Headlines...

The Data (Use and Access) Act 2025 (DUAA) has now received Royal Assent. This new legislation updates key aspects of data protection law, making it easier for UK businesses to protect people’s personal information while growing and innovating their products and services. The Act will replace the previous data protection regime and formally establish a new framework for how data can be used and accessed in the UK.

At a Glance – Key Points about the Data (Use and Access) Act (DUAA)

• The DUAA is a new Act of Parliament that updates legislation on digital information.

• It reforms data protection laws to encourage innovation and economic growth.

• The Act aims to simplify processes for organisations while still protecting individual rights.

• Most changes are optional shifts in approach, not compulsory

•  compliance measures.

• Implementation will be phased in from June 2025 to June 2026.

In Day-to-Day Use

In practical terms, many professionals and organisations may still refer to “UK GDPR” for a period of time, especially when explaining the transition or making comparisons with the EU system. However, as the new legislation becomes established and its provisions become widely understood, it’s likely that new shorthand terms like “the Data Act” or “the 2025 Act” or ‘DUAA’ will emerge and become the norm.

Summary

While the GDPR label may linger in conversation and documentation for a while, the UK’s legal framework will be defined by the Data (Use and Access) Act 2025, which is set to shape the future of data regulation in the UK. Over time, the new terminology will naturally take its place in common usage.

Implication Going Forward For DSAR’s…

Under the Data (Use and Access) Act 2025, the process for Data Subject Access Requests (DSARs) in the UK is expected to become simpler and more manageable for organisations, while retaining key rights for individuals. Here are the main implications going forward:

1. Easier Grounds for Refusal

The DUAA aligns the UK GDPR’s subject access provisions with existing guidance from the Information Commissioner’s Office (ICO).

• In addition, the DUAA clarifies that controllers are only required to conduct a “reasonable and proportionate” search for information and personal data when responding to a subject access request. This reflects current case law, although the legislation does not define what constitutes a “reasonable and proportionate” search.
• Notably, the DUAA does not adopt the DPDI Bill’s proposal to permit controllers to refuse subject access requests on the grounds of vexatiousness. Controllers must still demonstrate that a request is manifestly unfounded or excessive to justify refusal.

2. Streamlined Identity Verification

The new Act introduces clearer rules around verifying the identity of a requester.

• It formalises the “stop the clock” mechanism, allowing controllers to pause the response timeframe when additional information is needed from the data subject or to verify their identity.

3. Clarified Response Timelines

While the one-month deadline for responding remains, the rules now allow for more structured extensions in complex cases.

• There’s an emphasis on practicality and proportionality, reducing pressure on organisations with limited resources.

4. Broader Exemptions

The legislation expands certain exemptions from providing data in response to DSARs, particularly:

• Where disclosure would prejudice crime prevention, legal proceedings, or certain regulatory functions.

• This gives more flexibility to sectors handling sensitive or investigatory data (e.g., finance, health, law enforcement).

5. Business-Friendlier Framing

The overall framing of DSAR provisions now leans toward balancing individual rights with operational burden.

• This shift is designed to support innovation and efficiency in data handling, particularly for SMEs and digital services.

Summary

The Act preserves the right for individuals to access their personal data but makes it easier for organisations to manage the volume and complexity of DSARs. It reduces compliance strain without removing accountability, aiming to create a more practical and proportionate approach.

Stay tuned. We’ll be keeping all our clients well informed…

The Data Use and Access Act 2025 (DUAA) received Royal Assent on 19 June 2025 and will be implemented in phases over the following year. Key provisions are scheduled to take effect at intervals of approximately two, six, and twelve months after assent. This staggered timetable is designed to give organisations sufficient time to prepare for the changes, including updates to data protection obligations under UK GDPR, the Data Protection Act 2018, and related regulations. Organisations are expected to maintain compliance with existing laws until the relevant DUAA provisions come into force.

The ICO as of 5th July 2025 have the following on the website ‘Our guidance is designed to help and support you to comply with the laws we regulate, and to help people understand their information rights.

As well as detailed formal guidance and Codes of Practice, we also produce checklists, toolkits and position papers. We create all our guidance with you in mind, making it as simple as possible for you to use.

Grouped by the topics below, you’ll find information about all the guidance that we’re working on. You’ll see what we’re developing and when we expect to publish. We’ll update this information regularly so that you can confidently track a product as it develops.’

