The Data (Use and Access) Act receives Royal Assent, bringing change to the UK’s data protection regime

On 19 June 2025, the UK’s Data (Use and Access) Act 2025 (the “DUA Act”) received Royal Assent.

This new legislation updates the UK’s current data protection regime, which comprises the UK General Data Protection Regulation (the “UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (the “PECR”). The DUA Act will come into force in phases, expected to commence at two, six and twelve months after Royal Assent, giving you time to implement the necessary data protection related changes in your organisation.

What does the DUA Act change and how does it impact organisations?

New ‘recognised legitimate interests’ lawful basis: when you use personal data for legitimate interests, you need to balance the impact on the people whose personal data you use, against the benefits arising from that use – this is commonly done by way of a legitimate interest assessment (“LIA”). However, the DUA Act now includes a list of recognised legitimate interests which means for such interests you don’t need to complete an LIA. This list will be in Schedule 4 to the DUA Act which inserts a new annex to the UK GDPR and includes interests such as:

  1. Sharing personal data if a public authority confirms it’s needed for their public task
  2. Using personal data to safeguard national security, public security, or defence
  3. Using personal data to respond to emergencies under the Civil Contingencies Act 2004
  4. Using personal data to detect, investigate, prevent crime, or prosecute offenders
  5. Using personal data to protect vulnerable individuals from physical, mental and emotional harm or neglect and support their well-being

A new ‘assumption of compatibility’: under the purpose limitation principle, if you re-use personal data you have already collected for a different purpose, you must ensure the new purpose is compatible with the purpose you initially collected it for. However, the DUA Act now includes a list of reuses of personal data that are assumed compatible with the original purpose. This list will be in Schedule 5 to the DUA Act which inserts a new annex to the UK GDPR. You can reuse previously consented personal data for a new purpose if necessary for one of the reasons below, but only if it’s not reasonable to obtain fresh consent, such as using personal data to:

  1. assess or collect taxes or duties; or
  2. comply with legal requirements.

‘Soft opt in’ for charities: if you’re a charity, it allows you to send electronic mail and SMS marketing to people whose personal data you collect when they support, or offer support or express an interest in, your work – providing you offered them a chance to opt out when you collected their personal data and you provide them with a chance to opt out in every electronic communication thereafter.

New cookie exemptions: the DUA Act allows you to set some types of cookies without having to get consent. Currently, you must get consent for all non-strictly necessary cookies. The list of exemptions will be in Schedule 12 to the DUA Act which inserts a new schedule to PECR, so you won’t need consent where the cookie or similar technology is for:

  1. the sole purpose of carrying out transmission of a communication over an electronic communications network;
  2. the non-exhaustive examples of strictly necessary purposes listed in the schedule, including security, fraud prevention, fault detection and authentication;
  3. the sole purpose of enabling a service provider to collect information for statistical purposes about how their online service is used;
  4. the sole purpose of enabling a service to adapt its appearance or functions in accordance with someone’s preferences; and
  5. the sole purpose of working out the subscriber or user’s geographical location when they request emergency assistance.

Reasonable and proportionate searches under data subject access requests (DSARs): it makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal data.

Complaints: individuals have certain rights such as the right to be informed, and the rights to access, object to, erase, restrict and rectify their personal data. The DUA Act introduces a right for people to complain to organisations and competent authorities if they think that they’ve used their personal information in a way that doesn’t comply with the law. This is similar to the complaints procedure for Freedom of Information requests (FOIR). It places an obligation on organisations and competent authorities to:

  1. help people to make complaints, requiring them to take steps such as providing an electronic complaints form; and
  2. acknowledge complaints within 30 days and advise the complainant of the outcome without undue delay.

They must also take appropriate steps in the meantime, such as making enquiries into the subject matter of the complaint and keeping the complainant informed about progress.

Using personal data for scientific research: the DUA Act makes it clearer when you can use personal data for the purposes of scientific research, including commercial scientific research. It makes the following clarifications:

  1. People can give “broad consent” to an “area of scientific research” rather than “specific” consent – as long as: the exact purpose was unknown at the time of consent, the consent aligns with recognised ethical standards for the research area, and individuals are given the option to consent to only part of the processing.
  2. You can re-use people’s personal data for scientific research without giving them a privacy notice, if that would involve a disproportionate effort, so long as you protect their rights in other ways and still explain what you’re doing by publishing the notice on your website.

