On 8 March 2023 the UK Government published draft legislation, known as the Data Protection and Digital Information (No.2) Bill ("DPDI Bill"), to amend the UK GDPR. The Government claims that this change will save businesses and charities up to £4.7bn over the next ten years, while also bolstering data protection and privacy.
According to the Government, the DPDI Bill will reduce compliance "paperwork" without impacting data adequacy with the EU or global confidence in the UK. As the UK aims to protect and grow its digital economy, the Government claims that the new legislation will provide businesses with greater flexibility in complying with data laws, while reducing the overall compliance burden. However, please see our concluding comments in relation to this.
The proposed law includes a requirement that only organisations whose processing activities are likely to pose "high risks" to personal rights and freedoms, such as the processing of health data, need to keep processing records, which is a significant change to the current position. It also seeks to allow commercial organisations to benefit from the same freedoms as academics to carry out innovative scientific research, making it easier to reuse data for research purposes.
Additionally, it aims to bolster business confidence about the scenarios in which they can process personal data without consent and increase confidence in AI by clarifying when safeguards apply to automated decision-making.
The draft legislation also includes provisions to increase fines for nuisance calls and texts to up to either 4% of global turnover or £17.5m, reduce the number of cookie consent pop-ups people see online, and introduce a new framework for optional digital identity verification. Furthermore, the Information Commissioner's Office (ICO) will be strengthened by creating a new statutory Board for the regulator. Much of this was already seen in version 1 of the Bill, published in 2022. However, it will be interesting to see which provisions have changed, and to what extent, following the Government's consultation period since the postponement of version 1 of the Bill.
Overall, the Government's position on the new legislation is that it aims to strike a balance between protecting citizens' personal data and allowing businesses to operate more efficiently. Its success will depend on its implementation and enforcement, but it is a step towards creating a fluid and agile digital economy that prioritises data protection and privacy.
However, it is important to consider the potential implications for the UK's EU adequacy status. The EU conducts a review of adequacy with the UK every four years, and the UK's reform plans have already faced criticism from members of the European Parliament. The next adequacy decision is due on 27 June 2025. It remains to be seen how the EU will respond to the publication of the DPDI Bill and to the version that may ultimately enter into force in the UK.
Organisations operating globally or at least across the UK and EU will still of course be bound by the EU GDPR, so to the extent there are differences, organisations will need to decide what their baseline standard of compliance is and the differences to be applied (if any) on a regional basis. This strategy setting is something we often assist clients with.
Should you wish to consider your position as the DPDI Bill progresses, determine which laws apply to your data processing, and/or assess your data protection compliance strategy.