The Data Protection and Digital Information Bill (No. 2) (DPDI) Everything we know so far

Looking for advice?

The Data Protection and Digital Information Bill (No. 2) (DPDI) is set to be the beginning of UK GDPR’s divergence from EU GDPR, on which it is presently modelled. The Bill is currently making its way through the Houses and is expected to be brought into law by the middle of 2024, according to James Snook of the Department for Science, Innovation and Technology. 

The purpose of the Bill is to change aspects of current UK legislation to make data compliance less of an obstacle for UK businesses while ensuring that high standards of data protection remain. Below is a breakdown of all the changes proposed by the Bill and what areas of current UK legislation they aim to amend.

Comparing the previous bill to the new version

Accountability and compliance obligations

Those already familiar with UK GDPR will know that accountability is a core data protection principle. The DPDI proposes significant changes to key aspects of the accountability principle, mainly the role of the Data Protection Officer and the records kept by an organisation. 

The new risk-based approach

The Bill proposes various changes that would lead UK GDPR away from current accountability obligations to a new, risk-based system of accountability. A detailed breakdown of these changes can be found below. The government proposes that this risk-based approach will be more flexible and less bureaucratic, which is in line with the government’s desire to reform data compliance away from being a ‘box-ticking’ exercise. 

When considering how an organisation will implement effective measures, the risk-based approach means that organisations should consider the volume and sensitivity of personal data that they process. Key elements at the core of its accountability include:

  • Leadership and oversight
  • Risk assessment
  • Policies and processes
  • Transparency
  • Training and awareness of staff
  • Monitoring, evaluation, and improvement

Replacement of Data Protection Officers (DPOs) by ‘Senior Responsible Individuals’ (SRIs)

Current position of UK GDPR

Article 37-39

The controller must designate a DPO when it is a public body or is a private organisation that undertakes processing which would require regular and systematic monitoring on a large scale. Other organisations could still choose to implement a DPO as good practice.

A DPO is required to have ’expert knowledge of data protection law and practice’ and must be involved in all issues relating to the protection of personal data.

The DPO must be independent but supported in their tasks by the organisation, reporting directly to the highest management level.  A list of relevant tasks is provided under Article 39.

Change proposed by DPDI

Clause 15

Removes the requirement to designate a DPO and replaces it with the need to designate an SRI. 

An SRI must be appointed in a public body, but a mandatory SRI would only be required in a private organisation if the processing ‘is likely to result in a high risk to the rights and freedoms of individuals…,’ ‘taking into account the nature, scope, context, and purposes of the processing’.

The sole requirement for appointing an SRI is that they are a person who is part of ‘senior management’. In broad terms, the SRI shares many of the same responsibilities of the DPO, though these responsibilities differ depending on whether the organisation is a data controller or processor.

The SRI must either perform the tasks or take responsibility for them being performed by another person. In the case that these tasks could cause a conflict of interest, they must be undertaken by another person.

Our Analysis

The requirement of the SRI’s position may be intended to make data protection compliance seen as less of an obstacle by having them as part of the decision-making process, though it does raise concerns with their ability to operate independently.

The requirement to delegate tasks where a conflict of interest may arise does ease some concerns in this regard. Moreover, the ability to delegate the tasks of the SRI to another person is helpful to those organisations who require one, as the pool of individuals who could be appointed an SRI is likely to be limited.

If your organisation requires support in this area, DPAS can offer assistance. Find out more here.

Replacement of Data Protection Impact Assessments (DPIAs)

Current position of UK GDPR

Articles 35 & 36

An organisation must undertake a DPIA if they are processing data that is likely to result in a high risk to individuals. 

The DPIA must:

  • Describe the nature, scope, context, and purposes of the processing;
  • Assess necessity, proportionality, and compliance measures;
  • Identify and assess risks to individuals; and
  • Identify any additional measures to mitigate those risks.

When assessing risk level, a high risk is something that could result in a high possibility of some harm or low possibility of serious harm. Any high risk that cannot be mitigated must go through consultation with the ICO prior to processing. 

Change proposed by DPDI

Clause 16

Removes the requirement to undertake a DPIA.

Organisations will still be required to identify and manage risks but will have more flexibility to do so. At minimum written records will need to include:

  • A summary of the purpose of processing;
  • An assessment of necessity only;
  • An assessment of the risks to individuals;
  • A description of how the controller proposes to mitigate those risks.