Automated decision making – personal data: previously, decisions based solely on automated processing of personal data were restricted unless they were necessary for a contract between you and the individual, permitted by UK law or done with consent from the individual. Now, the DUA Act removes this restriction and allows an organisation to make solely automated decisions in a wider range of situations as long as it has appropriate safeguards in place – such safeguards include:

  1. providing the individual with information about the decision;
  2. allowing that person to make representations about the decision;
  3. enabling that person to obtain human intervention about the decision; and
  4. enabling that person to contest the decision.

There is no change to the restrictions around decisions based solely on automated processing of special categories of personal data – they are still restricted unless you have consent from the individual or the processing is necessary for reasons of substantial public interest under the Data Protection Act 2018.

International transfers: various changes have been made to help make transferring personal data internationally easier. For example:

  1. The protection standard for transferring data now requires that it “is not materially lower” than UK GDPR and Data Protection Act 2018 standards (previously, it required that “the protection of natural persons guaranteed by the UK GDPR is not undermined”). This is referred to as the data protection test.
  2. Schedule 7 of the DUA Act formalises the requirement for an organisation to do a transfer risk assessment for transfers subject to appropriate safeguards (such as standard contractual clauses). It does this by saying that an organisation must meet the data protection test “reasonably and proportionately”.

There are some operational and terminology changes such as: adequacy decisions are now called “transfers approved by regulations”, with the Secretary of State required to consider specific factors for the data protection test, implement ongoing monitoring instead of a four-year review period, gain new powers to recognise and introduce other transfer mechanisms, and make minor adjustments and restructuring to existing transfer requirements.

PECR breaches and enforcement: there are changes to the rules under PECR, including:

  1. extending the time period within which communications providers need to inform the ICO of a personal data breach from “without undue delay or within 24 hours” to “without undue delay and where feasible, not later than 72 hours after having become aware of it”, aligning it with the UK GDPR requirement to report a personal data breach;
  2. removing the requirement to establish that a contravention under PECR has caused substantial damage and distress; and
  3. allowing the ICO to impose monetary penalties up to a maximum of £17.5m for certain failures to comply, aligning it with the UK GDPR monetary penalty cap.

Changes to the ICO: there are multiple changes around the structure and powers of the UK’s data protection regulator, the Information Commissioner’s Office, such as:

  1. The ICO can compel individuals working for or on behalf of organisations to attend interviews and answer questions if there is suspected non-compliance or an offence under data protection law.
  2. An extension to the time for the ICO to issue penalty notices after a notice of intent from six months to six months or as soon as reasonably practicable.

Are there any new compliance requirements you have to meet?

Yes:

  1. If you provide an online service that is likely to be used by children, the DUA Act explicitly requires you to take their needs into account when you decide how to use their personal information. You should already satisfy this requirement if you conform to the ICO’s Age Appropriate Design Code.
  2. If you don’t already do so, the DUA Act requires you to take steps to help people who want to make complaints about how you use their personal data, such as providing an electronic complaints form. You must acknowledge complaints within 30 days and respond to them ‘without undue delay’.

Next steps

  1. Familiarise yourself with the changes that the DUA Act makes to data protection laws.
  2. Map out how the DUA Act can make your organisation’s compliance with data protection laws easier – such as “should do” and “must do” lists.
  3. Introduce a complaints escalation mechanism to allow individuals to complain to your organisation if they feel that the organisation has not complied with data protection laws.
  4. Implement a data protection compliance programme accordingly.

If you would like more information, please feel free to reach out to one of our dedicated data protection lawyers, or if you would like to keep up to date on the latest in data protection, please subscribe to our quarterly newsletter, The Data Download.

Harbottle & Lewis advises on the sale of performance-io to private equity firm Apiary Capital

We have advised the sellers of performance-io, a leading life sciences performance marketing, SEO and GEO agency, on its sale to private equity firm, Apiary Capital.

Founded to deliver cutting-edge performance marketing solutions, performance-io has established itself as a key player in the industry, working with clients to enhance their marketing strategies through data-driven insights and expertise. Headquartered in London, the business now operates globally with teams in the UK, US, India, Japan and South Africa.

Founder and CEO Matt Lowe and his senior management team will remain with the business, focusing on driving performance-io’s further growth and development.

Our team was led by partner Ed Lane, with support from senior associate Alex Gays, and associates Elizabeth Compton and David Jones. Co-managing partner Tony Littner provided strategic support throughout, with partner David Scott advising on corporate tax matters. Partner Yvonne Gallagher and associate Harry Wade also advised on employment matters.

