Posted on: 22nd July 2025, by Tracey Wright
Data – it’s a word we hear constantly in our modern lives, and this year in particular it feels like we have talked about little else, what with all the work we are doing to try and establish simpler data sharing for the purposes of combatting fraud and scams.
However, the passing of a new bit of legislation – the Data (Use and Access) Bill 2025 – has brought on a slight sense of déjà vu to 2018 when GDPR caused widespread consternation. All these years later you still hear conflicting advice and painful stories about how GDPR has or has not complicated doing business. The concerns around privacy and protecting our citizens have always made this a tricky area to navigate.
Data protection rules are, of course, very important and one of the intentions of this new bill is to reform existing Data Protection and GDPR laws to make them simpler, at the same time as enabling more flexible use of data to match the modern data-driven world we live in and help support business opportunities that will contribute growth to the economy.
An extremely tricky balance without doubt and one that has taken its time to pass through the various stages to reach royal assent this year.
What did we learn from GDPR?
For a fairly straightforward business like ours, compliance is fairly simple, if not easy! The principles are to only obtain data you really need, and only keep it as long as you really need it. If you have collected data, you must store it securely and only share it for very good reasons.
However, it’s not always that black and white, particularly when it comes to demonstrating what you need to obtain and keep and what you need to share. This can be quite subjective and that’s why many a consultant created a career out of guiding companies through compliance.
Each time you want to share personal data you must be sure that it meets the legitimate interest test.¹ The test is three-fold:
- There must be a legitimate interest (e.g. commercial, individual or societal)
- The processing must be necessary (i.e. if you could achieve the same result without sharing data, you must)
- You must balance your interest against individuals’ interests (i.e. if it would cause harm, their interest is likely to override yours)
Fear of getting this wrong is a common concern we hear in relation to data sharing across the telecoms sector. Not only are there some potentially hefty fines, the risk to all of our personal data is critical too.
How does the new bill help?
The Data (Use and Access) Bill introduces ‘Recognised Legitimate Interest’ (RLI). This is essentially a list of scenarios in which it is automatically considered acceptable to share data; these are things such as issues of public safety or preventing crime.
There are of course still some protections: you have to be able to show it is justified to share data and you cannot share ‘sensitive’ information (e.g. biometrics or health data) even in these situations. And of course, everything must be done transparently too.
This is just one example of where the intention is to make it simpler to use and share data. Another example is support for ‘smart data’ schemes, similar to open banking, enabling consumers to securely share data with third parties to gain price and service comparisons and similar.
What are the concerns about the new Bill?
As I said at the start, with greater flexibility and lower barriers to use comes the balancing act with protecting human rights of privacy and freedoms. The Bill introduces a new flexibility for the Secretary of State to add more RLI scenarios with limited parliamentary oversight, which campaigners are very concerned about. There is also already an RLI for ‘democratic engagement’ meaning politicians have access to some data for campaigning.
Another key concern is that the EU may decide our rules are no longer stringent enough and could remove the adequacy decision. The adequacy decision has enabled UK businesses to continue exchanging and storing data since Brexit with minimal change; if this is withdrawn it will undoubtedly result in a greater burden on UK companies to comply with EU laws on data storage and sharing.
What do the new rules mean specifically for our sector?
The key areas that we think all of our clients should be aware of are as follows:
The National Underground Asset Register (NUAR)
Despite a voluntary scheme being in place for a while, lack of input means it’s become necessary to mandate updates to the NUAR. The availability of this data is expected to result in massive savings in terms of reduced infrastructure damage and safer working.
Smart data
The legislation sets out a regulatory framework to enable data sharing to provide new and better services. Similar to open banking, consumers will be able to authorise the sharing of their data for price comparisons and similar.
Information Commissioner’s Office (ICO)
The ICO is to be modernised as a result of the DUAA with a new structure to encourage independence and accountability. They have also been given new powers and new reporting requirements as well as a clear remit to consider innovation alongside crime prevention and national security.
Clearer guidance is expected later this year to reduce ambiguity around lawful data sharing.
Digital Identity Framework
A trust framework for providers of Digital ID services is now codified in law. These services give citizens the choice to use such a service, but they are not required to do so.
This is an entire topic worthy of separate discussion and more about the plans can easily be found on the government website.² However, as many people are already using digital ID to simplify their personal admin, we think it realistic to imagine a time when such a scheme will help us with our due diligence process when onboarding new customers in the telecoms space.
Smart Data Schemes
The Act opens the path for sector-specific schemes to allow secure sharing of customer data with authorised third parties. This will open up a number of schemes such as price comparison services and service switching.
Summary
With calls from across our sector, and others, to improve data sharing in order to detect and prevent fraud, we have to assume this new legislation is a step in the right direction. With this, combined with clearer new guidance expected from the ICO, we anticipate more comms providers being willing to share and act upon information shared by banks, other providers and law enforcement.
Another step in the right direction is around identities. Whether you are a supporter of Digital IDs or not, having some way of verifying an individual is who they claim to be has to be a solid starting point for eliminating criminals from our networks.
Having attended a number of meetings recently involving government, law enforcement, telco companies and other sectors – it is very clear that we are all highly motivated to stamp out fraud and that using the advanced technical capabilities the criminals rely on is the only way we can begin to get ahead.
We must ensure data is used responsibly, but also proactively, to stay ahead of fraudsters who don’t hesitate to exploit our personal information at every opportunity.