The UK government wants to reform data protection laws, removing administrative burden and helping to promote innovation. The challenge is to achieve this without causing disruption or risking trading relationships. So how far is the Data Protection and Digital Information Bill (DPDI) along the road to becoming law, and what changes will it make to your organisation?
Data Protection and Digital Information Bill
What is it?
The Data Protection and Digital Information Bill (DPDI) presents post-Brexit reforms to the UK’s data protection laws.
The government claims the new legislation will:
- Retain the best elements of the EU General Data Protection Regulation (GDPR)
- Provide greater flexibility
- Reduce costs by £4.7 billion over 10 years
- Facilitate global trade
- Be simple, clear and business-friendly
The challenge for the legislation is to help support innovation and reduce administrative burden, without making changes that:
- Impinge on individual data rights
- Require businesses to create new data systems
- Create barriers to trade with the EU and other international jurisdictions
When was it introduced?
DPDI was initially introduced to the UK Parliament on 18 July 2022. A second reading of the bill anticipated for September 2022 was put on pause after the resignation of Boris Johnson as Prime Minister.
On 8 March 2023, a revised version of the legislation, known as DPDI (No 2) Bill was presented by Secretary of State Michelle Donelan. It is likely to proceed to a second reading in the House of Commons in autumn 2023.
Who does it affect?
DPDI will affect organisations of all sizes and sectors, from the smallest charity to huge corporations. It will also impact international organisations that trade within the UK or manage data from UK citizens.
Key Highlights of the DPDI
The DPDI could introduce:
- A new definition of personal data that helps describe the level of anonymity required to put an individual beyond identification by ‘reasonable means’
- A category of legitimate interest data (e.g. crime, safeguarding) that removes the requirement to undertake a legitimate interest assessment
- Factors to be considered in reusing personal data for a new purpose, and specific situations in which re-use will be lawful
- Making it easier for organisations to refuse Data Subject Access Requests where they are vexatious or excessive, given the full range of circumstances
- Clarifying circumstances where AI can be used for automated decision-making without meaningful human involvement
- Replacement of Data Protection Officers (DPO) with Senior Responsible Individuals (SRI) who must be senior managers
- Data Processing Impact Assessments replaced with Assessments of High Risk Processing to be carried out where data processing activities are identified to be high risk
- Removal of requirement to keep Records of Processing Activities, replaced with obligation to maintain appropriate records
- A new data protection test to apply to arrangements for personal data transfer mechanisms outside the UK
- Restructuring of the Information Commissioner into an Information Commission, with new enforcement powers and a remit that includes recognising the need to promote innovation and competition
- Complaints procedures aimed at increasing the number of complaints resolved without involvement of the Information Commission
- A shake-up of GDPR compliance to reduce pop-ups, permitting them where an individual has consented or data is used for specific purposes such as website improvement
GDPR vs. DPDI
DPDI is not a wholesale replacement for GDPR data protection legislation. Instead, it amends existing legislation (Data Protection Act 2018 and UK GDPR) so there will be plenty of work for lawyers cross-referencing different pieces of legislation.
When the legislation is finalised, the EU will apply an adequacy test to determine whether the new UK data protection regime provides suitable data protection, allowing data flows to continue between the EU and the UK.
DPDI: Bill no.1 vs Bill no.2
What changed between DPDI (No 1), published in July 2022, and DPDI (No 2), published in March 2023?
Research purposes
DPDI (No 1): Clarification of how personal data can be used for research, statistical and historical purposes, assisting scientists in using personal data for the public good
DPDI (No 2): Addition of ‘scientific research purposes’ wording to include commercial and non-commercial usage, broadening the definition of ‘scientific research’
Legitimate interest
DPDI (No 1): Changes to the scope of legitimate interest (where personal data can be used by a data controller or third party, so long as individual rights and freedoms are not breached); introduces ‘recognised legitimate interests’ that do not require a legitimate interest assessment
DPDI (No 2): Addition of examples of legitimate interest data, such as direct marketing and IT security
Records of Processing
DPDI (No 1): Reduced obligations and an exemption for organisations with fewer than 250 employees where processing is not high risk. Risk level to be determined by looking at the nature, scope, context and purpose of data processing
DPDI (No 2): Removal of the reference to number of employees; the requirement is now to assess whether processing is likely to result in a high risk to the rights and freedoms of individuals
International data transfers
DPDI (No 1): Data protection test for assessing the protection provided by the rules in the recipient country when transferring data
DPDI (No 2): Clarification that personal data transfer mechanisms established before the law comes into force will remain valid
Cookies
DPDI (No 1): Use of cookies permitted without obtaining consent for defined purposes such as assessing how a website is used
DPDI (No 2): No further changes
Automated decision making
DPDI (No 1): Clarification that meaningful human involvement must be judged with consideration of how extensively profiling is used in making a decision
DPDI (No 2): Automated decision making defined as a decision in which there is no meaningful human involvement
Are you ready for DPDI?
Change is coming to UK data protection legislation within the next few years. This includes reform of rules that govern cookies on your site. Make sure your cookie policy is compliant with the law and gain an overview of your data collection by using our cookie scanner tool on your site.
If you need help to ensure you are compliant and making the most of any new rules, CookieHub can help.
Sign up today for a free trial.