They also have banners on most pages saying ‘Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen. ‘

So for the timebeing its carry on as normal and keep an eye on the ICO’s website. We’ll be doing that on behalf of all our clients. Stay tuned here for news.

As global sport accelerates into the digital age, data is becoming its most valuable asset. With the rise of AI-powered analytics, wearable technology, biometric monitoring, and interconnected devices (IoT), the sports industry is undergoing a seismic shift. But at the heart of this transformation lies a critical consideration: data privacy. Enter the General Data Protection Regulation (GDPR) — a legal framework that is reshaping how global sport must operate.

What is GDPR?

The GDPR is the European Union’s comprehensive data protection law that governs how personal data is collected, processed, and stored. It applies to any organisation — regardless of location — that handles the data of UK/EU citizens. This has direct implications for international sporting bodies, leagues, teams, tech companies, and broadcasters who deal with athlete and fan data.

AI, IoT, and Sport: A Data Goldmine

From AI-driven talent scouting and performance prediction to smart stadiums and biometric fan experiences, data flows constantly in modern sport. Wearables and sensors can track every heartbeat, sprint, or fatigue level of an athlete. AI algorithms use that data to optimise training or even detect injuries before they occur. Meanwhile, fans engage via personalised experiences delivered through IoT-enabled platforms.

Where GDPR Comes In

GDPR mandates explicit consent, transparency, minimal data use, and the right to be forgotten. This creates several challenges — and opportunities:

• Athlete Data Management: Teams and tech companies must get clear consent before collecting biometric or health data. Data must be securely stored and used only for agreed purposes.

• Fan Engagement: Personalised marketing and tracking technologies need opt-in consent. IoT devices in stadiums or apps must clearly disclose what data is collected and why.

• Global Compliance: Even non-EU organisations must comply with GDPR if they handle UK/EU citizen data. This forces sports entities to adopt universal data governance standards, potentially improving trust globally.

The Road Ahead

GDPR is not a barrier to innovation — it’s a framework for responsible innovation. As AI and IoT become the backbone of modern sport, those who embed data privacy into their infrastructure will build deeper trust with fans and athletes alike. Forward-thinking organisations will not just comply with GDPR — they’ll see it as a blueprint for ethical leadership in a tech-driven sports future.

In a world where every step, heartbeat, and click is data, GDPR ensures that sport remains not just smart — but fair, secure, and human.

For more on how CCS are helping Sports Organisations Click Here

Michael Ashley v Commissioners for His Majesty’s Revenue and Customs [2025] EWHC 134 (KB)

Mike Ashley’s recent High Court win against HMRC highlights the responsibilities organisations have when responding to data subject access requests (SARs) in the UK. Content Capture Services can help you understand the challenges and implement the solutions.

The Court addressed several issues in Mr. Ashley’s claim, including HMRC’s failure to:

• Properly interpret his SAR’s scope

• Conduct adequate searches

• Provide intelligible personal data

• Properly apply the tax exemption under the Data Protection Act 2018

• Correctly define “personal data”

This article focuses on the tax exemption and the definition of “personal data,” as well as the court’s ruling.

The Dispute

The dispute began over the sale of properties linked to Mr. Ashley, he later made a SAR requesting information about his tax enquiry, including data from HMRC’s Wealthy and Mid-Size Business Compliance department.

The Tax Exemption

Data access rights aren’t absolute; exemptions apply when personal data concerns tax assessment or collection. HMRC argued that disclosing certain data could reveal its settlement strategies, potentially helping taxpayers in future disputes. However, the Court found that no significant likelihood of prejudice existed, as the tax dispute was already resolved. The ruling emphasized that the potential for harm must be backed by evidence, not mere assertion.

What is “Personal Data”?

The UK GDPR defines personal data as information about an identified or identifiable person. HMRC initially withheld all of Mr. Ashley’s data, but after challenge, disclosed some. Mr. Ashley argued that the information regarding his tax liability should be included, even if it involved data from the Valuation Office Agency (VOA).

The Court ruled that information relating to tax liability was not automatically personal data, but could be if it met criteria like content, purpose, or effect. This means HMRC may need to reconsider its SAR response and potentially release more data.

Impact of the Decision

This case highlights the importance of robust data protection practices. The ruling clarifies that organizations must ensure SAR searches and exemption applications are conducted properly, with the “relating to” criterion applied appropriately. It also sets a precedent for future legal challenges, which could lead to more disputes over personal data rights.

