UK Data Protection and Digital Information Bill no. 2 – What is Changing for UK Organisations?

One of the key areas of reform under the new bill is the exemption of all controllers and processors from the duty to maintain a Record of Processing Activities (RoPA) unless they are carrying out high-risk processing activities.

If your organisation is not involved in high-risk processing activities, you will no longer be required to maintain a detailed RoPA. It is worth noting that the bill shifts the emphasis towards high-risk processing activities, but it does not set specific criteria for what constitutes 'high-risk' processing. The Information Commissioner's Office (ICO)—which is also being rebranded to the “Information Commission”—is expected to publish examples of processing types it considers to be high-risk for this purpose.

Furthermore, it is important to note that organisations that are subject to the EU GDPR will still need to maintain their record-keeping obligations in respect of their data processing exposures in EU jurisdictions.

It will be interesting to see how this amendment plays out in practice as the visibility of data processing activities across an organisation plays a fundamental role in any data protection compliance framework. By virtue of this being taken away as a mandatory requirement begs the question on how an organisation will be able to evidence accountability that internal data protection policies and procedures are fit for purpose and effective and we expect that a number of organisations that have invested heavily in the development of the RoPA document will continue to maintain as a live document.

Under the new bill, there will be a significant change in the requirement for appointing a data protection leader within organisations. The traditional role of the Data Protection Officer (DPO) is set to be replaced by a new position known as the Senior Responsible Individual (SRI). This change has implications for both public authorities and organisations, particularly those involved in high-risk data processing.

Unlike the DPO, the SRI is specifically mandated to be a member of senior management, emphasising the strategic importance of data protection within the organisation. According to the bill, the obligation to appoint an SRI applies particularly to entities engaged in high-risk data processing activities, echoing a shift in focus towards more significant data protection risks. This means that organisations currently employing a DPO need to prepare for this transition by understanding the new requirements, responsibilities, and strategic implications of having an SRI.

We note, however, that whether or not an organisation will be required to appoint an SRI, it is important to make sure it continues to operate an effective data protection programme that complies with the law. In fact, under the current regime, the requirement to appoint a DPO applies in limited cases only. Despite this, many organisations choose to appoint a DPO even when not caught by this requirement to ensure better compliance. We expect that organisations will (and would encourage them to) continue to embrace a similar approach after the DPO is replaced with an SRI.

The proposed changes in the bill regarding Data Protection Impact Assessments (DPIAs) will transition to a system of "Assessments of High-Risk Processing." This change is expected to simplify the process and make it less prescriptive.

The bill removes the specific list of circumstances requiring a DPIA and instead will rely on guidance from the ICO (or the Information Commission, as it will be referred to if the bill is enacted) about which processing activities necessitate such an assessment. Additionally, consulting the ICO in cases of high-risk processing will become optional, a shift from the previous mandatory requirement.

The bill amends the criteria for handling Subject Access Requests (SARs) under the UK GDPR. The terms "manifestly unfounded" or "excessive" are replaced with "vexatious" or "excessive". This change includes the provision of explanations and examples to guide the interpretation of what constitutes a vexatious or excessive request. This amendment aims to clarify the grounds on which organisations can refuse or limit their response to SARs.

The proposed changes in the bill introduce a new "data protection test" for assessing the adequacy of data protection in other countries for international data transfers. This test will consider if the protection level is "not materially lower" than that provided under UK GDPR.

The changes proposed in the bill could affect the adequacy status of the UK's data protection laws with the EU, potentially complicating EU-UK data transfers. If the EU revokes the UK's adequacy finding, it might necessitate additional measures for such transfers.

The new bill introduces changes to the management of complaints. Data controllers must acknowledge data subject complaints within 30 days and provide a substantive response promptly. A significant shift is that the ICO will not be obligated to accept a complaint if the data subject hasn't first approached the data controller.

The new bill modifies the approach to 'legitimate interests' as a legal basis for data processing. It allows organisations to rely on legitimate interests without a balancing test against the rights and freedoms of data subjects in certain "recognised" cases, such as national security and public security. However, for other cases like direct marketing, a balancing exercise is still required.

The proposed change in the bill redefines the concept of personal data by limiting the assessment of identifiability. The assessment will focus on whether the controller or processor and individuals likely to receive the data can identify the subject rather than considering anyone in the world.

The bill amends the definition of scientific research to include research for commercial purposes. This change broadens the scope under which data processing for research can occur, offering a more expansive consent mechanism and exemptions to the fair processing requirement.

The new bill specifies that restrictions on automated decision-making under Article 22 of UK GDPR should apply only when decisions result from automated processing without "meaningful human involvement." It further clarifies that profiling is a significant factor in determining whether there has been meaningful human involvement in the decision-making process. This change aims to provide clearer guidelines for assessing when automated decision-making falls within the regulatory scope.

Under the new provisions, the Secretary of State and the Treasury will have the authority to enact regulations that compel "data holders" to provide access to "customer data" and "business data" to customers or third parties. These regulations may also include provisions enabling or requiring data holders, amongst others, to produce, collect or retain customer data. This represents a move towards greater data accessibility and transparency, potentially impacting how organisations manage and share customer and business-related data.

Proposed amendments to the PECR include allowing the use of cookies without consent for web analytics and automatic software updates. Non-commercial organisations, like charities and political parties, will be able to use the "soft opt-in" for direct marketing. The fines under PECR will also be increased to align with UK GDPR levels, up to £17.5 million or 4% of global annual turnover, whichever is higher.