Following on from the Data Protection and Digital Information Bill, which was initially proposed last July, the UK government has now updated its previous proposal and, on 8 March 2023, published its second version of the bill, the Data Protection and Digital Information (No.2) Bill (the “new bill”).
The first version of the Bill was very much focused on reducing burdens on businesses and establishing the UK “as the most attractive global data marketplace”. This underlying theme remains, with forecasts that the reforms will save the UK economy more than £4 billion over the next 10 years.
The government has said the new bill will:
- Provide an easy-to-implement, cost-effective, clear and business-friendly framework underpinned by the best existing elements of the UK GDPR;
- Ensure the UK maintains its adequacy status – although there are no guarantees, it is positive to see the government express confidence that the UK’s adequacy will be retained, as there were concerns amongst privacy professionals that the changes under the previous proposal could impact the UK’s adequacy status;
- Reduce the volume of paperwork required for organisations to demonstrate compliance, for example, only organisations whose processing activities are likely to result in high risks to individuals’ rights will be required to maintain processing records;
- Further support international trade without creating additional costs for businesses that are already compliant with the UK GDPR;
- Give organisations more clarity in respect of the use of consent and increase confidence in relation to when organisations can process personal data without consent; and
- Bring clarity regarding the application of safeguards to automated decision-making which should increase business and public confidence in AI technologies.
What’s new in the bill?
Key points to note are:
- Updated definition of scientific research – the definition has been extended and makes clear that commercial organisations will share the same freedoms as academics to carry out innovative scientific research.
- Legitimate interest examples – the previous bill introduced a limited list of processing activities for which no legitimate interest assessment would be required. Under the new bill, a non-exhaustive list of processing activities for relying on legitimate interests (as an appropriate lawful basis for processing) has been added which includes direct marketing, intra-group transmission of personal data for internal administrative purposes and ensuring the security of network and information systems; a legitimate interest assessment will be required for these.
- Record-keeping requirements – as mentioned above, only organisations that carry out high-risk processing will need to keep records of their processing activity, for example, where organisations are processing large volumes of personal data about an individual’s health.
- International transfers – businesses can continue to use their existing international data transfer mechanisms to share personal data overseas if such mechanisms already comply with current UK data protection legislation.
- Increase in fines – fines for nuisance calls and texts will increase to either up to 4% of global turnover or £17.5 million, whichever is greater. The current maximum fine is £500,000.
What does this mean for your organisation?
Whilst there are a number of changes in the new bill, none of them are drastically different from the previous proposal. As highlighted above, the government has already stated that organisations will comply with the new bill if they are compliant with the UK’s current data protection framework so hopefully, when the new bill becomes law, the changes should not place a significant burden on organisations that currently have robust data protection programmes in place.
Now the new bill has been presented to Parliament, MPs will need to consider it at a second reading which has yet to be announced. We will keep you updated on any developments in relation to the new bill.
Need help with data protection or GDPR?
As a specialist data protection consultancy, Evalian® is well placed to assist you with any queries you might have on the data protection implications based on the UK government’s proposed changes.
If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.