Blog First Impressions of the Data Protection and Digital Information (No. 2) Bill

What does the bill look like?

The bill is just over two hundred pages long and is structured in six parts:

• Part 1 – Data Protection
• Part 2 – Digital Verification Services
• Part 3 – Customer Data and Business Data
• Part 4 – Other Provision About Digital Information
• Part 5 – Regulation and Oversight
• Part 6 – Final Provisions

There are also fifteen schedules which occupy roughly a third of the pages. These contain a lot of the specific detail of the changes.

As is often the case with such legislation, the bill basically consists of a long series of edits to existing laws in the general format of “in this named bill, in section three, paragraph four, take this bit out and replace it with that”. This makes reading the bill from beginning to end a non-starter and means you have to have a copy of the original law to hand to make any sense of it at all. Unfortunately it’s worse than that, because some of the legislation it amends (such as the UK GDPR) is itself a series of amendments to an earlier document. No wonder lawyers are so expensive.

What is the bill intended to achieve?

According to the government’s press release, the positioning of the bill is firmly around the post-Brexit agenda, emphasising the reduction of red-tape and therefore costs for British businesses, enabling international trade and saving four billion pounds over ten years, whilst protecting our privacy and data. As such, the bill is intended to be a simplification of the UK GDPR (which is of course the same as the EU GDPR in virtually all respects) whilst introducing enabling technologies such as digital verification and artificial intelligence (AI) and revamping the Information Commissioner’s Office (ICO).

So what are the simplifications?

It’s a long bill, but let’s pick out some of the simplifications that might be of interest to an organisation needing to comply with UK data protection law as it currently stands:

• The need to keep records of processing activities under Article 30 of the UK GDPR is reduced to cover only data controllers who perform high risk processing. This could reduce the administrative overhead somewhat for the majority of organisations in the UK, although that depends on how much processing you do and the level of detail of the records you currently keep. There may also be good business reasons for continuing to keep such records.
• The exemptions to consent pop-ups on websites are widened, so you can keep statistics of website usage more easily without asking for consent. However, you will still need to ask for consent to use cookies for other purposes, so how much difference this will make is open for debate.
• Profiling rules are aligned with those covering automated decision-making, so if a human is not involved in any form of decision-making, there is a right to ask for one. This is more of a clarification than a significant change to the rules.
• No need to do a balancing test for legitimate interest if the purpose is on the approved list, however, this list is fairly short and covers reasons related to public bodies rather than any common commercial activities.
• Organizations not established in the UK no longer need to appoint a representative in the UK for data protection purposes. This would reduce the admin overhead and cost for organisations outside the UK, but not within it.
• The Data Protection Officer is replaced with the role of Senior Responsible Individual, which could potentially be someone with a lower degree of autonomy and independence than that of the DPO role in the GDPR. Again, this is probably of more relevance to a public body which previously had to appoint a DPO.
• The rules for refusing “manifestly unfounded or excessive” data subject requests are replaced with a “vexatious or excessive” approach, to some extent lowering the bar for an organisation to refuse or charge for a data subject access request that they consider to be unreasonable. This will of course be helpful if your organisation suffers from this problem, but we have to wonder how widespread it actually is.

What does this mean for UK organisations?

The first thing to say is that if you currently comply with the GDPR you won’t need to do anything further to comply with the bill. However, there are perhaps a few areas in which you could relax your compliance, if it’s only UK law you need to worry about. If you trade with the EU, you will still need to meet the GDPR’s standards anyway.

As is often the case with this type of legislation, the vast majority of the bill is taken up with changes affecting the government and public bodies, rather than the obligations of private sector companies. This is certainly not a wholesale rejection of the GDPR, far from it; in many respects it is a simple tinkering around the edges and it may be hard for many commercial organisations to see the immediate benefits of its provisions.

What effect the other provisions of the bill such as digital verification services will have remains to be seen.

Written by CertiKit’s Managing Director and founder, Ken Holmes CISSP, CIPP/E. Ken is the lead author of the toolkits and is continually striving to improve the products.

This blog was first published in March 2023, and has been updated in May 2024.

Our Data Protection Toolkits

If you’re looking to improve your data privacy compliance, we have the following toolkits available to assist:

• UK Data Protection Toolkit
• EU GDPR Toolkit
• ISO27701 Toolkit

Each toolkit comes with unlimited email support with our consultants, and a lifetime subscription to the updates service so when a new version is released you will be notified to download.