undertake and publish an impact assessment and consult with a panel of experts when developing or updating statutory codes of practice, unless exempt Complaints ● Complaints - organisations required to have a complaint handling process Enforcement Powers ● Enforcement - power to commission technical reports Enforcement Powers ● Enforcement - power to compel witnesses to attend interview Enforcement Powers ● Enforcement - notice of intent extension Enforcement Powers ● Enforcement - without attending premises clarification Measures introduced via amendments National Underground Asset Register • Guidance will be required to be provided to end users to about how to protect information kept in or obtained from NUAR National Underground Asset Register • Changes made to reflect agreement with devolved government establishing how the devolved governments will be engaged in the delivery of NUAR regulations. Express reference to children meriting specific protection with regard to their personal data • Provides ICO with a duty to consider that children may be less aware of the risks of consequences of processing and their rights in relation to it in all its data protection activities where relevant. Data protection by design: children’s higher protection matters • Provides ICO with a duty to consider that children may be less aware of the risks of consequences of processing and their rights in relation to it in all its data protection activities where relevant. Creating, or requesting the creation of, purported intimate image of an adult • Criminalising the creation, or requesting the creation of, a purported intimate image (deepfake) of another person aged 18 or over without the adult’s consent or reasonable belief in consent. Copyright works and artificial intelligence systems • The Act requires that a set of reports on the use of copyright works in the development of AI systems are published within 9 months, and that a statement of progress is provided within 6 months Direct Marketing • Allowing charities to send direct marketing for the purposes of furthering one or more of their charitable purposes. 51 85. A theory of change sets out how policies have direct and indirect effects that contribute to achieving final intended outcomes and objectives. We have developed a theory of change for our preferred package of policies using economic principles and evidence of the impact of comparable policies. 86. The figure below sets out the theory of change for the group of reforms. Where we have sufficient evidence and we have been able to make reasonable assumptions, we have quantified the net impact in terms of changes relative to the baseline. We assume the baseline is where the status quo remains in place with respect to the current data protection regime. 87. The preferred package of policy options is designed to correct for the current market failures by encouraging greater responsible data use, reducing costs for businesses and encouraging more effective use of personal data in public organisations. As a result of this we expect to see an increase in productivity across businesses in the UK and an increase in trade as international data transfers increase. 88. More detailed theory of change for the Smart Data initiatives49, Digital Identity50, National Underground Asset Register51 and Interoperability of Health Care Systems52 reforms can be found in their respective impact assessments. We have simplified these here to provide an overview of the impacts and outcomes. 49 Smart Data Impact Assessment 2024 - DBT 50 Digital identity and attributes - De Minimis Assessment, 2024 DSIT 51 NUAR Impact Assessment, 2024 DSIT 52 DHSC Open Data Architecture Information Standards Impact Assessment, 2024 52 Figure 1: Theory of change for preferred option 53 89. The policies included in this package will be primary legislation and some will be followed up by further secondary legislation. Analytical evidence for the reforms that are likely to be followed up by secondary legislation tends to be limited in these early stages, though we have included all that is available. More analytical detail will be provided in the secondary legislation Impact Assessments. The table below details the reforms in the Act that will likely be followed by secondary legislation and whether these are likely to include any direct costs or benefits to business – further details can be provided as policy develops. Table 10: List of all reforms that are being followed up with secondary legislation Reform Heading Reform subheading Will secondary legislation include direct costs and benefits to UK businesses? Who will be responsible for the secondary legislation IAs? AI and Machine Learning Future proofing Article 22 Enhancing the approach to explainability and accountability for fair processing in the context of AI Yes DSIT Delivering better public services To extend powers under section 35 of the Digital Economy Act 2017 aimed at improving public service delivery to business undertakings, beyond the current scope of solely individuals and households (CDDO) No CDDO Digital Identity Digital Identity: Create a governance framework and enable checks against government-held data53 No DSIT Smart Data Smart Data: Introduction of primary legislation, creating new regulation-making powers to enable Smart Data schemes to be introduced in any given sector54 Yes This will be sector specific Health and Social Care Create primary legislation for a new power for the Secretary of State for Health and Social Care to direct suppliers to adopt an open data architecture approach55 Yes DHSC National Security and Law Enforcement Joint processing by intelligence services and competent authorities Yes Home Office NUAR National Underground Asset Register Legislation to underpin a national register of underground assets (cables etc.). Only some of the NUAR policy is subject to secondary legislation. Yes DSIT 53 This is the preferred option in the Digital identity and attributes - De Minimis Assessment 2024 published by DSIT 54 This is the preferred option in the Smart Data initiatives Impact Assessment 2024 published by DBT 55 An overview of how this policy will be implemented can be found in the DHSC Open Data Architecture Information Standards Impact Assessment, 2024. 54 Reform Heading Reform subheading Will secondary legislation include direct costs and benefits to UK businesses? Who will be responsible for the secondary legislation IAs? Online Safety Researchers’ Access to Data Amend the OSA via the DUA to provide SoS with a regulation making power regarding researchers’ access to data. Yes DSIT 90. In order to measure the continued success of these reforms, we are building a monitoring and evaluation framework that will ensure that we measure and monitor the changes to the key impact variables including GVA and business costs throughout the life of the policies. 