UK Data Protection and Digital Information Bill no. 2 – What is Changing for UK Organisations?

Background to the Data Protection and Digital Information Bill No. 2

The Data Protection and Digital Information Bill no. 2 was introduced to the UK Parliament on 8 March 2023, marking a significant shift in the UK's approach to data protection and digital information management. After its second reading in the House of Lords on 19 December 2023, the bill is now at committee stage in the Lords and is anticipated to be finalised in Spring 2024. The bill aims to reduce the regulatory burden on businesses, particularly small and medium-sized enterprises (SMEs), and to remove impediments faced by scientific researchers. The government also expects the bill to boost the UK economy by more than £4 billion over the next decade.

In May 2023, the government also issued Keeling schedules and other supporting documents showing how the bill, as introduced in the House of Commons, would amend the existing legislation; updated versions reflecting the more recent amendments are still pending. For UK organisations, these changes represent an evolving data protection landscape which, once the bill is enacted, will require them to adapt to and comply with the new framework.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.

What are the proposed key changes under the Data Protection and Digital Information Bill No. 2?

Compared with the current UK data protection legislation (the UK GDPR), the bill makes only minor changes to the key concepts and data protection principles, and its overall effect is expected to be relatively modest. There are, however, some more significant proposals that UK organisations will need to consider once the law comes into effect.

Below, we provide a summary of the key changes that UK organisations will need to consider in light of the Data Protection and Digital Information Bill no.2 proposal:

One of the key areas of reform under the new bill is the exemption of controllers and processors from the duty to maintain a Record of Processing Activities (RoPA) unless they are carrying out high-risk processing activities.

If your organisation is not involved in high-risk processing activities, you will no longer be required to maintain a detailed RoPA. It is worth noting that the bill shifts the emphasis towards high-risk processing activities, but it does not set specific criteria for what constitutes 'high-risk' processing. The Information Commissioner's Office (ICO)—which is also being rebranded to the “Information Commission”—is expected to publish examples of processing types it considers to be high-risk for this purpose.

Furthermore, it is important to note that organisations that are subject to the EU GDPR will still need to maintain their record-keeping obligations in respect of their data processing exposures in EU jurisdictions.

It will be interesting to see how this amendment plays out in practice, as visibility of data processing activities across an organisation is fundamental to any data protection compliance framework. Removing the RoPA as a mandatory requirement raises the question of how an organisation will evidence, for accountability purposes, that its internal data protection policies and procedures are fit for purpose and effective. We expect that many organisations that have invested heavily in developing their RoPA will continue to maintain it as a live document.

Under the new bill, there will be a significant change in the requirement for appointing a data protection leader within organisations. The traditional role of the Data Protection Officer (DPO) is set to be replaced by a new position known as the Senior Responsible Individual (SRI). This change has implications for both public authorities and organisations, particularly those involved in high-risk data processing.

Unlike the DPO, the SRI must be a member of senior management, emphasising the strategic importance of data protection within the organisation. Under the bill, the obligation to appoint an SRI applies to public bodies and to organisations engaged in high-risk processing activities, reflecting the bill's broader shift in focus towards more significant data protection risks. Organisations that currently employ a DPO should therefore prepare for this transition by understanding the new requirements, responsibilities and strategic implications of having an SRI.

We note, however, that whether or not an organisation is required to appoint an SRI, it must continue to operate an effective data protection programme that complies with the law. Under the current regime, the requirement to appoint a DPO applies in limited cases only; despite this, many organisations choose to appoint a DPO even when not caught by the requirement, in order to support compliance. We expect that organisations will (and would encourage them to) continue to take a similar approach after the DPO is replaced with the SRI.

Under the bill, Data Protection Impact Assessments (DPIAs) will be replaced by "Assessments of High-Risk Processing". This change is expected to simplify the process and make it less prescriptive.

The bill removes the specific list of circumstances requiring a DPIA and instead will rely on guidance from the ICO (or the Information Commission, as it will be referred to if the bill is enacted) about which processing activities necessitate such an assessment. Additionally, consulting the ICO in cases of high-risk processing will become optional, a shift from the previous mandatory requirement.

The bill amends the grounds on which organisations may refuse or charge for Subject Access Requests (SARs) under the UK GDPR. The current threshold of "manifestly unfounded or excessive" is replaced with "vexatious or excessive", and the bill sets out explanations and examples to guide the interpretation of what constitutes a vexatious or excessive request. This amendment aims to clarify when organisations can refuse or limit their response to a SAR.

The proposed changes in the bill introduce a new "data protection test" for assessing the adequacy of data protection in other countries for international data transfers. This test will consider if the protection level is "not materially lower" than that provided under UK GDPR.

The changes proposed in the bill could affect the adequacy status of the UK's data protection laws with the EU, potentially complicating EU-UK data transfers. If the EU revokes the UK's adequacy finding, it might necessitate additional measures for such transfers.

The new bill introduces changes to the management of complaints. Data controllers must acknowledge data subject complaints within 30 days and provide a substantive response promptly. A significant shift is that the ICO will not be obligated to accept a complaint if the data subject hasn't first approached the data controller.

The new bill modifies the approach to 'legitimate interests' as a legal basis for data processing. It allows organisations to rely on legitimate interests without a balancing test against the rights and freedoms of data subjects in certain "recognised" cases, such as national security and public security. However, for other cases like direct marketing, a balancing exercise is still required.

The proposed change in the bill redefines the concept of personal data by limiting the assessment of identifiability. The assessment will focus on whether the controller or processor and individuals likely to receive the data can identify the subject rather than considering anyone in the world.

The bill amends the definition of scientific research to include research for commercial purposes. This change broadens the scope under which data processing for research can occur, offering a more expansive consent mechanism and exemptions to the fair processing requirement.

The new bill specifies that the restrictions on automated decision-making under Article 22 of the UK GDPR apply only to decisions taken without "meaningful human involvement". In assessing whether human involvement is meaningful, the extent to which the decision is reached by means of profiling must be taken into account. This change aims to provide clearer guidelines for assessing when automated decision-making falls within the regulatory scope.

Under the new provisions, the Secretary of State and the Treasury will have the authority to enact regulations that compel "data holders" to provide access to "customer data" and "business data" to customers or third parties. These regulations may also include provisions enabling or requiring data holders, amongst others, to produce, collect or retain customer data. This represents a move towards greater data accessibility and transparency, potentially impacting how organisations manage and share customer and business-related data.

Proposed amendments to the Privacy and Electronic Communications Regulations (PECR) include allowing cookies to be set without consent for purposes such as web analytics and automatic software updates. Non-commercial organisations, such as charities and political parties, will be able to rely on the "soft opt-in" for direct marketing. Fines under PECR will also be increased to align with UK GDPR levels: up to £17.5 million or 4% of global annual turnover, whichever is higher.

In light of the above, it is clear that the bill heralds a significant shift in the data protection and digital information management landscape for UK organisations. The proposed changes are poised to reshape how personal data is processed in the UK, offering potential benefits such as reduced regulatory burdens, especially for SMEs, and enhanced support for scientific research. Organisations within the scope of this legislation (which will be most) should stay informed, monitor the bill's progress, and proactively align their data protection strategies with the upcoming requirements so that they are prepared for compliance once it is enacted.