The test for assessing risk remains the same.

Clause 19

Removes the requirement to notify the ICO of high-risk processing that cannot be mitigated.

Our Analysis

This can be seen as a positive change for organisations that use well-established risk assessments as this can be used to streamline the process. 

There is no need for organisations to divert from maintaining their DPIA if they wish to keep a more detailed assessment of their data protection activities. Those organisations needing to comply with EU GDPR must still maintain a DPIA for those operations.

Overall, these changes will reduce the administrative burden of maintaining compliance for UK operations.

Replacement of Record of Processing Activities (ROPAs)

Current position of UK GDPR

Article 30

Controllers and processors are required to keep records of their data processing activities.

Businesses with under 250 employees are exempt from this requirement unless the processing is:

  • Likely to result in a risk to the rights and freedoms of data subjects;
  • Not occasional, or
  • Includes special categories of personal data or criminal conviction and offence data.

Organisations are required to record, as a minimum:

  • The organisation’s name and contact details, whether it is a controller or a processor;
  • The purposes of the processing;
  • A description of the categories of individuals and of personal data;
  • The categories of recipients of personal data;
  • Details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
  • Retention schedules; and
  • A description of the technical and organisational security measures in place.

Change proposed by DPDI

Clause 16

The Bill encourages a more flexible approach towards processing activities (ROPAs). In instances where high-risk processing is undertaken, a Record of Processing of Personal Data should be maintained.

‘Appropriate’ records should record, at a minimum:

  • The location of the data;
  • The purpose of the processing;
  • The categories of personal data;
  • Retention period;
  • Any special categories of personal data.

In deciding what ‘appropriate’ records to keep, organisations should use the following principles:

  • The nature, scope context and purposes of processing;
  • The risks for the rights and freedoms of individuals, including the likelihood of risks arising and their severity;
  • The resources available to the organisation. 

Our Analysis

Article 30 reports can be time-consuming to complete and keeping them up to date can be challenging when organisations have competing interests and a strain on their resources. Such organisations will likely welcome the more flexible approach taken here. 

However, ROPAs are excellent for the worst-case scenario when a company comes under scrutiny from the ICO. In these situations, an organisation must be able to explain the data it holds, where it is used and who it is shared with which the new report does not fully cover.

ROPAs provide further organisational benefits by allowing organisations to establish precisely what they are doing with personal data and where. This allows for more effective working relationships with other organisations and transparency for customers. As such some organisations may choose to continue the practice of keeping a ROPA.

For those who need assistance with their accountability frameworks, DPAS can help.

Removal of requirement for UK Representative

Current position of UK GDPR

Article 27

Organisations that operate in the UK are bound by UK GDPR and require a UK representative if they process personal data in relation to the provision of goods or services.

This representative may be a ‘natural or legal person’ and serves as the contact for data subjects and the ICO in the UK. This representative is separate from the obligations concerning the DPO. The two individuals cannot be the same.

Change proposed by DPDI

Clause 14

Removes the entirety of Article 27.

Our Analysis

This aligns with the government’s goal of removing the administrative ‘red tape’ imposed by UK GDPR currently. 

Will only impact those organisations not based in the UK.

Organisations based outside the UK will still need to respond to UK data subject right requests.

Responding to Subject Access Requests (SARs)

The Bill makes a couple of small changes aimed at bringing existing guidance into law to clear up confusion, while expanding the scope for organisations to refuse SARs that are deemed ‘vexatious’.

Current position of UK GDPR

Article 12 (s. 5)

Information provided to data subjects under Articles 13 and 14 are to be provided free of charge. Where requests from data subjects are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

a) Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

b) Refuse to act on the request.

The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

Change proposed by DPDI

Clause 8

This changes the ‘manifestly unfounded or excessive’ aspect of Article 12 to ‘vexatious or excessive’. 

Clause 9 

Addresses the grace period for an organisation to respond to a SAR. While verifying the identity of the person making the request that the organisation has reasonable doubts about, the ‘clock’ is paused while their identity is verified.

Our Analysis

These changes largely echo existing ICO guidance in this area, serving to bring the guidance into law.

This is a welcome change, particularly for organisations that receive SARs aimed at pre-litigation disclosure, such as employment tribunals, or from individuals aiming to be a nuisance by causing administrative headaches.

The grace period was a source of confusion for some organisations, having it explicitly stated in the legislation provides clarity. This grace period is not an extension of time organisations have to respond to these quests. If your organisation requires assistance in this area, DPAS can offer support.

