
What the UK’s New Data Protection Law Means for Microsoft 365 Users

  • Steffen Gorgas
  • Jul 2
  • 7 min read

Key takeaways from the UK’s New Data Protection Bill and how SharePortals helps you stay compliant


The UK’s long-anticipated data protection reform is entering its final stages. The Data (Use and Access) Bill (DUA Bill) is set to become law in the coming weeks, bringing targeted changes to UK GDPR, the Data Protection Act 2018, and PECR.


For businesses using Microsoft 365 to manage personal data, the changes bring fresh obligations, particularly around direct marketing, data transfers, and subject access requests. With significantly higher fines on the table for PECR breaches, compliance isn’t optional.


That’s where SharePortals can help: by turning your existing Microsoft 365 tools into a secure, streamlined environment for managing data responsibilities, without the need to switch systems or retrain your team.



1. PECR Fines Are Increasing: Direct Marketing Compliance Under Pressure


The DUA Bill aligns Privacy and Electronic Communications Regulations (PECR) penalties with those under UK GDPR, meaning fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for non-compliance. Until now the PECR maximum was £500,000.


This is a major shift, particularly for businesses relying on:


  • Email campaigns

  • SMS marketing

  • Website tracking tools (cookies, pixels)


Historically, the ICO has taken more enforcement action under PECR than UK GDPR, and now that the stakes are higher, businesses need to double down on consent management and evidence-based compliance.


How SharePortals Helps:


While SharePortals isn’t a marketing automation tool, it plays a key role in supporting marketing compliance from an internal governance perspective:


  • Log the lawful basis for each marketing activity (consent, soft opt-in, or legitimate interests) and link it to the relevant contacts, campaigns, or data processes.

  • Store opt-in records centrally, so you can quickly demonstrate when and how consent was collected; this is especially helpful if you manage data across multiple departments or platforms.

  • Maintain an internal audit trail of approvals, decision-making, and policy updates, so you are not caught off guard during an investigation or audit.

  • Track policy reviews and internal workflow sign-offs, whether for a new campaign, a cookie policy update, or a new data collection form.



2. Subject Access Requests (SARs): New Protections for Controllers


The DUA Bill aligns SAR handling with current ICO guidance, giving organisations more flexibility, but also more accountability.


Key updates include:


  • The ability to "stop the clock" on the one-month response period while you seek identity verification from the requester or ask them to clarify what they are looking for (the UK GDPR deadline is one calendar month, extendable by up to two further months for complex requests, not 30 days)

  • A legal recognition that only a "reasonable and proportionate" search is required, not an exhaustive trawl through every record system


While these changes are helpful, they also introduce ambiguity. What’s “reasonable”? What’s “proportionate”? Without a documented process, businesses may still be at risk of non-compliance or challenge.


How SharePortals Helps:


SharePortals gives your team a repeatable, auditable, and scalable system for handling SARs across departments, without needing to leave Microsoft 365.


  • Automate intake with templated workflows: trigger internal tasks when a SAR is received, assign ownership, and track status in real time.

  • Log deadlines and key actions, including when the request came in, when the clock was paused and restarted, when documents were reviewed, and when the response was issued.

  • Validate ID and manage communication templates, so teams respond consistently and in line with internal policy.

  • Standardise redaction processes using checklists or linked documents that record what was redacted, who approved it, and how the response was delivered.

  • Keep a complete case file: every communication, document, and action is logged for future audits or legal reviews.



3. Legitimate Interests Clarified: New Examples in Law


Under the DUA Bill, the UK GDPR will include a non-exhaustive list of examples where the "legitimate interests" lawful basis can be used more confidently. These include:


  • Internal administrative purposes, such as sharing employee or client data within a corporate group

  • Direct marketing, where it does not override the data subject's rights or reasonable expectations

  • Emergency response and public protection, such as preventing crime or safeguarding vulnerable individuals


The Bill treats these differently, and the distinction matters for how much you must document. Responding to emergencies, preventing crime and safeguarding vulnerable individuals fall under a new category of "recognised legitimate interests" (listed in a new Annex 1 to the UK GDPR), for which no balancing test is required. Direct marketing and intra-group administration remain ordinary legitimate interests: the Bill names them as examples, but you still have to record why you believe a legitimate interest applies and how you have balanced it against the rights and reasonable expectations of the individual. This clarity gives organisations more certainty, but it also places the onus on them to keep that assessment in writing.



