Less paperwork for organisations, fewer data collection pop-ups for the wider public, and more than £4 billion saved over the next 10 years – these are just a few outcomes that the proposed Data Protection and Digital Information Bill (the ‘bill’) should bring, according to the government.
The draft legislation was published by the government on 8 March 2023 with a view to reforming the current data protection regime in the UK. This came following a consultation launched by the Department for Digital, Culture, Media and Sport in 2021 and after the initial draft of the proposed legislation was paused last September. The bill now seems to be progressing towards becoming legislation and has just received its second reading in Parliament. Our data protection group have looked at the proposed legislation and highlight below a couple of points that might be of interest for organisations processing personal data.
Under the bill, only those organisations whose processing activities are likely to pose ‘high risks’ to individual rights and freedoms (such as the processing of health data) should be required to keep a record of processing activities. It also aims to provide more clarity as to when organisations can process personal data without needing consent, and it removes the need for data processors to balance their own legitimate interest with the data subject’s rights and interests where certain public interest activities are concerned (such as crime prevention or the protection of vulnerable individuals).
The proposed legislation also updates the definition of scientific research to clarify that commercial organisations will benefit from the same freedoms as academics to carry out such research, making it easier to reuse data for those purposes. It should also increase confidence in AI by clarifying when safeguards apply to automated decision-making.
The wider public is likely to welcome the government’s proposals to increase fines for nuisance calls and texts to either up to 4% of global turnover or £17.5m (whichever is higher) and to reduce the number of cookie consent pop-ups in their daily lives.
Certain changes are also proposed in respect of data subject requests. Although they are a crucial right for individuals, subject access requests can also be time-consuming and costly to process for many organisations, especially if used as a means of circumventing strict disclosure protocols in disputes and gaining information for prospective litigation. The bill proposes to change the current threshold for refusing a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. Data subject requests intended to cause distress, not made in good faith or abusing the process are listed as non-exhaustive examples of vexatious requests.
The DPDI (No.2) Bill also proposes reforming the Information Commissioner’s Office (the ‘ICO’) by setting clearer strategic objectives and duties for the ICO while changing its governance model. This should enhance the ICO’s accountability both to Parliament and the public and extend its investigatory powers. The ICO would in future tackle the highest risk data processing activities, while helping organisations to comply with the law from the outset, rather than focussing on penalising them.
In general, organisations that are currently compliant with the UK GDPR should not have to take any steps or make any changes to comply with the proposed legislation. However, the proposed legislation – if implemented as is – would bring organisations more flexibility to choose a more efficient approach to their data privacy. Moreover, those remaining subject to both the UK and the EU GDPR should not be disadvantaged either, as the proposed reform is not likely to create dual or conflicting requirements between the two.
The question is whether all these proposed changes will withstand parliamentary scrutiny. Although the proposed legislation was received positively by the UK Information Commissioner John Edwards, questions have been raised about whether the proposed changes might impact the UK ‘adequacy’ decision obtained from the EU Commission following Brexit, thereby jeopardising the cross-border flow of data between the UK and the European Economic Area. The UK’s data reform plans have previously faced criticism from a member of the European Parliament and the next adequacy decision review is due to take place in June 2025, although a change in the UK’s data protection laws could prompt an earlier review. However, the UK government remains confident that the proposed regime will maintain data protection adequacy with the EU while moving away from the ‘one-size-fits-all’ approach of the EU GDPR.
If you have any questions regarding the proposed legislation or require support, please get in touch. Our specialist GDPR and data protection solicitors will make the effort to get to know your business, using this knowledge to create workable solutions to any kind of data protection compliance challenge you may face. Whether you’re looking for a comprehensive solution, training or help with certain aspects of data protection law, please contact our dedicated team.
Willans Data Protection Services provides organisations operating on a multi-national basis with UK and Article 27 Representative solutions, Data Protection Officer services and GDPR training solutions.
Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.