Organisations based outside the UK will still need to respond to UK data subject right requests.

Want to learn how the proposed changes will impact you?

Legitimate Interests

The Bill proposes some modest reforms to the lawful bases under Article 6 of UK GDPR.

Recognised Legitimate Interests (RLIs) – A new lawful basis

Current position of UK GDPR

Article 6(f)

The UK GDPR sets out six lawful bases for justifying the processing of personal data, the sixth of which is legitimate interests.

In order to rely on legitimate interests as a lawful basis for processing, the controller must:

  • Identify a legitimate interest;
  • Show that the processing is necessary to achieve it;
  • Balance it against the individual’s interests, rights, and freedoms; particular weight must be given to protecting children’s data.

Change proposed by DPDI

Clause 5

Proposes a prescribed list of activities for which the legitimate interests balancing test would no longer be required. These would be known as RLIs.

Schedule 1

This contains an extensive list of RLIs and when they would apply to processing. They can be briefly surmised as being necessary for:

  • National security, public security, and defence;
  • Responding to emergencies;
  • Detecting, investigating, or preventing crime, and apprehending or prosecuting offenders;
  • Safeguarding vulnerable individuals;
  • Participating in democratic engagement;
  • Disclosures of personal data for the purposes of a task carried out in the public interest

Our Analysis

This change means that in certain circumstances organisations will not have to conduct a legitimate interests assessment before relying on Article 6(1)(ea) as a lawful basis. It is likely to be most beneficial for non-commercial or third-sector organisations, particularly those working with the public sector.

Public bodies cannot rely on RLIs in the performance of their tasks. 

Organisations will still need to have processes and procedures that demonstrate their accountability regarding the new provision.

Examples that can be used to rely on legitimate interests

Current position of UK GDPR

Recitals 47-49 GDPR

These recitals were added to highlight certain purposes that ‘should be regarded’ as a legitimate interest:

  • Direct marketing;
  • Making intra-group transmissions of personal data where necessary for internal administrative purposes;
  • Ensuring the security of network and information systems.

For the purposes of direct marketing the right to object is absolute and you must stop processing when someone objects.

Change proposed by DPDI

Clause 5 Article 9

The Bill adds an additional article, listing examples of processing that ‘may’ constitute ‘processing that is necessary for the purposes of a legitimate interest’. These include processing that is necessary for the purposes of:

  • Direct marketing;
  • Ensuring the security of network and information systems;
  • Making intra-group transmissions of personal data where necessary for internal administrative purposes.

Unlike RLIs, these scenarios still require a legitimate interests assessment to be carried out before they can be relied upon as lawful basis.

Our Analysis

The changes proposed by the DPDI mirror those made in Recitals 47-49. This will be helpful as these examples will now be in the body of the legislation which will provide greater clarity for organisations that are looking to rely on a legitimate interest.

The example of direct marketing for legitimate interests represents a major departure for direct marketing, which previously relied on the legal basis of consent. The change means that by processing the data for a third-party marketing purpose, organisations could rely on the ‘opt-out’ model rather than the ‘opt-in’ preferred by GDPR. This in turn could result in an influx of spam marketing which would be legal under the legitimate interests basis.

International Transfers

The Bill reforms the approach to international transfers from a stricter, EU-based approach to a more risk-based approach.

Reforms to support international transfers of personal data

Current position of UK GDPR

Article 73-76

Personal data can be transferred from the UK using tools or mechanisms similar to those under EU GDPR:

  • Adequacy: transfers can be made freely to any country that is “adequate” for UK purposes. This includes any country in the EEA or countries that have agreed adequacy with the EU.
  • Appropriate safeguards: Such as standard contractual clauses (SCCs) under a relevant EU decision.
    – Alternatively, transfers can be legitimized using a UK international data transfer agreement (IDTA).
    – SCCs alone are not sufficient.
  • Special circumstances: Where the transfer is necessary to protect specific public interests. Must be approved by the Commissioner on request.

Change proposed by DPDI

Clause 23, Schedules 5-7

The Bill clarifies that international transfers taking place before the new law comes into force remain lawful; any alternations to the rules do not apply retrospectively.