55 Impact Analysis Assumptions and methodology 91. The preferred package of reforms has been analysed and estimations of the potential costs and benefits can be found below. These are assessed over a period of 10 years from 2024 to 2033, and are discounted using the Green Book’s suggested discount rate of 3.5%.56 92. Where analysis has already been published with respect to some of the policies included in the Act, this is referenced accordingly. This is the case for the Digital Identity measures57, the Smart Data policies58, the NUAR measures59, the Interoperability of Health Care systems measures60 and the Researchers’ Access to Data provisions61. In these cases, where appropriate, all costs and benefits have been appraised over 10 years and the same base year has been applied. Where other government departments have fed into this analysis, this is also the case. 93. The expected impact of the policies will fall on private organisations that use data and those that currently face barriers in doing so. Public sector organisations will also be impacted by reforms designed to improve the efficiency of data transfers across government departments and increase the interoperability across health and social care systems. Many of these reforms are also designed to make data use for Law Enforcement Agencies (LEAs) and Intelligence Services more efficient. 94. Where sufficient robust data is available, we have estimated the monetary impact of the various reforms, both direct and indirect. Where this evidence is not yet available, we have provided an in-depth outline of the potential costs and benefits and ensured that any evidence gaps will be referenced in our monitoring and evaluation plan which can be found at the end of this IA. 95. This section begins by looking at the direct monetised benefits of implementing the package of reforms, this includes the saving in compliance costs for UK businesses and a deep dive into the benefits of increased regulatory oversight and data-use in national security and law enforcement. This is followed by qualitative analysis of the direct benefits where monetary evidence is currently limited. 96. Following the analysis of the direct benefits, we look at the indirect benefits. Using analysis, we have estimated the potential impact on UK productivity levels of an increase in data use resulting from these reforms. We have also conducted analysis that looks at the potential impacts to consumer trust and privacy as well as the reduction in ambiguity for businesses and the delivery of better public services. 97. We expect the package of reforms to have a net positive impact overall, however we provide an overview of the direct and indirect costs that could be faced by UK businesses as a result of these policies. These costs are likely to consist mainly of familiarisation costs faced by 56 HMT: The Green Book, 2022 57 DSIT: Digital identity and attributes - De Minimis Assessment, 2024 58 DBT: Smart Data Impact Assessment, 2024 59DSIT: NUAR Impact Assessment, 2024 60 DHSC Open Data Architecture Information Standards, 2024 61 DSIT: Researchers’ Access to Data Impact Assessment, 2024 56 businesses and public sector organisations having to update any processes and systems to be in line with the new guidance. 98. As well as looking at the costs and benefits to UK businesses we have also estimated the impact on international trade. For this analysis we have used a variety of approaches however as the modelling uses many variables and assumptions that create uncertainty, we are excluding this from the total estimated NPV for the package of reforms. 99. Alongside the potential trade impacts of the reforms, we are also aware that any changes to the UK’s current data adequacy regulations are likely to have an impact on these results. We have used consultation responses to build upon the analysis previously conducted, and refined our methodology to present a possible range of the monetary impact to the UK if Adequacy with the EU were to be removed. 100. As there is a wide array of reforms in the package the cost benefit analysis is split out in table 11 and the reforms are classified as being either monetisable or not, having direct or indirect impacts, whether or not they will be followed by secondary legislation or not, and who is likely to be impacted. 101. Some of the measures assessed here are enabling only and given the uncertainty over the contents of the secondary legislation, will be assessed more fully at that stage (scenario two in the RPC’s primary legislation guidance). The impacts of these secondary measures are either indirect or unquantifiable at this stage. Usually where this is the case, an impact assessment would present two EANDCBs. However, in this case they are the same and therefore the EANDCB figures presented here cover the set of policies as a whole. 102. Throughout this section references are made to data controllers, data processors and joint controllers. Data controllers are understood to be the individual or organisation who determine the purpose and means of processing personal data, they exercise overall control over the data being processed and are ultimately responsible for the processing. Data processors are understood to be the individual or organisation that processes personal data on behalf of the controller, they act under the authority, and in the interests of, the data controller. Joint controllers are where two or more data controllers jointly determine the purpose and means of processing; they have the same shared purposes. Controllers are not considered joint controllers if they are processing the same data for different purposes62. Impact of Criminalising the creation, or requesting the creation of, a purported intimate image (deepfake) of another person aged 18 or over without the adult’s consent or reasonable belief in consent. 103. We expect low levels of police recorded crime: as this offence relates solely to the creating or requesting of these images, often without any intention that the person in the image is aware, many instances may not be reported to the police. 104. Conversely, where the new offences are reported, it is likely that this will occur along with the offences of sharing or threatening to share the image which has been created. If an intimate image deepfake were to be shared without consent or threatened to be shared it would be captured under existing legislation in the Sexual Offences Act 2003, carrying a sentence of up to two years in custody. We expect that the police would pursue this more 62 ICO: What are ‘controllers’ and ‘processors’? 57 serious charge as well as the “creating” offence, and that the offender would be sentenced for the totality of their offending behaviour. 105. To estimate the costs to the Criminal Justice System (CJS) of this measure, data from South Korea was used, where the creation and sharing of sexually explicit deepfakes was criminalised in 2021, alongside data from the Security Hero ‘State of Deepfakes’63 report, which covers the ‘reality, state and impact’ of online deepfakes over the period 2019 to 2023. 106. South Korea is used as a comparison as it is one of the few countries where sexually explicit deepfakes have been criminalised for long enough for there to be useful data. However, this data is suggestive only, due to differences in the relevant criminal law and the wider cultural environment. 107. For the “requesting” offence there is even more limited data as it is a novel offence. We assume that, since the law in South Korea is even more comprehensive (possession of sexually explicit deepfakes is criminalised), our methodology using volumes in South Korea as a base covers both offences. 