Main Menu

Data Protection and Digital Information Bill KEY POINTS

The government published the Data Protection and Digital Information Bill outlining provisions to amend the existing UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003, with the overall framework based on the GDPR.

The purpose of the Bill is to streamline requirements on UK firms and to provide clarification on existing legislation. The UK’s adequacy with the US may be at risk given the proposed powers for the Secretary of State (relating to standards setting) that may be regarded as impeding the independence of the regulator and should UK reforms diverge significantly from the EU this raises the risk of inhibiting cross border data flows.

Changes PIMFA members should be aware of relate to:

  • the role of the data protection officer being replaced by a designated senior responsible individual.
  • the Bill proposes powers for The Treasury and the Secretary of State to issue regulations requiring data holders to submit customer and business data – the proposals are similar to provisions in the EU Digital Markets Act.

A focus of the government’s new data protection rules is to reduce unnecessary burdens on businesses. It therefore plans to proceed with the requirement for organisations to implement privacy management programmes to ensure they are accountable for how they process personal data. The same high data protection standards will remain but organisations will have more flexibility to determine how they meet these standards’.

The government plans to proceed with removing the requirement to designate a data protection officer (DPOs). Most of the tasks of a data protection officer will become the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme. Organisations that previously used a data protection officer can continue to do so, as long as there is appropriate oversight from the senior accountable individual. This new requirement to designate a senior responsible individual from the organisation’s senior management, however, could be seen as incompatible with the existing (General Data Protection Regulation) GDPR obligation to avoid conflicts of interest for the DPOs.

Organisations will be required to undertake data protection impact assessments (DPIAs) as prescribed in the UK GDPR.  They are required to ensure there are risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation. 

There will be changes to record keeping under Article 30. The government plans to proceed with removing the requirement for record keeping provisions. Privacy management programmes will still require organisations to document the purposes of processing, but in a way which is more tailored to the organisation.

The government plans to proceed with changing the current threshold for refusing or charging a reasonable fee for a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’, which will bring it in line with the Freedom of Information regime. The government does not intend to introduce a cost ceiling for subject access requests nor the nominal fee for processing.

The Information Comissioner’s Office (ICO) will be modernised to have a chair, chief executive and a board and will have new objectives which will give Parliament and the public better ability to hold the regulator to account. Strategic objectives will be set out in the Bill. They will underline the importance of the regulator continuing to uphold data rights and encouraging the responsible use of personal data, but will have greater emphasis on taking into account growth, innovation and competition.

The amendment intends to clarify which information data protection law is applicable to and restrict the scope of personal data.

A risk-based approach (e.g. assessment of the impact of transferring personal data internationally) is intended to maintain the free flow of data with Europe, but the divergence could result in the UK losing its EU adequacy status (this would create significant uncertainty for firms).

When the threshold for notification is met under the UK GDPR firms will have to notify the ICO and data subjects of personal data breaches (including those of loss of access to data). Firms may be aware the ICO issued a checklist for business: Ransomware and data protection compliance (March 2022).

The government intends to scrap the existing balancing test for some activities and has proposed a list of recognised legitimate interests to help firms, e.g., when processing data is necessary to identify, scrutinise, or deter fraud and money laundering.

His Majesty’s Government propose to reform existing provisions relating to automated decision-making and the extent of human oversight, e.g. a positive right to human intervention, however, there is a risk that the proposal to restrict the right to significant decisions could threaten the UK’s adequacy status.

Statutory provisions provide a basis for the Secretary of State or Treasury to issue data sharing obligations to data holders, e.g. to publish, produce or collect specific data (similar to obligations on providers of digital core platforms (gatekeepers) under the EU’s Digital Markets Act.[1]  s.64, Power to make provision in connection with business data, page 80).

It was made clear that organisations that are currently compliant with the UK GDPR would not need to significantly change their approach to be compliant with the new requirements, unless they wanted to take advantage of the additional flexibility that the new legislation will provide.

Click on the guides below to learn more about data protection.

Click to expand.

Almost there...

Complete the quick form below to download the Membership Brochure