Significant changes have been made to the role and powers of the Secretary of State, such as:

  • Wider discretion in deciding whether to make an adequacy regulation;
  • Removed requirement of reviewing adequacy regulations every four years;
  • Power to present legislation, or pass temporary legislation, placing restrictions on certain categories of personal data being transferred for importance reasons of public interest;
  • Power to present legislation to approve new safeguards under Article 46 of the UK GDPR.

A new data protection test is introduced for when a new adequacy decision needs to be made. This test is a departure from the EU’s restrictive approach and instead requires a country, or international organisation, to have data protection not ‘materially lower’ than the UK’s. Factors that are considered are:

  • Respect for the rule of law and human rights;
  • The existence and powers of an authority responsible for enforcing the rights of data subjects against it;
  • Its rules about onward transfer of data;
  • Its relevant international obligations;
  • Its constitution, traditions, and culture.

Our Analysis

The Bill stating that previous lawful transfers will remain lawful is a relief for organisations as they will not have to scramble to update existing agreements. DPAS can help with both data transfer agreements and contractual clauses.

The approach of a risk-based assessment echoes previous guidance issued by the ICO in 2022 as the UK looks to diverge from the EU approach.

There is some concern that the UK approach being ‘not materially lower’ than the equivalent approach that the EU takes could put the UK’s adequacy status in jeopardy, however both the ICO and government have affirmed their belief that this will not adversely affect the UK’s adequacy status.

Need further advice on the proposed changes to the dpdi Bill?

PECR 2003 (reforms to cookies, marketing, nuisance calls and enforcement)

The Bill proposes a series of changes for PECR, dealing with cookie fatigue, direct marketing and bringing enforcement in line with punitive measures similar to that available under GDPR.

Removal of cookie banners

Current position of UK GDPR

Regulation 6

All cookies must explicitly state their purpose and be positively affirmed to by the user before they can be placed. There are some exemptions:

  • For the sole purpose of transmitting a communication over an electronic communications network;
  • Where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Compliance with PECR 2003 is usually achieved through a consent request mechanism, typically a pop-up window or a banner, which provides the information for the purpose of the cookies and allows the user to accept or decline their placement.

Change proposed by DPDI

Clause 83 

Proposes removing the requirement for positively affirmed user consent in specified scenarios where the cookies are considered low risk. Low risk cookies are those that solely:

  • Collect analytics to measure and improve website performance;
  • Remember user preferences when accessing the website;
  • Are necessary for security.

It is still compulsory to provide users with the ability to easily opt-out. 

Our Analysis

This is a small change that is not unlikely to have much impact in reducing cookie fatigue and is unlikely to change cookie banners at this time.

It has been labelled as the groundwork for further work to come on reforming cookies in the UK though significant change is unlikely to materialise until technology to support browser-based opt-outs is released. 

It is also important to remember that this would only apply to the UK, notification and affirmed consent to these specific cookies would still be required for someone accessing the website outside the UK.

Direct Marketing

Current position of UK GDPR

Regulation 22

PECR 2003 permits the marketing of similar services/goods to existing contacts via email, known as the ‘soft opt-in’.

For a ‘soft opt-in’ to apply, the following conditions must be met:

  • The contact details of the recipient were obtained in the course of the sale (or negotiations for the sale) of a product or service to the recipient;
  • The proposed marketing is in respect of similar products and services only;
  • The recipient has been given a simple means of opting out both at the time the details were collected and at the time of each subsequent communication.

Change proposed by DPDI

Clauses 85-86

These clauses propose to:

  • Extend the ability to rely on ‘soft opt-in’ to non-commercial organisations such as charities;
  • Grant powers to the Secretary of State to make secondary legislation reforming this area in the future.

The recipient must be provided a simple means of opting out of contact both initially and at each time of subsequent communication. 

Clause 89

Proposes allowing the Information Commission (IC) to base enforcement action on the number of calls generated rather than the number of calls connected.

Our Analysis

The ability for non-commercial organisations to market in this way is a welcome change and will aid the likes of charities in raising funds with the ability to contact previous donors.

The increased number of powers given to the Secretary of State is a concern throughout much of the Bill and this is no different. For further analysis on this see the ICO reforms.

Another welcome change that will mean the IC can more regularly take enforcement action against organisations that make many nuisance calls.


Current position of UK GDPR

Serious breaches of PECR can result in a fine of £500,000, in line with the measures under the Data Protection Act 1998.

