Water cooler and triangular chairs
  1. Home >
  2. Snapshots >
  3. Data protection >
  4. >
  5. UK’s Data Protection and Digital Information Bill Version 2

SHARE:

UK’s Data Protection and Digital Information Bill Version 2

Published on 31 March 2023

The question

What has changed in the second version of the Data Protection and Digital Information Bill (the Bill)?

The key takeaway

Very little has changed in the second version of the Bill, aside from a few amendments designed to reduce the compliance burden on businesses. The Bill is now awaiting its second reading in Parliament.

The background

The original version of the Bill was introduced to Parliament last summer as a progressive, business-friendly framework that will cut down on costs and paperwork. See our Summer 2022 Snapshot pack for a summary of the original version.

This original version was withdrawn within a few months alongside the UK’s leadership changes to allow ministers to consider the Bill further. Since then, there have been inconsistent messages from the Government regarding the extent that the new law will depart from the EU GDPR and, in the interim, businesses have been in a holding pattern.

The development

On 8 March 2023, the Government withdrew the original version of the Bill and introduced the revised version (titled the “Data Protection and Digital Information Bill Version 2”). The recent changes were described by the Government as “expected to unlock £4.7bn in savings for the UK economy over the next 10 years”. However, there is, ultimately, very little that has changed from the original version of the Bill. The key substantive changes are:

  • Legitimate interests: The revised Bill includes examples of processing that may be necessary for a legitimate interest including processing for direct marketing purposes, intra-group transmission of personal data for administrative purposes, and to ensure the security of IT systems. However, controllers must still weigh its legitimate interests in processing for these purposes against the rights and freedoms of the data subjects.
  • Accountability: The requirement to keep records of processing, to appoint a senior responsible individual (the replacement to data protection officers) and to carry out a data protection impact assessment will now broadly depend on whether the processing poses a high risk to rights and freedoms of individuals. The ICO will maintain a list of the types of processing which it considers to be high risk to inform these business decisions.
  • Research exemption: The revised Bill clarifies that the exemption for processing for research purposes also applies to commercial, privately-funded research as long as it can be reasonably described as scientific
  • Automated decision-making: The Bill clarifies when there is meaningful human involvement in any decision (and therefore when the automated decision-making rules do not apply). The Secretary of State may also pass secondary legislation clarifying what “meaningful human involvement” means.
  • Data transfers: The Bill includes transitional provisions to ensure that transfers made under old UK GDPR arrangements but after the new transfer rules in the Bill come into force are permitted subject to certain conditions.

The next stage for the Bill is the second reading in Parliament – the date of which is yet to be announced.

Why is this important?

The Bill represents the fork in the road as the UK breaks away from the EU framework and establishes a model that reflects its own drivers and concerns. However, for the most part, the new regime will still be very similar to the EU GDPR as too great a departure would threaten the UK’s EU adequacy (up for review in 2025). Large businesses that operate across the EU and the UK must soon decide how they go forward: adopt a single legal framework across the business that meets the stricter EU threshold or adopt a dual-track system to take advantage of the reduced compliance burden in the UK.

Any practical tips?

Businesses should remind themselves of the key positions in the original version of the Bill and resume any work they had put on hold on understanding how the new law may affect processes and contracts. Either way, keeping track of the passage of this important Bill through Parliament is clearly a good idea.

Spring 2023