How SharePortals Helps:


SharePortals enables you to build this accountability into your everyday operations by giving you a structured way to log and justify processing decisions within the Microsoft 365 environment.


  • Record the lawful basis used for each data processing activity, including legitimate interests, and link it to the associated contacts, cases, or team.

  • Attach a justification document or balancing test to each entry, showing how you assessed the potential impact on the data subject and mitigated the risks.

  • Link these decisions directly to your Record of Processing Activities (ROPA), creating a clear audit trail for compliance reviews or regulator requests.

  • Provide organisation-wide visibility so that everyone, from marketing to HR, works from the same legal framework, reducing inconsistency and risk.



4. Further Processing Rules: A New Article 8A


The DUA Bill introduces Article 8A, which sets clearer rules around when personal data can be used for a new purpose beyond the one it was originally collected for.


Under the new rules, further processing is permitted if:


  • The data subject gives fresh consent to the new purpose

  • The new purpose is compatible with the original one, assessed against the factors Article 8A sets out: the link between the two purposes, the context in which the data was collected, the nature of the data, the possible consequences for the data subject, and the safeguards in place

  • The processing is for scientific or historical research, archiving in the public interest, or statistical purposes, which the Bill treats as compatible

  • The new use meets one of the conditions in the new Annex 2 that the Bill inserts into the UK GDPR, such as safeguarding, public security, or complying with a legal obligation


This change codifies flexibility into the UK GDPR framework, but with it comes a heightened expectation of transparency and accountability. Organisations must be able to justify how the new purpose is compatible with the original one or fits within one of the listed conditions, and that justification should exist before the reuse starts, not be reconstructed afterwards.



How SharePortals Helps:


SharePortals provides a structured, traceable way to manage and document further processing decisions inside your Microsoft 365 environment.


  • Add and label new purposes directly within the relevant contact records, case files, or data sets, so they are visible and clearly connected to the original purpose.

  • Record and attach supporting evidence, such as updated consent forms, internal memos, DPIAs, or references to the legal basis relied on.

  • Log who authorised the reuse, when it was approved, and under which justification, all in a centralised audit trail.

  • Ensure continuity across departments by standardising how and where these decisions are recorded, so legal, compliance, and operational teams stay aligned.



5. Automated Decision-Making (ADM): Tighter Definitions, Fewer Bans


The DUA Bill replaces Article 22 of the UK GDPR with new Articles 22A to 22D, which clarify when a "significant decision" about an individual may be taken by automated means. Under the new framework:

  • A decision counts as based solely on automated processing where there is no "meaningful human involvement", meaning no person has genuinely weighed the outcome; a rubber-stamp sign-off does not count.

  • A "significant decision" is one that produces legal effects for the individual or has a similarly significant effect on them, such as credit approvals, job screenings, or service eligibility.

  • Where such a decision relies on special category data (e.g. health, race, religion), it is permitted only if:

    • The data subject has given explicit consent, or

    • The processing is required or authorised by law, or is necessary to enter into or perform a contract, and a substantial public interest condition is also met

  • For decisions that do not involve special category data, solely automated significant decisions are no longer prohibited by default. Instead the controller must provide safeguards: tell the individual that a decision has been taken, let them make representations, give them a route to human intervention, and let them contest the decision.


Controllers must therefore be able to show not just that a decision was made, but how it was made, which data fed into it, and whether human oversight was genuinely involved rather than nominal.



How SharePortals Helps:


While SharePortals doesn’t replace your AI or automation engines, it provides a transparent layer of documentation that helps ensure ADM processes remain compliant and reviewable.