Change proposed by DPDI

Proposes changes to:

  • The level of fines for serious breaches are to be increased from £500,000 to GDPR levels (higher of £17.5 million or 4% global turnover);
  • The IC being given powers to serve assessment notices and carry out audits in connection to PECR;
  • The Secretary of State being able to present legislation to Parliament to increase the maximum fines.

Our Analysis

As the ICO in its current form has been prosecuting organisations under breaches of PECR 2003, the increased level of fines will be welcomed so that organisations are not seen to be prosecuted with lesser punitive measures.

Reforms to the Information Commissioner’s Office (ICO)

The Bill brings some key changes to the role of the ICO. The Information Commissioner will be replaced with the Information Commission (IC), a supervisory body rather than an individual. The changes would bring the IC in line with other regulatory bodies such as Ofcom, while reforming the organisation’s current enforcement powers. There are some concerns that this area of the proposed reforms reduces the independence of the ICO, or as it would be known, the IC.

Name and Structure

Current position of UK GDPR

The ICO is a non-governmental body that offers guidance, rulings, and appropriate action in relation to information rights.

It is supervised by a management board who work with the Information Commissioner, a role appointed by the crown, reporting to Parliament.

Change proposed by DPDI

Clauses 107-109

Proposes changing the ICO from a ‘corporation sole’ to a ‘body corporate’, introducing a board, a chair, chief executive, and a change in name to the IC.

Functions of the ICO will pass to the IC and remain mostly unchanged.

Our Analysis

This brings the ICO in line with other regulatory bodies.

Objectives of the IC

Current position of UK GDPR

The ICO’s remit consists of:

  • Helping the public;
  • Providing advice for organisations;
  • Enforcing the law;
  • Regulating the UK GDPR and Data Protection Act 2018.


Change proposed by DPDI

Clause 30

Introduces a new statutory framework of objectives:

  • A new ‘principal objective’ to secure appropriate levels of protection for personal data and to promote public trust and confidence in data use;
  • A set of secondary duties to consider the impact on innovation, competition, prevention of and dealing with criminal offences, and safeguarding public and national security

Clause 31

The Secretary of State can set the priorities of the IC, though these priorities are not legally enforceable and must be presented before Parliament.

Our Analysis

The expansion of the IC’s duties to include considering the impact on innovation and competition echoes the government’s desire for the UK to be at the forefront of innovation in data usage.

There are concerns that this level of government involvement with the IC will threaten its stance as an independent regulator, which in turn would be a threat to the UK’s position of adequacy with the EU.

The ICO has issued a statement in which it claims that these reforms are not likely to result a change in EU adequacy.

Increased powers of the Secretary of State and greater involvement with the IC further undermines the independence of the regulatory body.


Current position of UK GDPR

The ICO is able to take the following actions:

  • Conduct assessments to check organisations are complying with the relevant statutory instrument;
  • Serve information notices requiring organisations to provide the ICO with specified information within a certain time period;
  • Issues undertakings committing an authority to a particular course of action to improve its compliance;
  • Serve enforcement notices where there has been a breach requiring organisations to take specified steps to ensure compliance;
  • Issue recommendations specifying steps the organisation should take to comply;
  • Issue decision notices detailing the outcomes of ICO investigations to the public;
  • Prosecute those who commit criminal offences under the relevant statutory instruments.

For breaches of the DPA 2018, the ICO can issue fines of up to 4% of global turnover or £17.5 million, whichever is higher.

For breaches under PECR 2003, the ICO are able to issue fines of up to £500,000.

Change proposed by DPDI

Clause 90

Proposes changes to:

  • The level of fines for serious breaches are to be increased from £500,000 to GDPR levels (higher of £17.5 million or 4% global turnover);
  • The IC being given powers to serve assessment notices and carry out audits in connection to PECR;
  • The Secretary of State being able to present legislation to Parliament to increase the maximum fines.

Clauses 35 & 42

The IC will be allowed to decide how and when it investigates complaints, though it must produce guidance about how its discretion is to be exercised.

Clauses 36-40

The Bill proposes new enforcement tools:

  • Requiring organisations to commission technical reports of an ‘approved person’ in relation to their data use;
  • Compel witnesses to attend interviews and answer questions, where the IC ‘suspects’ there has been a breach of the UK GDPR or DPA 2018;
  • Under certain circumstances issue penalty notices beyond the usual six-month deadline following a notice of intent, where it is not reasonable for the second note to be served within six months.