108. To estimate the impacts of Option 1, we have used the following scenarios: a. The ‘low’ scenario assumes the increase in sexually explicit deepfakes has been linear between 2019-2023 (17,422 and 95,820 respectively - the two given data points in the Security Hero report) and has increased at a rate of roughly 13% per year. It also applies the Security Hero observational data which shows South Koreans to be the victims of 53% of online deepfakes, whilst UK victims form 6% of the total. This gives a ratio of 8.83, which has then been applied to South Korea’s police recorded crime figures. b. The ‘high’ scenario adjusts the South Korea police recorded crime figures with the ratio of voyeurism offences observed in South Korea to the UK between 2013-2018 (3.17). It applies the compound growth rate of police recorded crime in South Korea between 2021 and 2024 (62%), which could approximate the observed trend in the UK due to the expected trajectory of detection and policing changes after criminalisation, as well as technological and accessibility improvements. 109. The ‘best’ estimate takes the average of the high and low scenarios, which are calculated as above and presented in Section F, and form a wide range reflecting the lack of robust evidence to base estimates off: 110. In both the ‘high’ and ‘low’ scenarios, the prevalence of sexually explicit deepfakes is assumed to increase for 5 years following the last observed data point (2024 for police recorded crime in South Korea) before reaching a steady state. This is to reflect likely technological and accessibility improvements over the appraisal period 111. These assumptions result in baseline 2024 UK police recorded crime figures of around 80 in the low estimate and around 210 in the high estimate. We expect these to serve as an overestimate. 63 2023 State Of Deepfakes: Realities, Threats, And Impact 58 Impact of reporting on copyright works and artificial intelligence systems 112. The Act requires that an impact assessment is carried out on the four options consulted on in section B.4 of the Copyright and AI Consultation Paper and is published within 9 months, and that a statement of progress is provided within 6 months. As part of the Better Regulation Framework, it is a requirement for government departments to carry out final- stage impact assessments for measures which are brought forward for legislation, including the short-list options considered. Work on producing an impact assessment can therefore be considered business as usual, and would not add significant additional public costs compared to the counterfactual. However it does guarantee than an economic assessment is published in this time period, and it will be of benefit to stakeholders who engage with the results of the assessment. This is not monetised. 113. The Act requires that a set of reports on the use of copyright works in the development of AI systems are published within 9 months, and that a statement of progress is provided within 6 months. These reports would provide the public with more detail several issues regarding the use of copyright works in AI model training. Work on these subjects is expected to be conducted by government officials with consultation from stakeholders. This work will be absorbed into business as usual resource, therefore there will be limited additional public cost to producing the reports. This is not monetised. 59 Table 11: Breakdown of all costs and benefits by category Benefits Benefits Reform Monetised? Direct? Followed by secondary legislation? Who is impacted? Compliance cost savings Harness the power of data for economic growth Monetised Direct No UK Businesses Compliance cost savings Improve people’s lives Monetised Direct No UK Businesses Support a modern digital government Relaxed requirement to review data adequacy decisions Monetised Direct No Government (ICO) Support a modern digital government Enforcement Powers Monetised Direct No Government (ICO) Support a modern digital government Complaints Monetised Direct No Government (ICO) Harness the power of data for economic growth Harness the power of data for economic growth Monetised Indirect No UK Businesses Creation of Innovative and Secure Smart Data Schemes (DBT): Increase in use of Smart Data schemes indirect benefits Introduction of primary legislation, creating new “regulation-making” powers to enable Smart Data schemes to be introduced in any given sector Non- Monetised Indirect Yes - to be followed up with sector specific legislation Consumers, businesses, data holders and data recipients Support a modern digital government Increased Interoperability and Trust of Digital Identity Systems - Create a governance framework and enable checks against government-held Monetised for four Indirect Yes - to be followed up UK businesses and consumers 60 Benefits Reform Monetised? Direct? Followed by secondary legislation? Who is impacted? data examples use cases with sector specific legislation Support a modern digital government Increased Interoperability and Trust of Digital Identity Systems - Create a governance framework and enable checks against government-held data  Indirect Yes - to be followed up with sector specific legislation UK businesses and consumers Improve peoples’ lives: Privacy, trust and individual data rights Harness the power of data for economic growth Non- Monetised Indirect No UK consumers Improve peoples’ lives: Privacy, trust and individual data rights Improve people’s lives Non- Monetised Indirect No UK consumers Support a modern digital government: Delivery of better public services Clarifying that private organisations & individuals asked to carry out an activity on behalf of a public body may rely on that body’s lawful ground for processing the personal data under Art 6(1) Non- Monetised Indirect No UK businesses and public sector organisations Support a modern digital government: Delivery of better public services Exemption for Archives from further processing rules Non- Monetised Indirect No Data subjects, Archives and public sector organisations Support a modern digital government: Delivery of better To extend powers under section 35 of the Digital Economy Act 2017 aimed at improving public service delivery to business undertakings, beyond the current scope of solely individuals and households (CDDO) Non- Monetised Indirect Yes UK businesses and Government 61 Benefits Reform Monetised? Direct? Followed by secondary legislation? Who is impacted? public services Improve peoples’ lives: Improved Customer Outcomes All reforms Non- Monetised Indirect No Consumers Improve peoples’ lives: Improved Interoperability across Health and Social Care Systems Improved Interoperability across Health and Social Care Systems: Create primary legislation for a new power for the Secretary of State for Health and Social Care to direct suppliers/suppliers to adopt an open data architecture approach through the use of ISNs. 64 Non- Monetised Indirect Yes Healthcare providers, patients and third-party providers Improve peoples’ lives: Improved Interoperability across Health and Social Care Systems Improved Interoperability across Health and Social Care Systems: Create primary legislation for a new power for the Secretary of State for Health and Social Care to direct suppliers/suppliers to adopt an open data architecture approach through the use of ISNs.64 Non- Monetised Direct Yes Healthcare providers, patients and third-party providers Improve peoples’ lives: Improved Interoperability across Health and Social Care Systems Improved Interoperability across Health and Social Care Systems: Create primary legislation for a new power for the Secretary of State for Health and Social Care to direct suppliers/suppliers to adopt an open data architecture