For HMRC, the case may prompt changes in how data is managed during tax investigations, potentially slowing down the process. In the broader economic context, the ruling could influence perceptions of the UK as a business-friendly environment.

The case also emphasises the need for organisations to balance the cost of updating data systems with the challenges posed by SARs. With more businesses likely to face such requests, adopting more efficient and secure data systems will be crucial. Content Capture Services can help with all aspects.

Harrison v Cameron: What This Case Means for Responding to Subject Access Requests (SARs)

A recent High Court ruling in Harrison v Cameron has clarified an important question in data protection law: when responding to a Subject Access Request (SAR), do you have to reveal the names of individuals who received the requester’s personal data?

The short answer? Sometimes—but not always.

Background

Mr. Harrison, a property investor, hired ACL, a landscaping company run by Mr. Cameron. Things turned sour, and after Harrison terminated the contract, Cameron recorded two phone calls and shared them with colleagues, friends, and family. Harrison claimed the recordings damaged his reputation and business and issued SARs demanding to know who had received them.

The Court’s Findings

The judge made a few key rulings that are particularly useful for data controllers:

• Named individuals—not just categories—may need to be disclosed. This includes employees of the controller.

• However, exemptions apply. If naming third parties would infringe on their rights or expose them to harm, controllers can withhold those names.

• A balancing test is required. Controllers must weigh the data subject’s right to access against risks to third parties. Content Capture Services know where this line and is!

• Controllers have discretion. The court emphasised that organisations responding to SARs have a “wide margin of discretion” when applying exemptions.

• The purpose of the SAR matters. Evidence showed Harrison used previous disclosures to send intimidating legal letters, which justified ACL’s refusal.

Why This Matters

This case confirms that while data subjects can expect transparency, their rights are not unlimited. If you’re responding to a SAR, particularly one involving internal communications or sensitive third-party data, this case is a helpful guide on when—and when not—to disclose. Content Capture Services can help you implement the best practice here.

CCS have found that Ai redaction software products over promise and under provide.

All the main options tested struggled with automatic redaction due to the complexity of understanding context and the nuanced nature of sensitive information. Redacting isn’t just about removing predefined keywords or patterns; it requires understanding the context in which a word or phrase is used. For example, Ai might redact a name in one document but miss the same person’s identity in a different context, such as through indirect references. Sensitive information can also be implied through surrounding text, making it hard for Ai to consistently recognise all privacy risks.

Additionally, Ai models were found to lack real-world comprehension, often failing to detect legal, ethical, or domain-specific nuances. Over-redaction, such as removing irrelevant data, and under-redaction, like missing hidden or implied sensitive information, were common pitfalls. Human oversight is still essential to ensure the appropriate balance between privacy protection and maintaining document integrity when redacting complex documents. So a helpful tool to reduce work but not a magic wand!

We’ve developed a state-of-the-art, secure internal video rendering farm that sets the industry standard for efficiently handling large video processing tasks. Leveraging the latest GPU (graphics processing unit) technology, our system can ingest, process, and deliver long-length video clips without the need to break them down into smaller segments. Click here for more Video Redaction Service Description

With the Prime Minister calling a General Election for July 4, 2024, the UK Parliament has entered a ‘wash-up’ period to finalise any uncompleted legislation. Legislation that is not completed by the end of the ‘wash-up’ on May 24 will lapse and may be reintroduced in the next Parliament. The Data Protection and Digital Information (DPDI) Bill did not complete its passage by the end of the ‘wash-up’ and has therefore lapsed.

It is understood that the Bill’s failure was due to disagreements in the House of Lords over controversial late amendments introduced by the Department of Work and Pensions (DWP). These amendments aimed to facilitate data sharing between the DWP and private companies, primarily banks, to prevent fraud. However, they were controversial and faced significant opposition in the House of Lords.

The DPDI Bill was a significant step forward for the UK’s data protection framework, offering a range of opportunities. These included making the UK a more attractive place for AI technology research, development, and deployment, establishing new frameworks for Smart Data and Digital ID, and providing the UK with the flexibility to adapt to a rapidly changing global trade environment.

The failure of the DPDI Bill is therefore disappointing, especially given the broad support in Parliament for its wider reforms.

