Have you heard of the ‘Data Use (and Access) Bill’?
At the time of writing, the draft Data Use (and Access) Bill is progressing through the House of Commons. We explore how this might impact not for profit organisations, including charities, and outline some of the key trends in enforcement action issued in 2024 by the Information Commissioner’s Office (ICO), focusing on what this means for the Not for Profit sector.
What is the Draft Data Use (and Access) Bill?
Introduced in October 2024, the draft Data Use (and Access) Bill (‘the Bill’) is the Labour Government’s take on modernising the UK’s data protection framework, following its failed predecessor, the Data Protection and Digital Information Bill. The Bill started in the House of Lords and in mid-March 2025 was pushed through the Committee Stage in the House of Commons, meaning that it could achieve Royal Assent as soon as April 2025.
The intention of the Bill is threefold:
- To harness the power of data to grow the economy;
- To improve public services and to enable and support modern digital government; and
- To make peoples' lives easier.
But what does this mean for the Not for Profit sector?
Broadly, the draft Data Use (and Access) Bill does not propose to derogate too much from the existing requirements of the UK GDPR, due to the potential impact on the UK’s data protection adequacy status (awarded by the European Commission). Organisations in the Not for Profit sector should, therefore, be aware that if they are broadly compliant with the current requirements of the UK GDPR, only minor tweaks will be required to comply with the proposed bill, when it receives Royal Assent.
Good news for charities?
In January 2025, a new clause was inserted into the draft bill allowing charities to send marketing emails and text messages to existing supporters, in the same way that profit-making organisations can. Currently, under the Privacy and Electronic Communications Regulation (PECR), an organisation cannot send an unsolicited direct electronic marketing communication to an individual without their consent, unless the sender collected the individual’s contact details in the course of the sale, or negotiations for the sale, of a product or service – in which case, direct marketing can be sent, as long as an opt-out is offered and the direct marketing relates to similar products and services.
Because the exception applies in the context of a "sale" of products or services, charities, whose core business doesn't involve selling, historically haven’t been able to take advantage of this. However, further to input from Lord Vallance, Minister of State for Science, Research and Innovation, the Data Use (and Access) Bill will extend the exception where the marketing is by a charity and where "the sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes."
It is worth noting, however, that the amendment is limited to charities, so doesn't extend to other not for profit organisations.
Recent enforcement action: what are the trends?
The ICO issued a total of 50 separate enforcement actions during 2024, including in the Not for Profit Sector. ICO enforcement action is publicly available and can attract adverse media attention. Not for Profit organisations should therefore be aware of the reputational impact of enforcement action and the potential impact that this could have on future funding streams.
We completed some analysis and noted that the three most common reasons for enforcement action were:
- infringements related to marketing, particularly for organisations which were sending unsolicited direct marketing content to individuals, without their consent (38%)
- data breach infringements (security of personal data, data disclosed to unauthorised individuals and the use of ‘cc’ rather than ‘bcc’ etc.) (28%)
- managing data subject rights requests, specifically for not managing such requests within prescribed timescales (12%).
What does it tell us?
Firstly, it tells us of the ICO’s continued focus on direct marketing, especially where this borders on nuisance calls affecting potentially vulnerable individuals. Don’t forget that individuals have the right to lodge a complaint directly with the ICO. On a monthly basis, the ICO publishes statistics on nuisance call trends reported by complainants (by sector, 210 of which related to nuisance calls in the charity sector), which highlights that the ICO is monitoring direct complaints, and potentially using this to inform enforcement action.
It also tells us of the need for regular employee training, clearly defined processes and sufficient time and resource to manage data subject rights requests and data breaches within defined timescales. Given the increased regulatory focus on these areas, we recommend Not for Profit organisations review existing processes sooner rather than later to ensure compliance.
Let us help you navigate data protection at your not-for-profit organisation
Understanding data protection compliance in a changing regulatory landscape can be complicated and time-consuming for any organisation, let alone not for profits, which don’t often have the budget or an individual dedicated solely to data protection. When you’re also responsible for finance, IT, HR etc., you could be forgiven for not realising things are changing again. Except, the ICO may not share this view. For further information regarding how to navigate the changes being introduced in the Bill, or if you have any questions relating to data protection within your organisation, please reach out to Christopher Beveridge, Managing Director, Privacy and Data Protection, or Louise Sadler, Senior Manager, Privacy and Data Protection.