approach through the use of ISNs. 64 Monetised Indirect Yes Healthcare providers, patients and third-party providers Improve peoples’ lives: Improved Interoperability across Health and Social Care Systems Improved Interoperability across Health and Social Care Systems: Create primary legislation for a new power for the Secretary of State for Health and Social Care to direct suppliers/suppliers to adopt an open data architecture approach through the use of ISNs. 64 Monetised Direct Yes Healthcare providers, patients and third-party providers Support a modern digital government: Law Enforcement Logging of law enforcement processing (Part 3 DPA) Monetised Direct No Government (LEAs) and private sector 64 This is the preferred option in the DHSC proposed reforms 62 Benefits Reform Monetised? Direct? Followed by secondary legislation? Who is impacted? Agencies LEAs Support a modern digital government: Law Enforcement Agencies Data subjects’ rights to information: legal professional privilege exemption (Part 3 DPA) Data subjects’ rights to information: legal professional privilege exemption (Part 3 DPA) Non- Monetised Direct No Government (LEAs and UK Intelligence Services) Support a modern digital government: Law Enforcement Agencies Time limits for responding to requests by data subjects (Part 3 and 4 DPA) Non- Monetised Indirect No Government (LEAs and UK Intelligence Services) Support a modern digital government: Law Enforcement Agencies National security exemption (DPA 2018 part 3) Non- Monetised Indirect No Government (LEAs and UK Intelligence Services) Support a modern digital government: Law Enforcement Agencies Amendments to Part 4 of the DPA 2018 - Joint processing by intelligence services and competent authorities Non- Monetised Direct Yes Government (LEAs and UK Intelligence Services) Support a modern digital government: Law Enforcement Agencies Consent to law enforcement processing (DPA 2018 part 3) Non- Monetised Indirect No Government (LEAs and UK Intelligence Services) Support a modern digital government: Law Enforcement Agencies Transfers based on special circumstances (Schedule 6, Section 76 DPA) Non- Monetised Indirect No Government (LEAs and UK Intelligence Services) 63 Benefits Reform Monetised? Direct? Followed by secondary legislation? Who is impacted? Support a modern digital government: Law Enforcement Agencies Subsequent transfer's (Section 78 DPA) Non- Monetised Indirect No Government (LEAs and UK Intelligence Services) Support a modern digital government: Law Enforcement Agencies Retaining biometrics disseminated by Interpol and other international exchange routes Monetised Direct No Government (LEAs and UK Intelligence Services) Support a modern digital government: Law Enforcement Agencies Remove the requirement for paper birth and death registers moving to an electronic register Monetised Indirect No Government (LEAs and UK Intelligence Services) Support a modern digital government: Law Enforcement Agencies Remove the requirement for paper birth and death registers moving to an electronic register Non- Monetised Indirect No Government (LEAs and UK Intelligence Services) Harness the power of data for economic growth Introduction of provision to operationalise the National Underground Asset Register (NUAR), which is a digital map of underground pipes and cables. Monetised Direct Yes UK businesses and government Harness the power of data for economic growth Introduction of provision to operationalise the National Underground Asset Register (NUAR), which is a digital map of underground pipes and cables. Monetised Indirect Yes UK businesses and government 64 Benefits Reform Monetised? Direct? Followed by secondary legislation? Who is impacted? Harness the power of data for economic growth Introduction of provision to operationalise the National Underground Asset Register (NUAR), which is a digital map of underground pipes and cables. Non- Monetised Indirect Yes UK businesses and government Support a modern digital government Create powers for the Secretary of State (SoS) to place a duty on platforms to comply with any regulations later passed by SoS allowing researchers access to certain data held by platforms. Non- Monetised Indirect Yes Individuals, businesses and government Improve peoples’ lives: Privacy, trust and individual data rights Compliance benefits from charities having a clearer legal basis to send direct marketing for the purposes of furthering one or more of their charitable purposes. Monetised Direct No Businesses Improve peoples’ lives: Privacy, trust and individual data rights Allowing charities to send direct marketing for the purposes of furthering one or more of their charitable purposes leading to additional donations. Non- Monetised Direct No Individuals, businesses Strengthen the criminal law and increase confidence in Criminal Justice System Introduction of two new offences to protect individuals and educate the public about the unacceptability of the creating and requesting intimate deepfakes, and intimate image abuse more generally. Non- Monetised Direct No Individuals, Criminal Justice System Increase public knowledge of the key issues, factors and impacts to be considered ahead of potentially legislating on AI and copyright. Producing reports and an economic impact assessment on AI and Copyright. Non- monetised Indirect No Individuals, UK businesses and government. 65 Costs Costs Reform Monetised ? Direct? Followed by secondary legislation? Who is impacted? Familiarisation costs Harness the power of data for economic growth Monetised Direct No UK businesses Familiarisation costs Improve people’s lives Monetised Direct No UK businesses Familiarisation costs Enhancing the work of the UK intelligence services and Law Enforcement Agencies in the interest of public security (HO) Monetised Direct No Government (LEAs and UK Intelligence Services) Familiarisation costs New ICO Duty to consult Monetised Direct No Government (LEAs and UK Intelligence Services) Familiarisation costs Mandatory IAs for statutory codes and guidance Monetised Direct No Government (LEAs and UK Intelligence Services) Familiarisation costs Setting up expert panels for statutory codes and guidance Monetised Direct No Government (LEAs and UK Intelligence Services) Governance changes Monetised Direct No Government 66 Costs Reform Monetised ? Direct? Followed by secondary legislation? Who is impacted? Familiarisation costs (LEAs and UK Intelligence Services) Support a modern digital government (Enhance the work of the UK intelligence services and Law Enforcement Agencies in the interest of public security (HO)) Introduce the ability to actively review automated decisions Monetised but not included in calcs Direct No Government (LEAs) and UK businesses Support a modern digital government (Enhance the work of the UK intelligence services and Law Enforcement Agencies in the interest of public security (HO)) Time Limits for responding to requests by data subjects (Part 3 and 4 DPA) Non- monetised Direct No Government (ICO, LEAs and UK Intelligence Services) Support a modern digital government (Enhance the work of the UK intelligence services and Law Enforcement Agencies in the interest of public Law enforcement processing and codes of conduct (Part 3 DPA) Non- monetised Direct No Government (ICO, LEAs and UK Intelligence Services) 67 Costs Reform Monetised ? Direct? Followed by secondary legislation? Who is impacted? security (HO)) Support