On 18 July 2022, the Data Protection and Digital Information Bill (DPDI) was introduced to Parliament. The Bill, which was previously known as the Data Reform Bill, is the result of the Department for Culture, Media and Sport (DCMS) consultation of last year. David Edwards and Charles Mather from our regulatory and compliance team outline the main features in the new bill.
The aim of DPDI is to update and simplify the UK’s data protection framework. A second reading of the bill in Parliament will take place in the autumn.
The objectives of DPDI include reducing barriers to responsible innovation, reducing burdens on business while delivering better outcomes for individuals, and boosting trade and reducing barriers to data flows, all with the intention of making the UK a world-leading data marketplace where individuals are empowered by the responsible use of personal data.
The Bill will impact upon businesses’ approach to collecting and processing personal data, and reform some of the lawful avenues for processing personal data in the public sector.
The practical implications that businesses will face include the following:
- Changes to the accountability framework – DPDI enables businesses to take a more risk-based and flexible approach to accountability, underpinned by a privacy management programme (PMP). For instance:
  - The requirement for mandatory data protection officers will be replaced with a requirement to appoint a designated senior individual (DSI), who will be responsible for embedding a culture of data protection across the business.
  - Businesses will still be required to identify, manage and mitigate data risks, but the requirement to carry out data protection impact assessments (DPIAs) will be removed.
  - As part of their PMP activities, businesses will be required to maintain personal data inventories. In contrast to the current requirement to maintain records of processing activities, businesses will be granted greater flexibility, and the Article 30 UK GDPR requirement to maintain records of processing activities will be removed.
- Legitimate interests – DPDI will introduce a limited set of circumstances in which businesses/organisations can rely upon legitimate interests as a lawful means for processing personal data without applying the ‘balancing test’ (the balancing of legitimate interests against the fundamental rights and freedoms of individuals), and without resorting to consent. The current list is largely limited to processing activities that are carried out for important reasons of public interest; however, the Bill grants the Secretary of State powers to add categories to the list.
- Research and anonymous data – given that anonymised personal data does not fall within the scope of the UK’s data protection regime, DPDI clarifies the test for anonymisation, along with the definition of research.
- Data Subject Access Requests (DSARs) – DPDI aligns the threshold at which businesses may refuse to act on a DSAR (or charge a reasonable fee for doing so) with the Freedom of Information regime: the current ‘manifestly unfounded or excessive’ test becomes ‘vexatious or excessive’. This may be welcome to businesses; however, some will likely be disappointed that the costs cap for responding to DSARs has been dispensed with.
- Automated decision making and special category personal data – the general prohibition on automated decision making in relation to special category data has been removed and replaced with sets of specific conditions and safeguards.
- ICO fines – ICO fines under the Privacy and Electronic Communications Regulations (PECR) are brought in line with GDPR, to increase the penalties for nuisance calls and marketing.
- Cookies – DPDI amends PECR and removes the requirement for cookie consent when using analytics.
In light of the reforms, and given the flexible and risk-based approaches entailed in the Bill, businesses would be well advised to review their data protection risk management systems and procedures in the run-up to the enactment of DPDI, and to ensure that the requisite changes to systems, procedures and policies are in place before the end of any transition period to the new regime.
DCMS has indicated that it has briefed and updated the EU Commission regarding the Bill, with a view to providing assurance that retaining EU adequacy is important to the government.
However, whether or not the EU Commission’s adequacy decision in respect of the UK may be threatened by the proposed reforms remains to be seen, and any barriers to the flow of data between the UK and EU arising from the reforms will, of course, be unwelcome.
The ICO has the power to penalise organisations that do not adhere to the GDPR and fines can be substantial. If you require guidance regarding the management of your organisation’s personal data or need help with any other data protection matter, please contact Harrison Drury’s regulatory team on 01772 258321.