On working with Harbottle & Lewis, Matt Lowe commented: “I’d not worked with lawyers on a PE backed deal before, and frankly the mood music about the experience wasn’t great. However, the experience with Harbottle and Lewis was. From the first meeting with Tony and Ed, through to working with the broader team through some complex curve balls, we had a superb experience; working in a collaborative manner, learning loads and always with a calming, assured temperament. I can’t recommend H&L enough.”

Ed Lane added: “We are delighted to have supported Matt and his team on this milestone, and we look forward to seeing performance-io’s continued success in its partnership with Apiary Capital.”

Harbottle & Lewis launches dedicated hub for startups

We are pleased to introduce The Vault, our startup portal designed specifically for founders and emerging companies.

The Vault offers a range of resources, carefully crafted to support startups. Understanding the financial constraints and resource limitations that many startups encounter, a core element of The Vault is the document hub. This offers a suite of template documents for founders, available for free download.

Commenting on The Vault, Tom Macleod, partner and co-head of the venture capital and emerging companies practice, said: “We are delighted to introduce The Vault. We understand the unique challenges faced by early stage founders; The Vault is designed to provide accessible resources and practical insights that can make a real difference to their journey.”


For further information contact us at: info@harbottle.com

The UK’s Data (Use and Access) Bill passes as Lords concede on a push for AI transparency to protect creative industries

On 11 June, the House of Lords debated amendments to the Data (Use and Access) Bill (the Bill). This marked the culmination of an extensive “ping-pong” process between the House of Lords and the House of Commons regarding the protections for copyright holders in the context of artificial intelligence (AI).

What was the debate about?

  • The Government’s commitment to protecting copyright holders remains but it argues it cannot act prematurely without completing consultations on the issue. Emphasising the importance of transparency, enforcement and remuneration, it insisted on following due process, which includes analysing over 11,500 consultation responses and establishing technical and parliamentary working groups.
  • Several Lords, including Baroness Kidron and Lord Berkeley of Knighton, expressed frustration at the Government’s inaction. They argued that immediate transparency measures are needed to protect copyright holders from exploitation by AI companies. The creative sector fears that AI systems are using copyrighted works without consent or compensation, which could undermine the livelihoods of artists, writers, musicians and others.

What happened?

In an effort to ensure transparency and incentivise AI developers to comply with copyright law, Lord Berkeley of Knighton introduced a new amendment to the Bill requiring AI developers to disclose which copyrighted works they use for training and how they access them, unless a licence has been agreed with rights holders.

Lord Berkeley ultimately withdrew his amendment, citing a desire to maintain the dignity of the House and avoid further unnecessary divisions. However, he and others urged the Government to take the concerns of the creative industries seriously and act swiftly to address them.

What will happen next?

The Bill now awaits Royal Assent and, once in force, it will reform elements of the UK GDPR and the Privacy and Electronic Communications Regulations – from introducing a list of recognised legitimate interests to adding new exceptions to the consent requirements for cookies and similar technologies.

It should be noted that while the UK’s adequacy decision from the EU, which allows the free flow of personal data transfers, has been extended to 27 December 2025, the Bill does introduce changes to the UK GDPR which ultimately lead to a departure from the EU GDPR. As such, we wait eagerly to see whether the EU decides that the UK’s data protection regime will continue to offer materially equivalent protections, in order to maintain the free flow of transfers between the UK and the EU.


Shireen Peermohamed awarded three individual rankings by IP Stars

Partner and head of our intellectual property group Shireen Peermohamed has been recognised by IP Stars in three categories in its latest rankings, including its global list of the top 250 women in IP for 2025.

Shireen has been given the following rankings:

  • Top 250 women in IP 2025
  • Trade mark star 2025
  • Transactions star 2025

IP Stars, part of the Managing IP media group, is a specialist guide covering legal practitioners who deal with contentious and non-contentious intellectual property issues. Its rankings assess and rank law firms and practitioners globally in a range of IP practice areas. Its list of top 250 women in IP recognises senior IP practitioners from more than 50 jurisdictions across the world, who consistently go above and beyond for their clients and firms.

This recognition follows the firm’s and Shireen’s recently awarded ‘Recommended’ status by WIPR.


Protecting business assets on divorce: article published in Tatler Address Book

An article authored by managing associate Emily Miles and senior associate Emma Williams on how to protect business assets during a divorce has been published in Tatler Address Book’s Experts’ Corner.