a modern digital government (Enhance the work of the UK intelligence services and Law Enforcement Agencies in the interest of public security (HO)) Amendments to Part 4 of the DPA 2018 - Joint processing by intelligence services and competent authorities Non- monetised Direct Yes Government (ICO, LEAs and UK Intelligence Services) Support a modern digital government (Enhance the work of the UK intelligence services and Law Enforcement Agencies in the interest of public security (HO)) Remove the requirement for paper birth and death registers moving to an electronic register Monetised Indirect No Government (ICO, LEAs and UK Intelligence Services) Support a modern digital government (Creation of Robust and Secure Smart Data Schemes (DBT): Increase in use of Smart Data schemes indirect costs) Introduction of primary legislation, creating new “regulation-making” powers to enable Smart Data schemes to be introduced in any given sector Non- Monetised Indirect Yes - to be followed up with sector specific legislation UK businesses and consumers 68 Costs Reform Monetised ? Direct? Followed by secondary legislation? Who is impacted? Improve people’s lives (Increased Interoperability and Trust of Digital Identity Systems) Create a governance framework and enable checks against government- held data Monetised for 4 examples use cases Indirect Yes - to be followed up with sector specific legislation UK businesses and consumers Improve people’s lives (Increased Interoperability and Trust of Digital Identity Systems) Create a governance framework and enable checks against government- held data Non- Monetised Indirect Yes - to be followed up with sector specific legislation UK businesses and consumers Improve people’s lives (Delivery of better public services) To extend powers under section 35 of the Digital Economy Act 2017 aimed at improving public service delivery to business undertakings, beyond the current scope of solely individuals and households (CDDO) Non- Monetised Indirect Yes UK businesses and Government Improved Interoperability across Health and Social Care Systems Prepare, publish and mandate standards that apply to the products and services provided by IT suppliers, to ensure that those products and services enable and support data to be accessed, interrogated and processed in real time by anyone with the basis to appropriately access that data, irrespective of the system used by the health or social care provider who collated, produced or otherwise processed that data.65 Non- Monetised Indirect Yes Healthcare providers, patients and third-party providers Improved Interoperability across Health and Social Care Systems Prepare, publish and mandate standards that apply to the products and services provided by IT suppliers, to ensure that those products and services enable and support data to be accessed, interrogated and processed in real time by anyone with the basis to appropriately access that data, irrespective of the system used by the health or social care provider who collated, produced or otherwise processed that data.65 Monetised Direct Yes Healthcare providers, patients and third-party providers Operationalise the National Underground Asset Introduction of provision to operationalise the National Underground Asset Register (NUAR), which is a digital map of underground pipes and cables. Monetised Direct Yes UK businesses and government 65 This is the preferred option in the DHSC proposed reforms 69 Costs Reform Monetised ? Direct? Followed by secondary legislation? Who is impacted? Register Operationalise the National Underground Asset Register Introduction of provision to operationalise the National Underground Asset Register (NUAR), which is a digital map of underground pipes and cables. Monetised Indirect Yes UK businesses Operationalise the National Underground Asset Register Introduction of provision to operationalise the National Underground Asset Register (NUAR), which is a digital map of underground pipes and cables. Non- Monetised Indirect Yes UK businesses and government Facilitate Researchers’ Access to Online Safety Data Create powers for the Secretary of State (SoS) to place a duty on platforms to comply with any regulations later passed by SoS allowing researchers access to certain data held by platforms. Non- Monetised Direct Yes UK Businesses Costs to relevant agencies in the Criminal Justice System New offences will increase volumes flowing through the Criminal Justice System, resulting in additional costs. Monetised Direct No Agencies relating to the Criminal Justice System Public costs of researching, drafting and publishing. Producing reports and an economic impact assessment on AI and Copyright. Non- Monetised Direct No UK government Wider impacts 70 Wider Impacts Reform Monetised ? Direct? Followed by secondary legislation? Who is impacted? Impact on Competition All reforms Non- Monetised Indirect N/A N/A Impact on Equalities All reforms Non- Monetised Indirect N/A N/A Impact on Individuals ICO Taxonomy of Harms Artificial Intelligence Ethics Increased Interoperability and Trust of Digital Identity Systems Use of data for purposes relating to electoral services Non- Monetised Indirect N/A N/A Environmental Impacts All reforms Non- Monetised Indirect N/A N/A National Security Impacts All reforms Non- Monetised Indirect N/A N/A 71 Benefits Summary Analysis of the benefits of the proposed package of reforms has been split in the following way, and further details can be found in the continuing sections. 1. Direct Benefits a. Monetised i. Compliance cost savings ii. Improved regulatory oversight iii. Enhancement of the work of the UK intelligence services and Law Enforcement Agencies in the interest of public security iv. Delivery of the National Underground Asset Register v. Improved interoperability across health and social care systems b. Non-monetised i. Enhancement of the work of the UK intelligence services and Law Enforcement Agencies in the interest of public security ii. Improved interoperability across health and social care systems iii. Strengthening of the criminal law to protect victims, reduce abusive conduct and prevent emotional distress and adverse physical health impacts associated with being a victim of abuse, thereby also increasing confidence in the Criminal Justice System. iv. Direct marketing carried out by a charity for charitable purposes. 2. Indirect Benefits a. Monetised i. Impact on UK business productivity and innovation ii. Increased interoperability and trust of digital identity systems iii. Remove the requirement for paper birth and death registers moving to an electronic register iv. Improved interoperability across health and social care systems v. Delivery of the National Underground Asset Register b. Non-monetised i. Creation of innovative and secure Smart Data schemes ii. Privacy, trust and individual data rights iii. Delivery of better public services 72 iv. Exemption for Archives from further processing rules v. Improved customer outcomes vi. Improved interoperability across health and social care systems vii. Enhancement of the work of the UK Intelligence Services and Law Enforcement Agencies in the Interest of Public Security viii. Remove the requirement for paper birth and death registers moving to an electronic register. ix. Powers relating to verification of identity or status (DSIT & Home Office) x. Power to add categories of sensitive processing (DSIT & Home Office) (DSIT & Home Office) xi. Processing in reliance on relevant international law (DSIT & Home Office) xii. Searches in response to data subjects(DSIT & Home Office) xiii. Clarify conditions on the use of international processors by UK competent authorities (Part 3 DPA) xiv. Delivery of the National Underground Asset Register xv. Ied interoperability and trust of digital identity systems xvi. Facilitating online safety researchers’ access to data 114. Benefits arise from a variety of impacts including an estimated increase in responsible data use and a reduction in compliance costs. We estimate the whole package of reforms will generate benefits of between £3.2 billion and £20.1 billion over ten years, discounted and in 2024 prices. These benefits arise mostly from the measures relating to reducing barriers to responsible innovation and reducing burdens on business and delivering better outcomes for people. The rest of this section sets out our approach and evidence used to quantify these benefits. 