21 May 2023
On March 8th, 2023, the UK Secretary of State for Science, Innovation and Technology, Michelle Donelan, re-introduced the Data Protection and Digital Information (No. 2) Bill to the UK Parliament. The first version of the reform bill was originally proposed by the UK government in July 2022, but was put on pause during September 2022.
According to the press release of the Department for Science, Innovation and Technology, the improved Bill will “introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws”. The Bill will also “ensure [the] new regime maintains data adequacy with the EU”, and “reduce the amount of paperwork organisations need to complete to demonstrate compliance”.
The objective of the said Bill is to “enable organisations to grow and innovate whilst maintaining high standards of data protection rights”, as John Edwards, UK Information Commissioner, said. Furthermore, as per the press release, the UK version of the EU’s GDPR aims to reduce costs and burdens for British businesses and charities and remove barriers to international trade.
The data protection legislation amended by this Bill applies to data controllers and data processors established in the UK, and to those processing on their behalf; it also has some extra-territorial application to certain processing of personal data by controllers and processors established in third countries.
Some of the key takeaways from the Bill include:
- the addition of a non-exhaustive list of activities which may be considered “legitimate interests”
- increased fines for nuisance calls and texts, to be up to 4% of global turnover or £17.5 million, whichever is greater
- the abolition of the traditional role of a data protection officer in favour of a senior responsible individual (“SRI”)
- a reduction in the number of consent pop-ups, which allow websites to collect data about an individual’s visit
- the establishment of trusted and secure digital verification services, which allow people to prove their identity digitally if they choose to do so
- maintaining records of processing only when an organisation’s processing operations are likely to pose high risks to individuals’ rights and freedoms, e.g. where organisations are processing large volumes of sensitive data about people’s health
- strengthening the Information Commissioner’s Office (ICO) through the creation of a statutory board with a chair and chief executive, so it can remain a world-leading, independent data regulator and better support organisations in complying with data regulation
Regarding international data flows, the updated Bill permits the use of existing international data transfer mechanisms to share personal data overseas; these mechanisms will continue to be valid under the new regime, provided they are already compliant with current UK data laws.
The Bill is currently at the Committee stage, where detailed examination of the Bill takes place.
Privacy Minders is well-equipped to support your organisation in achieving uniform compliance with both the UK GDPR and the EU GDPR.