8 March 2023 saw the introduction of the Data Protection and Digital Information (No. 2) Bill (DPDI 2) by the newly formed Department for Science, Innovation and Technology. The Bill aims to simplify and update data protection laws in the UK. It was originally introduced in July 2022, only to be withdrawn later for further review, and the second draft makes several changes from its original form. This new draft also contains a number of changes to EU data protection laws – some significant, some minimal.
What are these changes and what do they mean for data protection in the UK? We’ve set out some of the key changes below – and what these may mean for you and your business.
- A more subjective test is proposed for whether an individual is “identifiable” and, therefore, whether data is personal data and within the scope of data processing laws
- Certain types of non-intrusive cookies may now be used without consent, meaning that the pop-up cookies banner may be removed. However, most websites use analytic cookies which will still require consent as before
- The mandatory requirement to have a Data Protection Officer (DPO) has been replaced with a requirement for “senior responsible individuals” which applies to public authorities and organisations engaged in high-risk processing only
- Organisations which are not established in the UK will no longer need to appoint a UK representative
- For certain activities, no balancing test between the data controller’s legitimate interests and the rights and interests of the data subject will be required to assess whether the activity is of legitimate interest. This will reduce the time organisations will need to take in assessing whether processing of personal data is permitted on this basis
- Only organisations whose data processing activities are classed as “high risk”, e.g., processing health data, will be required to keep processing records. Previously, this exemption applied only to organisations with fewer than 250 employees
- Restrictions on when decisions can be made based solely on automated decision making will only apply when a significant decision is made without meaningful human involvement. This may allow businesses to increase automated processing
- The reforms intend to make it easier for businesses, as well as academic institutions, to process personal data for research purposes. New wording clarifies that this applies only to scientific research, which is defined as activities which can “reasonably be described as scientific in nature”.
What does this mean for your business?
The good news for businesses is that if your organisation already complies with GDPR, it is unlikely that any significant changes will be needed to your processes. UK businesses with operations within the EU will need to continue to comply with the EU’s GDPR.
Businesses which transfer personal data internationally will not have to make any changes and existing compliant transfer mechanisms can continue to be used. If DPDI 2 comes into force, international data transfers will need to be considered against the new test.
What happens next?
Following the UK’s departure from the EU, national data protection legislation has been very closely aligned to the EU’s GDPR. This assisted the UK in obtaining an adequacy decision which has meant that personal data has continued to move freely between the EU and the UK post-Brexit.
These changes indicate some divergence from the EU’s gold standard of data protection. This creates a risk that the EU will find the UK’s data protection regime lacking and decline to grant a future adequacy decision, which will make the sharing of personal data with the EU much more complex. The adequacy decision is to be reviewed every four years and is next due for review on 27 June 2025. Some MEPs have already criticised the proposed reforms.
The new Bill is still in the infant stages of legislation – the date for its second reading in the House of Commons is yet to be announced. For all businesses, this will be an interesting regulation to look out for as it takes form more fully in the upcoming months.