Our Analysis

As the ICO in its current form has been prosecuting organisations under breaches of PECR 2003, the increased level of fines will be welcomed so that organisations are not seen to be prosecuted with lesser punitive measures.

The ICO already gives direction for how a complaint can be made, this change codifies that guidance.

Clause 36 clarifies that this power to request information does extend to requesting documents.

 Overall, these changes are unlikely to affect most organisations. Keeping up to date and thorough documentation to present to the IC would continue to be best practice should an organisation be investigated for non-compliance. 

Want to learn how these proposed changes will impact your business?

Research Sector

When circulating the Bill, the government raised concerns that the laws around the use of personal data for research purposes were too complex and were spread across different pieces of legislation. The aim of this part of the Bill is to clear up that confusion and provide greater certainty about processing personal data for the purpose of research.


Current position of UK GDPR

Research was not defined in the UK GDPR, but are addressed by recitals:

Recital 159

Introduces the idea of ‘scientific research’. No definition is provided, and the recital encourages this to be interpreted broadly. A list of examples is provided:

  • Technological development and demonstration;
  • Fundamental research;
  • Applied research and privately funded research;
  • Studies conducted in the public interest or in the area of public health.

Recital 160

No definition but stated to include genealogic research.

Change proposed by DPDI

Clause 2

Creates definitions for types of research:

Scientific research includes:

  • Any research that can be reasonably be described as scientific, with some exceptions;
  • Research into public health where this can reasonably be described as scientific, but only where that research is in the public interest;
  • Research carried out for commercial or non-commercial purposes.

Historical research includes genealogical research.

Our Analysis

The amended definition for scientific research in particular is a welcome change and moving them to the operative text of the legislation provides greater clarity for organisations wishing to use research for commercial purposes.

Further processing

Current position of UK GDPR

Article 13(3)

Where the controller intends to further process the personal data for a purpose other than that for which the personal data was collected, the controller shall provide the data information on the other purpose and any relevant further information. 

Recital 33

Acknowledges that it is often not possible to fully identify scientific research purposes at the time of data collection and states that data subjects should be allowed to give a broader effective consent.

Change proposed by DPDI

Clause 3

Personal data can be further processed (by deeming consent) for a scientific research purpose that differs from the original purpose. The relevant organisation does not need to be informed up-front, in certain circumstances:

  • The only reason there is not explicit consent is due to the definition of scientific research;
  • It was not possible for the organisation to provide the up-front information;
  • Seeking consent to the research is consistent with generally recognised ethical standards relevant in that area of research;
  • As far as possible, the data subject has opportunity to consent to processing for only a portion of the research.

Our Analysis

This further clarifies the confusion around consent that data subjects can give and is likely to be welcomed by those working in this field.

Automated Decision-Making (ADM) and Profiling

As previously mentioned, the UK government has stated its desire to take a flexible approach to the innovation and development of new technology, particularly concerning AI. The previous legislation gave data subjects the right to not be subjected to processing by non-human means, however this area has been changed by the Bill to allow for a greater range of processing by AI.


Current position of UK GDPR

Article 22

Data subjects have a right not to be subject to solely automated decision-making except in specific circumstances.  

Solely automated decision-making is allowable where it is:

  • Based on consent;
  • Necessary because of a contract between data subject and controller;
  • Specifically approved by domestic laws which also provide for safeguarding measures to be applied.

Appropriate safeguarding measures must be implemented in all circumstances.

Change proposed by DPDI

Clause 12

Defines ADM as the processing of data where there is no meaningful human involvement in the taking of a significant decision.

Profiling alone does not count as ADM, but the extent to which the decision reached used ADM will determine the level of meaningful human involvement.

Widens the scope for solely automated decision-making. Rather than being restricted, ADM would be allowed by default and would only be restricted when:

  • Special category data is involved;
  • The lawful basis relied upon is one of the new RLIs.  

Decisions which include the use of special category data and use ADM will still be restricted, but would be permissible where it is necessary:

  • To enter into or perform a contract between controller and data subject, or is required or authorised by law;
  • For reasons of substantial public interest.

An enhanced list of safeguards is present under Clause 12, the most notable of which are those that allow people to contest to the decision, after it has been made, and to request human intervention.

Our Analysis

This is a notable divergence from the EU GDPR’s position on ADM.

There are concerns that this approach will impact on the rights of data subjects, although it has more explicitly stated safeguards then were previously available under Article 2. The onus will be on organisations to ensure these safeguards are in place.