73 Direct benefits - Monetised 115. The preferred package of reforms is designed to be beneficial to both the private and public sector, where evidence is available, we have calculated monetised estimates of some of the direct benefits of the policies below. These include efficiency benefits from the use of NUAR, the compliance cost savings firms will experience, the efficiency benefits of the reforms to the ICO and the benefits to Law Enforcement Agencies of removing the need to log the ‘justification’ for consulting / disclosing data disclosure. Compliance cost savings 116. We have identified the reforms within the package that are likely to impact UK business compliance costs and updated these to reflect any post-consultation stage policy changes. Using data from the UK Business Data Survey,66 we have estimated the total number of businesses likely to be impacted following implementation. 117. The table below sets out some of the key compliance requirements and activities that we assume result from the current UK GDPR/DPA requirements, and the associated unit-costs or time-cost (costs incurred by organisations to undertake such activities or complete requirements). 118. The full list of legal activities, estimated costs and sources can be found in the table below. We have updated our modelling to use a more up to date exchange rate,67 and uplifted fees to 2024 prices. These are derived from the best available evidence, however, there remains a large degree of uncertainty. For example, we assume that the baseline cost of some compliance activities varies depending on the size of the organisation (e.g. establishing a lawful ground for data processing) whereas others do not (e.g. cost of seeking legal advice). 119. We have updated the impact assessment with all the relevant material as of Autumn 2024 made further updates to the modelling. These updates include changes to the estimated number of businesses in each sector and size category using 2023 ONS Business Population Estimates and use of the 2024 UK Business Data Survey to estimate the proportion of businesses affected by each measure. 120. Where data was available, we have updated the modelling to the 2024 edition of the UK Business Data Survey (UKBDS). UKBDS 2024 did not suggest many significant changes since 2022, however several smaller changes have had a cumulative impact on some of the model results. For this reason, we scrutinised all instances in which we used updated UKBDS figures. In some cases, we found that 2024 results were not sufficiently comparable to previous iterations of the UKBDS, for example due to different survey routing. In these cases, we tried to find compromise solutions, usually involving trying to draw and combine insights from previous survey iterations. For example, estimates for the number of businesses who handle digitised data and personal data were calculated by finding the average response to these questions across the three editions of the UK Business Data Survey (202168, 202269 and 202470). While the estimate for the proportion of businesses who analyse data to generate insights or 66 DSIT: UK Business Data Survey 67 We assume that 1 EUR = £0.85 which is the 2024 Q2 European Central Bank average 68 DSIT: UK Business Data Survey, 2021 69 DSIT: UK Business Data Survey, 2022 70 DSIT: UK Business Data Survey, 2024 74 knowledge was calculated using an average between the 2021 and 2024 releases, as the question was not asked in 2022. 121. The modelling assumes full compliance with legislation, both pre-and post We have updated the impact assessment with all the relevant material as of autumn 2024 implementation. Over or under compliance can occur as a result of complexity of legislation. While this is not accounted for in our modelling, we acknowledge that this could, in theory, impact the compliance cost savings to a business. For example, if a business is currently non-compliant either will experience no impact as a result of the changes, or an increase the costs for that business if they become compliance as a result of clarification of the requirements. Similarly, a business that is over compliant, could continue to do so after the changes and not see a reduction in compliance costs. Table 12: A list of all compliance activities and their estimated cost Activity Description Annual cost per activity per business (£) Seeking legal advice Businesses often require external legal advice in order to maintain their compliance with regulation. This includes advice on how and whether data can be used. (Excludes the cost of establishing a legal basis for data processing) £1,278/year cost of legal advice (equivalent to 4 hours of a legal professional and 2 hours of a clerical worker)71 Acquiring consent to store or access information There is a prohibition on businesses storing information, or accessing information, on a user’s connected device unless they obtain the user’s consent or they can rely on two further exceptions. They often fulfil this requirement by having ‘opt-in’ functionality on their website £80.54 cost per business per year to run opt-in72 Preparing Data Protection Impact Assessments (DPIAs) DPIAs must be completed by businesses where data processing is likely to result in a high risk to individuals. They describe the nature and scope of processing, identify the risks to individuals of processing and ways to mitigate those risks. DSIT confirmed that under each of the measures a DPIA would still be required £1,278/year cost of legal advice (equivalent to 4 hours of a legal professional and 2 hours of a clerical worker)73 Other internal compliance activities Other internal compliance activities not listed above include, but are not limited to, notifying the authorities of processing of data which might represent specific risks to individuals, and responding to consumer questions about how the business is following data protection principles Annual wages for DPO (medium and large enterprises): £50,000 for medium and large enterprises; annual labour costs for DPO- type functions: £900 for small and micro enterprises74 71 Proposal for an EU Data Protection Regulation, Ministry of Justice, (2012) 72The EC evaluation of Directive 2002/58 conducted by Deloitte estimated that technical implementation of the opt-in / opt-out solution on a businesses website costs 75 EUR, once uplifted to 2024 prices and converted to GBP, this figure is £80.54 73 Proposal for an EU Data Protection Regulation, Ministry