The UK tech industry will be frustrated by the Bill’s failure, particularly given the extensive consultation that took place. It will now be the responsibility of the next Government to resume these reforms following the election. Whichever political party wins the election should not miss this opportunity. Instead, they should build on the progress made in this Bill to create a pro-innovation and high-standard data protection regime for the UK. This should also include enabling smart data and digital ID schemes, allowing better management of data and interaction with public services.

We’ve assisted CERN, renowned for the Hadron Collider, in organising decades of unstructured video data with metadata. This valuable resource is now easily accessible.

The “right to be forgotten,” enshrined under Article 17 of the General Data Protection Regulation (GDPR), allows individuals to request the deletion of their personal data when it is no longer necessary, or if it has been unlawfully processed. This right empowers individuals to take control over their online privacy, particularly in a digital landscape where personal information is often stored and shared without clear consent.

Key scenarios for exercising the right to be forgotten include when the data is no longer needed for the original purpose, consent has been withdrawn, or the individual objects to the processing of their data for direct marketing. However, the right is not absolute and must be balanced against other factors, such as freedom of expression, public interest, or legal obligations. For instance, a news outlet may not be required to erase articles that contain personal data if it serves the public’s right to information.

The right to be forgotten is a crucial tool in the GDPR framework, allowing individuals to mitigate the long-term consequences of having their personal data widely available, especially in an age where digital footprints can be permanent and far-reaching.

But how do UK Organisations execute a request? CCS can help Click Here For More…

One sentence changed the CCS mission overnight…

In 1996, Bill Gates famously declared that “content is king,” predicting that the internet would evolve into a dominant platform for the distribution and monetisation of content. He foresaw that, just as in traditional media, quality content would drive traffic, attract advertisers, and generate revenue online. Nearly three decades later, Gates’ statement has largely been proven right, and its relevance continues today, albeit in a more nuanced form.

The proliferation of digital platforms—websites, blogs, social media, and streaming services—confirms that content remains a primary driver of engagement. From written articles and videos to music, podcasts, and online courses, content is the backbone of the internet’s success. Successful platforms like YouTube, Netflix, and Spotify demonstrate that creating and distributing high-quality, engaging content is central to capturing and retaining users.

However, the landscape has evolved. While content is still king, distribution and discoverability have become equally important. The rise of search engine algorithms, social media, and recommendation systems means that even the best content can go unnoticed if not properly optimised or shared. Platforms like Google and Facebook prioritise content that aligns with user preferences, making it essential for creators to understand SEO, algorithms, and audience behavior.

Moreover, content marketing has emerged as a critical business strategy. Companies now focus on providing value through blogs, videos, and infographics to engage consumers and build brand trust. This reinforces the notion that relevant, targeted content is crucial for building relationships and driving business growth.

In today’s world, content is more accessible and diverse than ever. Gates’ prediction holds true, but it’s clear that alongside content, distribution, strategy, and adaptability are key to success. As long as people seek information, entertainment, and value online, content will remain a dominant force in shaping digital experiences.

Responding to a Data Subject Access Request (DSAR) using tools like Microsoft Purview and eDiscovery presents several challenges. While these platforms offer powerful capabilities for searching across Microsoft 365 data, they are not specifically tailored for DSAR workflows, which can make the process cumbersome. CCS can help.

Our clients are having trouble with DSAR searches in Microsoft’s new Purview eDiscovery interface? So CCS have created a free, step-by-step PDF user guide to help you navigate the updated front end with ease. Simplify compliance and boost efficiency. Download your guide now and take control of eDiscovery challenges.

One major challenge is identifying all relevant data across multiple services—emails, Teams messages, SharePoint files, and OneDrive content. Purview’s search functionality can be broad, but filtering results to just those that are truly “personal data” within the scope of a DSAR often requires significant manual review and judgment.

Another difficulty lies in the granularity of the search. Data subjects often expect their full digital footprint, but DSARs typically require the extraction of only personal data about the requester—not about others. This makes redaction and context evaluation essential. While eDiscovery Premium offers review sets and redaction tools, they can be complex to configure and don’t always scale well for high-volume requests or non-standard data types.

Lastly, ensuring completeness and compliance within tight statutory timelines is stressful. Search limitations, complex permissions, and the need to manually validate results can delay responses and increase the risk of errors or omissions. As such, while Purview and eDiscovery are helpful starting points, many organizations find they need additional processes or tools to meet DSAR requirements effectively.