The initial Data Protection and Digital Information Bill (formerly known as the Data Reform Bill) was passed in July 2022. As the UK doesn’t legally have to follow GDPR (General Data Protection Regulation) laws post-Brexit, this new data protection bill intends to cover how digital information should be managed and provides updates to the UK’s data protection regime.
The Data Protection and Digital Information Bill (No. 2) (or simply, DPDI Bill 2) is similar to the first Bill. It covers data protection legislation, reforms to the Information Commissioner's Office (ICO), digital verification and smart data schemes.
We examine the key areas of the Bill to guide you in determining the necessary steps to prepare your business for these upcoming legal changes.
What is the Data Protection and Digital Information (No. 2) Bill?
The Data Protection and Digital Information Bill (No. 2) is currently progressing through the parliamentary process. The Bill has been designed to navigate a digital world post-Brexit for UK businesses.
Michelle Donelan, the Secretary of State for Science, Innovation, and Technology, said the goal is to “simplify the legal framework”. She said it should be "easier to understand, easier to comply with, and [allow businesses to] take advantage of the many opportunities of post-Brexit Britain."
Framed as a "common-sense-led UK version of the European Union’s GDPR," the Bill aims to streamline data protection law compliance for UK businesses and charities. This includes eliminating barriers to international trade that could potentially unlock £4.7 billion for the UK economy over the next decade. However, it remains to be seen whether this will be the case.
The importance of the Data Protection and Digital Information (No. 2) Bill was highlighted in the King’s Speech in November 2023, cementing the Bill's status as a governmental priority for the upcoming year.
How will the Bill impact data protection legislation in the UK?
The 2023 Bill doesn't introduce a radical overhaul of data protection but aims to simplify compliance for UK businesses. Amendments include updates to the definitions of personal data, purpose limitation and recognised legitimate interests.
There are notable changes, particularly in areas like legitimate interest, processing of personal data, record-keeping, scientific research and international data transfers. However, the overarching objective remains to reduce the administrative burden on UK businesses.
What are the ICO reforms?
The ICO (Information Commissioner’s Office) is an independent UK body created to uphold information rights. Under the new Bill, the structure of the ICO will change: it will be replaced with a body corporate named the Information Commission.
Reflecting the structure of the Financial Conduct Authority (FCA), the Information Commission comprises non-executive and executive members, with non-executive members playing a more substantial role and possessing enhanced enforcement powers, including the ability to request specific documents.
A notable shift is the Information Commission's authority to request interviews with individuals, a power previously unavailable. These reforms aim to instil confidence in data protection laws, fostering trust in the regulator's fairness and independence.
What is digital verification?
Digital verification, currently unregulated for UK businesses, takes centre stage in the Bill. The legislation proposes a regulatory framework facilitating secure and easy verification of individual identities.
Additionally, public authorities would be permitted to disclose personal data to trusted digital identity providers for identification and verification purposes, addressing a critical aspect of contemporary data usage.
Smart data schemes
Smart data schemes, described simply as "the secure and consented sharing of customer data with authorised third-party providers," are also integral to the Bill. These schemes enable secure data sharing, driven by customer requests, with authorised third-party providers offering tailored services to individual customers.
Examples of smart data working well include things like open banking, HIEs (Health Information Exchanges) for healthcare providers and loyalty programme information that gives more personalised, relevant offers.
How will the transfer of data internationally be affected?
Empowering international trade is a major component of the Bill. The government wants to encourage adequacy decisions with countries such as the United States, Singapore and Australia to remove barriers to data flows and allow data-driven businesses to thrive in the UK.
How can we transfer data from the UK?
You don’t need any new arrangements for transfers from the UK to the EEA. However, you should update your documentation and privacy notice to expressly cover these transfers. If you transfer personal data outside the EEA now, you should already have arrangements for making a restricted transfer under the UK GDPR.
What about transfers from the EEA into the UK?
Data can still flow freely from the EEA unless you are processing or holding data transferred for immigration control.
How can you prepare your business?
As the Bill navigates through the parliamentary report stage, businesses must remain vigilant, continuing compliance with the existing UK GDPR. For businesses operating in both the EU and the UK, a strategic decision lies ahead – whether to separate UK operations from EU GDPR-aligned processes to leverage flexibility or maintain the status quo.
You will need to assess the cost-effectiveness of such a separation in the long term, weighing the benefits of reduced compliance burdens against the complexities of a dual-system approach. Importantly, adherence to current GDPR laws ensures businesses are well-positioned for compliance with the forthcoming Bill.
Keeping abreast of changes to the Data Protection and Digital Information (No. 2) Bill and monitoring its progress through Parliament is advisable for businesses seeking to stay ahead of the legal curve.
Get legal assistance from LawBite
The Data Protection and Digital Information (No. 2) Bill marks a significant stride in the UK's data protection landscape. As we navigate these legislative waters, staying informed and proactive remains the key to ensuring your business is not only compliant but also well-positioned for success in the evolving digital age. The Bill will continue to move through Parliament and we’ll continue to share updates on what this means for complying with data protection laws in the UK.
What we can see so far is that if you’re strict on following GDPR laws and take your digital data protection seriously, you’ll more than likely be covered under the Data Protection and Digital Information Bill. The Bill intends to ease some of the burden of current legislation, so if you’re already confident in your compliance, it’s unlikely you have anything to worry about.
Whether you’re assessing your GDPR compliance or looking to the future around how you manage your digital information after the Bill has passed, we can help. Book in for a 15-minute consultation call with an expert GDPR and data protection lawyer or call us on 020 3808 8314.