of Justice, (2012) 74 Data Protection Officer Salaries - Glassdoor (2021) 75 Activity Description Annual cost per activity per business (£) Direct marking for charities Charities save in legal costs in understanding regulation when they use data to gain donations On average £946/year 122. We have updated these activities to reflect the fact that ‘establishing a legal basis for data processing’ forms part of ‘seeking legal advice’. As a result, our estimation for the total annual cost of compliance saved by firms can be seen in the table below split by reform. Table 13: Estimated compliance cost savings by reform, 2024 prices Reform Average Annual Compliance Costs (£million) Low Scenario Average Annual Compliance Costs (£million) Medium scenario Average Annual Compliance Costs (£million) High scenario Legitimate Interests 0.4 2.5 6.5 AI and Machine Learning 0.7 7 19.4 Research Purposes 1.1 4.7 10.7 Privacy and electronic communications 8.6 17.1 25.7 Direct marketing for charities 0.1 0.5 1.3 Total 10.9 31.8 62.3 123. These results can be broken down by reform and compliance activity. For example, the table below sets out the estimated annual compliance cost saving from creating a limited non- exhaustive list of legitimate interests for which businesses can use personal data without applying the balancing test. We also estimate the savings for businesses by clarifying that activities, such as direct marketing or ensuring network and information security, fall into the scope of the legitimate interest basis for processing personal data. We estimate these reforms to result in a total cost saving for businesses of between £0.4 and £6.5 million and the central estimate is presented in the table below. 76 Table 14: Breakdown of compliance cost saving calculations as a result of creating a limited non- exhaustive list of legitimate interests, 2024 prices Compliance Activity Number of organisations potentially impacted Proportion of these organisations actually affected Baseline Cost Percentage change in compliance cost resulting from measure Estimate d effect (£m per year on average) Effect on legal advice costs 1.0 million businesses that use data to generate new insights or knowledge75 On average 41% of the organisations that have sought legal advice on GDPR/DPA20 18 use data to improve marketing or sales performance76 and 6% have sought legal advice in the last year to comply with UK data protection77 £37.9 million annual costs of legal advice for these organisations 6.3%: assuming that 25% of legal advice costs are related to issues clarified by this measure78, and that for those issues the cost of legal advice will fall by 25% as a result of the measure79 2.4 Reduction in customer complaints about data use relating to non- permissible uses of data Number of customer complaints: 2,976, according to ICO - data on number of complaints to ICO on how data is being used/collected Not applicable Cost of responding to legal complaints: £91381 6.3%: assuming that 25% of all data uses are affected and there is a 25% reduction in complaints as a result of the measure82 0.2 75 DSIT: UK Business Data Survey, 2024 76 UK Business Data Survey, 2024 77 DSIT: UK Business Data Survey, 2024 78 This is an assumption made in the model. As there is currently a lack of evidence available of the true number of issues this is something that is tested in the sensitivity analysis section and a proposal of how this will be measured going forward will be included in the Monitoring and Evaluation plan. 79In the model we assume that clarification can reduce costs in around 25% of cases where legal advice would have been sought. As this is an assumption we test this in the sensitivity analysis section and propose a way of monitoring this in the M&E plan. 81 Average cost of each ICO investigation (2016/17), uplifted to 2024 prices 82We assume that 25% of data uses will be affected by this measure and that the measure will impact 25% of these. We understand that this measure will not eliminate all of the complaints under the categories listed above. Businesses are less likely to do things that break the law and if the guidance is clearer, but we assume this will be minimal based upon consultation responses. We test this assumption in the sensitivity analysis section. 77 Compliance Activity Number of organisations potentially impacted Proportion of these organisations actually affected Baseline Cost Percentage change in compliance cost resulting from measure Estimate d effect (£m per year on average) 80 Total annual reduction in compliance costs (£million): 2.5 124. The table below shows the average annual decrease in compliance costs from all of the AI and machine learning reforms in the Act. We estimate these savings to be approximately between £0.7 million and £19.4 million a year. 125. By including the additional reform that clarifies that profiling is only subject to the safeguards associated with solely automated decision-making when significant decisions are taken about an individual on its basis without meaningful human involvement, firms that use data for AI- driven ADM will have more clarity on the use of data for profiling activities within solely automated decision-making processes. This clarification will reassure firms that may currently be unsure about using data for this purpose and that spend money and time seeking legal advice on the matter. This increase in confidence could therefore lead to a decrease in costs of compliance and employing legal assistance. We assume that there will be a 20% further reduction in the legal advice requested because of the additional measure. Evidence is limited to suggest the exact percentage however we have remained conservative in our estimates as we acknowledge this is not the only reason why these firms would seek legal advice. Because of this the assumption is tested using sensitivity analysis. 126. Assuming that approximately 835,000 businesses use personal data with AI and 13% of these do not find regulatory guidance published by the ICO guidance clear83 applying the assumption above we estimate that this additional reform could lead to an increase in compliance cost savings of £6.9 million a year. Table 15: Breakdown of compliance cost saving calculations as a result of AI and Machine learning measures, 2024 prices Compliance Activity Number of organisations potentially impacted Proportion of these organisations affected Baseline Cost Percentage change in compliance cost resulting from measure Estimated effect (£m per year on average) Effect on legal advice costs 834,722 businesses that use personal data and use AI 13%: organisations that don’t find ICO regulatory guidance clear and easy to £139 m annual costs of legal advice 5%: assuming that 20% of legal advice costs for affected organisations are related to processing personal data to 6.9 80 ICO Complaints and concerns data sets 83 DSIT: UK Business Data Survey, 2024 78 Compliance Activity Number of organisations potentially impacted Proportion of these organisations affected Baseline Cost Percentage change in compliance cost resulting from measure Estimated effect (£m per year on average) understand84 improve accuracy of AI systems, and that 25% of legal costs in these cases could be saved as a result of the measure85 Reduction in customer complaints about data use Number of customer complaints: 2,976, according to ICO - data on number of complaints to ICO on how data is being used/collected 86 8% of organisations associated with research purposes Cost of responding to legal complaints: £91387 6.3%: assuming that 25% of all data uses are affected and there is a 25% reduction in complaints as a result of the measure88 <0.1 Total annual reduction in compliance costs (£million): 7.0 127. The table below shows the average annual decrease in compliance costs resulting from simplifying the use of personal data for research purposes. This includes amending existing legislation to support responsible research activity using personal data as well as extending the exemptions by incorporating ‘research in a commercial setting’ into the definition of research purposes for data protection legislation. 