A divorce can pose a significant risk to the stability of even the most robust owner-managed business, especially if critical safeguarding measures have not been taken. The article explores common business scenarios that may be impacted by a divorce, including where there are joint business owners, family businesses and early-stage startups, and sets out some practical suggestions of steps that can be taken to protect business assets in these circumstances.


Reel trouble: the ICO reprimands Greater Manchester Police for CCTV failings

On 29 May 2025 the ICO reprimanded Greater Manchester Police (GMP) for failures in handling sensitive CCTV footage of a custody detainee, exposing gaps in data protection practices. The case highlights outdated policies, inadequate training, and procedural failings that led to missing footage.

Background

The data subject was held in custody at Pendleton Police Station for 48 hours in February 2021, during which CCTV was in operation. GMP became aware of serious allegations made against officers via local media and requested that Pendleton Police Station retain the personal data of the data subject. This was beyond the documented period of 90 days; the procedures in place at the time allowed for retention for a period of up to six years.

During the process of retaining the personal data, the personal data was quality checked to ensure its security. GMP had received multiple Data Subject Access Requests (DSARs) from the individual concerned. When GMP was able to comply with the request to release the footage captured, it was then quality checked.

Following a technical issue, where one of the discs containing some of the data would not initially play, it was established on 19 May 2022 that two hours of footage were missing from the personal data set originally retained in 2021.

On 23 August 2023, GMP stated that, despite all attempts, it was unable to recover the missing two hours of footage. This led GMP to self-report a personal data breach to the ICO on 5 September 2023.

Findings

Following the assessment of information provided by both the Independent Office for Police Conduct and GMP, who were conducting separate investigations with a different scope, the ICO identified two main failures leading to this lack of a quality check:

  • A misunderstanding at the time between staff, each believing that the other had conducted a quality check
  • A lack of any policies or guidelines at the time within GMP, identifying that quality checks were required, coupled with a lack of appointed responsibility for this task

Therefore, the ICO considers that the GMP failed to take the following actions:

  1. Provide the data subject with their personal data without undue delay and by the end of the applicable period of one month. This is because following the expiry of any exemptions in place to the right of access, GMP was not able to release all applicable personal data to the individual within the timeframe or to date. GMP did not provide the ICO with any evidence that it notified the data subject of any such extension.
  2. Ensure that the appropriate technical or organisational measures were in place to protect against the accidental loss of the CCTV data it was processing in 2021. The ICO considers that, had GMP had an appropriate standard operating procedure (SOP) in place, with clearly defined and delegated responsibilities for quality checking any backed-up personal data, the risk of this breach would have been mitigated. GMP failed to deploy an adequate SOP, designed to encompass the processing and retention of personal data beyond 90 days. The operating procedure that was in place had been developed in 2017 and had not been reviewed or amended since that time. In line with good practice, SOPs should be reviewed and updated, if necessary, once every 12 months.
  3. Conduct a data protection impact assessment (DPIA) in relation to their CCTV systems. A DPIA should have been conducted in compliance with section 64 of DPA 2018. A DPIA would have crucially assisted GMP in identifying shortfalls in their technical and organisational measures at the time.
  4. Provide the GMP’s custody officer with data protection training despite having a data protection training regime in place, which was supposed to have provided all staff members with data protection training during induction periods.

There were issues with the CCTV system itself such as:

  • The CCTV system, in operation at the time, was only able to download captured footage for retention in half-hour or one-hour segments. This placed GMP staff at substantial risk of human error.
  • The CCTV system did not save the half-hour/one-hour segments in chronological order, resulting in it being difficult to identify if all required footage had been captured.
  • The CCTV system did not have any inbuilt alerts, identifying any errors that may have occurred during the back-up process.