  • Log instances where ADM is used, such as automated eligibility checks, internal scoring systems, or workflow routing decisions based on profiling.

  • Attach documentation that explains the logic, whether that is a description of how the algorithm works, its inputs, or the intended outcomes.

  • Add notes detailing human review where applicable, for example when a team member intervened or approved an override.

  • Track consent or lawful basis where special category data is involved, and link it to the relevant contact or decision point.

  • Maintain a centralised audit trail that shows your organisation is considering and addressing ADM risks proactively.



6. International Data Transfers: Risk-Based, Not One-Size-Fits-All


The DUA Bill reworks Chapter V of the UK GDPR, introducing a single "data protection test" for transfers of personal data to countries outside the UK. The test asks whether the standard of protection for the data in the destination is "not materially lower" than the standard under the UK GDPR and the Data Protection Act 2018.

The test does not replace adequacy decisions or standard contractual clauses (SCCs); it sits on top of both:


  • When the Secretary of State makes adequacy regulations for a third country, the question is whether that country's data protection standards are materially lower than the UK's.

  • When you rely on appropriate safeguards yourself, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, you must, acting reasonably and proportionately, consider that the protection for the transferred data is not materially lower than it would be in the UK.


This risk-based model gives organisations more flexibility, but also more responsibility. You need to demonstrate that you carried out the necessary due diligence before the transfer, documented the rationale, and can produce that record if audited.



How SharePortals Helps:


SharePortals doesn’t move the data for you, but it gives you a system to document and prove how your data transfers are assessed and safeguarded.


  • Maintain a central record of international transfers, including what data is shared, where it is going, and why the transfer is necessary.


  • Attach relevant documentation, such as:

    • Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA)

    • Data Protection Impact Assessments (DPIAs)

    • Transfer Risk Assessments (TRAs)

    • Processor agreements or local law assessments


  • Log internal approval steps and legal reviews, ensuring visibility across legal, compliance, and IT teams.


  • Generate exportable reports showing your organisation's cross-border data transfer activity, the safeguards in place, and the risk assessments behind them, supporting audit readiness and regulatory enquiries.



7. Some GDPR Divergences Dropped — For Now


In a move welcomed by privacy professionals, the UK government has not carried forward several of the more controversial proposals from earlier drafts of data reform. Specifically, the DUA Bill does not:


  • Scrap the requirement to appoint a Data Protection Officer (DPO)

  • Remove the obligation to conduct Data Protection Impact Assessments (DPIAs)

  • Redefine or narrow the scope of personal data


By retaining these core components of the UK GDPR, the government is signalling an intent to remain broadly aligned with the EU’s data protection framework, at least for now.

This decision is particularly important for businesses that receive or process personal data from the EU, as the UK’s adequacy decision from the European Commission is set to expire in December 2025, pending review. Maintaining consistency increases the likelihood of that decision being renewed.


How SharePortals Helps:


For organisations operating across both UK and EU regulatory landscapes, SharePortals supports a unified compliance environment that makes it easier to meet obligations under both regimes, without duplicating effort.


  • Align internal frameworks with the UK and EU GDPR simultaneously by using SharePortals to centralise how your organisation documents and manages its compliance approach.


  • Maintain centralised access for DPOs and compliance officers, so they can review, update, or investigate processing activities without needing access to multiple disconnected systems.


  • Store and manage DPIAs, ROPA logs, and internal policies in one secure, searchable location, ensuring your documentation is accessible, version-controlled, and audit-ready.


  • Ensure organisation-wide consistency with linked workflows and task management that keep your data protection efforts structured, monitored, and up to date.



Data protection rules are essential reading for businesses


Data Protection - Final Thoughts


While the DUA Bill doesn’t replace the UK GDPR, it does reshape the compliance landscape, especially for businesses relying on Microsoft 365. With SharePortals, you don’t need to overhaul your systems or retrain your team. You get a secure, compliant environment inside the tools your business already uses.


Want to see how SharePortals supports compliance?




Get Started With SharePortals