128. Businesses will benefit from the improved legal certainty of definitions. As a result, we predict a reduction in the need for businesses to seek legal advice and a reduction in the number of customer complaints about the use of personal data for commercial research purposes. 84 DSIT: UK Business Data Survey, 2024 Businesses that responded “Strongly disagree” and “tend to disagree” to the question “My business finds the regulatory guidance published by the ICO clear and easy to understand?” 85 We assume that AI is a smaller subset of use cases than with the legitimate interest measure hence 20% is applied. We understand that even with clearer guidance, some legal advice will still be required. The amount of time spent seeking legal advice is an assumption due to the current lack of data. Because of this we test these assumptions in the sensitivity analysis section and make plans for their measurement going forward. 86 ICO Complaints and concerns data sets 87 Average cost of each ICO investigation (2016/17), uplifted to 2024 prices 88 We assume that 25% of data uses will be affected by this measure and that the measure will impact 25% of these. We understand that this measure will not eliminate all of the complaints under the categories listed above. Businesses are less likely to do things that break the law and if the guidance is clearer, but we assume this will be minimal based upon consultation responses. We test this assumption in the sensitivity analysis section. 79 129. Using the 2024 UK Business Data Survey (UKBDS), we estimate that the number of businesses that use data to generate new insights or knowledge, employ someone who leads on R&D and have sought legal advice because of UK GDPR or the DPA 2018 in a year is approximately 42,000. 130. Assuming a constant cost of legal advice of £1,278 for these businesses we estimate that the total cost is approximately £53.1m a year. 131. Initially we assumed that policies designed to amend existing legislation to support responsible research activity using personal data, constitute 10% of the legal costs faced by these firms. By adding this additional reform that further clarifies the businesses that can rely on ‘research purposes’ we assume that an extra 25% of legal costs will be impacted. 132. The total savings are estimated to be approximately between £1.1 and £10.7million a year. Table 16: Breakdown of compliance cost saving calculations as a result of research purposes measures, 2024 prices Compliance Activity Number of organisations potentially impacted Proportion of these organisations actually affected Baseline Cost Percentage change in compliance cost resulting from measure Estimate d effect (£m per year on average) Effect on legal advice costs 41,572 8990 All businesses £53m annual cost of legal advice 9%: assuming that 35% of legal advice costs are related to issues clarified by this measure, and that for those issues the cost of legal advice will fall by 25% as a result of the measure91 4.7 Reduction in customer complaints about data use Number of customer complaints: 2,976, according to ICO - data on number of complaints to ICO on how data is being 3.7% of organisations associated with research purposes Cost of responding to legal complaints: £91393 6.3%: assuming that 25% of all data uses are affected and there is a 25% reduction in complaints as a result of the measure94 <0.1 89 DSIT: UK Business Data Survey, 2021 and 2024 90 DSIT: UK Business Data Survey, 2021 and 2024 91 We assume that Research purposes are a smaller subset of use cases than with the legitimate interest measure hence only 10% is applied. We understand that even with clearer guidance, some legal advice will still be required. The amount of time spent seeking legal advice is an assumption due to the current lack of data. Because of this we test these assumptions in the sensitivity analysis section and make plans for their measurement going forward. 93 Average cost of each ICO investigation (2016/17), uplifted to 2024 prices 94 We assume that 25% of data uses will be affected by this measure and that the measure will impact 25% of these. We understand that this measure will not eliminate all of the complaints under the categories listed above. Businesses are less likely to do things 80 Compliance Activity Number of organisations potentially impacted Proportion of these organisations actually affected Baseline Cost Percentage change in compliance cost resulting from measure Estimate d effect (£m per year on average) used/collected92 Total annual reduction in compliance costs (£million): 4.7 133. Allowing organisations to use cookies or similar technologies by introducing the new low-risk processing exceptions could achieve between £8.6 million and £25.7 million cost savings on average each year. Table 17: Breakdown of compliance cost saving calculations as a result of PEC Regulations measures, 2024 prices Compliance Activity Number of organisations potentially impacted Proportion of these organisation s actually affected Baseline Cost Percentage change in compliance cost resulting from measure Estimated effect (£m per year on average) Obtaining opt- in consent 708,027 organisations that collect personal data through website analytics 95 All businesses £57 m 30% of businesses will no longer offer opt-in consent96 17.1 Total annual reduction in compliance costs (£million): 17.1 134. The estimated figures above rely on many modelling assumptions as a result of the level of evidence available being restrictive at this time. We go on to test these assumptions in our sensitivity analysis section later on in this report. By modelling a low and high scenario where we flex these assumptions, we estimate that the total compliance cost saved will fall between £10.7 and £62.3. 135. The DUA Bill compliance cost model estimates the direct marketing measure could lead to some compliance cost saving of circa £0.5million per annum from creating an exception for which charities can use personal data without applying the balancing test. This will save that break the law and if the guidance is clearer, but we assume this will be minimal based upon consultation responses. We test this assumption in the sensitivity analysis section. 92 ICO Complaints and concerns data sets 95 DSIT: UK Business Data Survey, 2024 96 Businesses that will no longer need to offer opt in/out: 30% of business will no longer need to offer opt-in/out services. The EC evaluation of Directive 2002/58 conducted by Deloitte found that, of the websites that use cookies, 70% use tracking cookies whilst 30% do not use tracking cookies. We have therefore assumed that the portion of businesses that do not use tracking cookies will benefit from this measure.