Further Processing

There is little change to further processing, though the changes here clarify some scenarios where factors listed under Article 6(4) of the UK GDPR would not need to be considered when making the decision to use personal data for a new purpose.

Data being ‘re-used’ for a new purpose

Current position of UK GDPR

Article 6(4)

Data can be re-used for a new purpose when certain factors are considered:

  • If there is any link between the original and new purpose;
  • The context of the personal data’s collection;
  • The nature of the personal data;
  • Possible consequences for the data subject when processing the data for the new purpose;
  • The existence of appropriate safeguards.

Article 5(1)

Further processing for the following purposes should be considered compatible lawful processing operations:

  • Archiving purposes in the public interest;
  • Scientific research purposes; and
  • Statistical purposes

Change proposed by DPDI

Clause 6

The Bill retains the provisions under the UK GDPR of the factors that must be considered when processing data for a new purpose.

Some scenarios are pre-approved as compatible, meaning the organisations would not need to consider those factors. These scenarios are when the new purpose is for:

  • Protecting public security;
  • Responding to emergences;
  • Detecting, investigating, or preventing crime;
  • Safeguarding vulnerable individuals;
  • Protecting vital interests;
  • Assessing or collecting tax;
  • Complying with a legal obligation;
  • Private organisations undertaking processing after being asked under the ‘public task lawful basis’.

Where the original legal basis for processing was consent, organisations must meet one of the following criteria before being able to continue:

  • The data subject provides consent again, this has to be specifically for the new purpose;
  • The further processing is carried out in order to comply with Article 5(1) of the UK GDPR;
  • The purpose appears on them pre-approved list of compatible purposes and the organisation ‘cannot reasonably be expected to obtain the data subject’s consent’;
  • The purpose falls within narrow exceptions.

Our Analysis

The changes under Clause 6 expand the scope for further processing of personal data and provides clearer guidance for organisations about when they can process data for a compatible purpose.

This area may evolve further through the development of secondary legislation.

Personal Data

Perhaps the area of the Bill that has seen most discussion is the changes made to the definition of personal data. The DPDI proposes to alter the definition in such a way that some kinds of personal data could be excluded from the protections afforded by the UK GDPR.

"Refined" definition of personal data

Current position of UK GDPR

Article 4(1)

Personal data is any information that relates to an identified or identifiable living person.

An identifiable person is one who can be identified, directly or indirectly, by reference to identifiers. 

Some examples of identifiers are given, such as:

  • A name
  • An identification number
  • Location data
  • Physical data
  • Economic data

Change proposed by DPDI

Clause 1

The Bill amends the definition, stating that information being processed is only personal data when:

  • The individual is identifiable by the controller or processor by reasonable means at the time of processing. Or;
  • The controller or processor knows, or ought reasonably to know, that another person will obtain the information and that person, by reasonable means, will be able to identify the individual.


Reasonable means is defined as:

  • The time, effort and costs involved in identification, and;
  • The technology and other resources available to the person.


The Bill adds that an individual can be identified in two ways: directly and indirectly. When processing data, controllers and processors should be aware of:

  • Direct identification: Where an individual can be identified without the use of additional data. 
  • Indirect identification: Where an individual can be identified with only the use of additional information, using reasonable means.

Our Analysis

This change gives more power to the data controller as they are now required to judge whether a third party is likely to obtain the information. Should they judge that it is unlikely, then that data will no longer qualify as personal data. Therefore, that data will have no protections under UK GDPR.

Critics of the Bill believe this to be a fundamental risk to data subject rights. The ICO, in their response to the DPDI, concurs that this would be a privacy risk. In the event that a controller judges that a third party will not see the data but a third party gains access anyway and identifies individuals, then those individuals have no resource under data protection law.

Overall, the Bill is not a significant departure from EU GDPR. How much these changes will affect your organisation will be determined by the scope of your business. SMEs that operate solely within the UK will feel the most benefits of these changes, as their administrative burden has decreased considerably. Larger scale organisations that operate within both the UK and EU will still find that the process has been streamlined for their UK-based operations, though will still need to ensure they comply with the stricter requirements under EU GDPR.

WE WORK WITH FTSE 100s Multi-National Organisations Schools Universities Councils Local Governments Agencies NHS Trusts GP Practices Retailers Charities Multi-Academy Trusts Housing Associations Ambulance Services Insurance Companies Sporting Associations Airports Retail Companies Hospitality Businesses