Mitigating and remedial steps taken by GMP

The ICO took into account the following:

  • GMP, at the time of the breach, had a requirement for a form of authorisation in place. This required the signed authorisation of an officer, ranked inspector or above, to allow the appropriate team access to the footage recorded on the server (held for 90 days before automatic overwrite).
  • Any footage retained was stored by GMP in sealed evidence bags at the time. This ensured there was no break in the evidence chain, during the period the footage was held by GMP and Pendleton Police Station.
  • GMP has undergone a proactive investment in their surveillance and security system infrastructure in 2023. This resulted in a significant upgrade to their system capabilities.
  • GMP has introduced a strictly regulated process to ensure that only authorised force personnel have access to the footage held within the CCTV server. Access is restricted to qualified officers within the criminal justice and custody branch of GMP.
  • GMP has informed the ICO of improvements to their security when managing DSARs from individuals. GMP advised that these requests are now administered centrally within their Information Access team. Where a DSAR is submitted, custody officers contact the relevant custody unit as soon as possible with urgent instructions as to how the footage is to be retained, so this is not overwritten. The footage is automatically uploaded to a dedicated local folder for DSARs. This location can only be accessed by authorised officers within the custody branch.
  • Auditing of footage has been vastly improved. This provides a comprehensive account of which officers have accessed the footage, copied it to disc or the location of the server, with date stamps.
  • GMP have already improved their SOP. The operating procedure has undergone a complete rewrite. GMP will ensure that this new procedure will be circulated moving forward across the force. GMP will ensure this procedure is now reviewed on an annual basis.

Action

Taking into account all the circumstances of this case, including the mitigating factors and remedial steps, the ICO decided to issue a reprimand to GMP. The ICO set out certain recommendations which do not form part of the reprimand and as such are not legally binding. Such recommendations include:

  • When formulating a replacement for the current processes, GMP should create an appropriate SOP, detailing how any retained personal data should be quality checked.
  • When developing the SOP, the roles and responsibilities for such checks should be clearly defined.
  • Under section 64 of the DPA 2018, GMP is required to have a DPIA in place for this processing. GMP should develop a DPIA for this processing without delay if they haven’t done so already.
  • GMP should deploy appropriate technical and administrative processes to monitor that all staff receive appropriate data protection training, which is refreshed at least every two years (recommended every year), in line with good practice. Staff should be trained and regularly refreshed on how to identify a personal data breach.
  • All breaches should be reported to GMP’s Information Access team/Data Protection Officer for assessment and documentation.
  • GMP should always keep a written record/assessment regarding their rationale not to inform the ICO of a breach.

Comment

While the ICO’s decision to reprimand, rather than fine, GMP reflects its Public Sector Approach – which avoids penalising taxpayer-funded organisations to prevent a “double hit” on victims and the public – this enforcement underscores the critical importance of protecting highly sensitive data, such as CCTV footage, where mishandling can lead not only to a data breach but a failure to respond to a data subject’s request. The key takeaway is to ensure measures are in place to comply with data protection laws in relation to CCTV such as access procedures, retention policies, security measures, staff training and data protection impact assessments.


Finalist for Best Legal Team for Early Stage Deals

In recognition of our work advising entrepreneurs, emerging companies and investors on the investment lifecycle, we have been selected as a finalist for the Best Legal Team for Early Stage Deals award at the UK Business Angels Association Angel Investment Awards 2025.

This award recognises the legal firms that have made a significant impact on the ecosystem during the past year, both through actively supporting angel and early-stage investment deals and bringing tangible value to the investment process.

The UKBAA Angel Investment Awards celebrate the high growth and success of the angel and early-stage investment market, recognising the fastest growing brands and acknowledging the founders, angels, crowd funders and early-stage venture capital investors behind them.

The winners will be announced at the awards ceremony taking place at The Brewery in London on Thursday 10 July.

Find out more about the awards and the other finalists here: https://awards.ukbaa.org.uk/.

Family team shortlisted at the Chambers High Net Worth Awards 2025

We have been shortlisted for the Family Law Team of the Year category at the Chambers High Net Worth Awards 2025.

These awards celebrate firms and teams who are at the top of their profession in key jurisdictions across Europe. They recognise achievements over the past 12 months including outstanding work and impressive strategic growth and are based on interviews and extensive research by over 250 analysts as part of the research for the recent edition of Chambers High Net Worth Guide.


Harbottle & Lewis and Shireen Peermohamed awarded recommended status by WIPR

We have been awarded ‘Recommended’ status by World IP Review (WIPR) in their UK trade mark rankings for the second year running. Shireen Peermohamed, partner and head of our intellectual property practice, has also been recognised as a ‘Recommended’ individual for non-contentious IP work.

These rankings recognise the leading law firms and practitioners in the UK’s trade mark landscape. They cover non-contentious work, including trade mark filing, prosecution, strategy, and portfolio management, and contentious work, encompassing trade mark litigation, dispute resolution and enforcement. Those ranked consist of a mix of traditional law firms, specialist IP boutiques and attorney firms.
