The Data Protection and Digital Information Bill (No. 2) (DPDI): Everything we know so far


The Data Protection and Digital Information Bill (No. 2) (DPDI) is set to be the beginning of UK GDPR’s divergence from EU GDPR, on which it is presently modelled. The Bill is currently making its way through the Houses and is expected to be brought into law by the middle of 2024, according to James Snook of the Department for Science, Innovation and Technology. 

The purpose of the Bill is to change aspects of current UK legislation to make data compliance less of an obstacle for UK businesses while ensuring that high standards of data protection remain. Below is a breakdown of all the changes proposed by the Bill and what areas of current UK legislation they aim to amend.

Comparing the previous bill to the new version

Accountability and compliance obligations

Those already familiar with UK GDPR will know that accountability is a core data protection principle. The DPDI proposes significant changes to key aspects of the accountability principle, mainly the role of the Data Protection Officer and the records kept by an organisation. 

The new risk-based approach

The Bill proposes various changes that would lead UK GDPR away from current accountability obligations to a new, risk-based system of accountability. A detailed breakdown of these changes can be found below. The government proposes that this risk-based approach will be more flexible and less bureaucratic, which is in line with the government’s desire to reform data compliance away from being a ‘box-ticking’ exercise. 

When considering how an organisation will implement effective measures, the risk-based approach means that organisations should consider the volume and sensitivity of the personal data that they process. Key elements at the core of this accountability framework include:

  • Leadership and oversight
  • Risk assessment
  • Policies and processes
  • Transparency
  • Training and awareness of staff
  • Monitoring, evaluation, and improvement

Replacement of Data Protection Officers (DPOs) by ‘Senior Responsible Individuals’ (SRIs)

Current position of UK GDPR

Article 37-39

The controller must designate a DPO when it is a public body or is a private organisation that undertakes processing which would require regular and systematic monitoring on a large scale. Other organisations could still choose to implement a DPO as good practice.

A DPO is required to have ‘expert knowledge of data protection law and practice’ and must be involved in all issues relating to the protection of personal data.

The DPO must be independent but supported in their tasks by the organisation, reporting directly to the highest management level. A list of relevant tasks is provided under Article 39.

Change proposed by DPDI

Clause 15

Removes the requirement to designate a DPO and replaces it with the need to designate an SRI. 

An SRI must be appointed in a public body, but a mandatory SRI would only be required in a private organisation if the processing ‘is likely to result in a high risk to the rights and freedoms of individuals…,’ ‘taking into account the nature, scope, context, and purposes of the processing’.

The sole requirement for appointing an SRI is that they are a person who is part of ‘senior management’. In broad terms, the SRI shares many of the same responsibilities as the DPO, though these responsibilities differ depending on whether the organisation is a data controller or a processor.

The SRI must either perform the tasks or take responsibility for them being performed by another person. In the case that these tasks could cause a conflict of interest, they must be undertaken by another person.

Our Analysis

The requirement that the SRI be part of senior management may be intended to make data protection compliance seem less of an obstacle by placing the SRI within the decision-making process, though it does raise concerns about their ability to operate independently.

The requirement to delegate tasks where a conflict of interest may arise does ease some concerns in this regard. Moreover, the ability to delegate the tasks of the SRI to another person is helpful to those organisations who require one, as the pool of individuals who could be appointed an SRI is likely to be limited.

If your organisation requires support in this area, DPAS can offer assistance.

Replacement of Data Protection Impact Assessments (DPIAs)

Current position of UK GDPR

Articles 35 & 36

An organisation must undertake a DPIA if they are processing data that is likely to result in a high risk to individuals. 

The DPIA must:

  • Describe the nature, scope, context, and purposes of the processing;
  • Assess necessity, proportionality, and compliance measures;
  • Identify and assess risks to individuals; and
  • Identify any additional measures to mitigate those risks.

When assessing the level of risk, a high risk is one where there is a high likelihood of some harm or a low likelihood of serious harm. Any high risk that cannot be mitigated must go through consultation with the ICO prior to processing.

Change proposed by DPDI

Clause 16

Removes the requirement to undertake a DPIA.

Organisations will still be required to identify and manage risks but will have more flexibility in how they do so. At a minimum, written records will need to include:

  • A summary of the purpose of processing;
  • An assessment of necessity only;
  • An assessment of the risks to individuals;
  • A description of how the controller proposes to mitigate those risks.

The test for assessing risk remains the same.

Clause 19

Removes the requirement to notify the ICO of high-risk processing that cannot be mitigated.

Our Analysis

This can be seen as a positive change for organisations that already use well-established risk assessments, as those assessments can be used to streamline the process.

There is no need for organisations to stop maintaining their DPIAs if they wish to keep a more detailed assessment of their data protection activities. Those organisations that must comply with EU GDPR must still maintain a DPIA for those operations.

Overall, these changes will reduce the administrative burden of maintaining compliance for UK operations.

Replacement of Record of Processing Activities (ROPAs)

Current position of UK GDPR

Article 30

Controllers and processors are required to keep records of their data processing activities.

Businesses with under 250 employees are exempt from this requirement unless the processing:

  • Is likely to result in a risk to the rights and freedoms of data subjects;
  • Is not occasional; or
  • Includes special categories of personal data or criminal conviction and offence data.

Organisations are required to record, as a minimum:

  • The organisation’s name and contact details, whether it is a controller or a processor;
  • The purposes of the processing;
  • A description of the categories of individuals and of personal data;
  • The categories of recipients of personal data;
  • Details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
  • Retention schedules; and
  • A description of the technical and organisational security measures in place.

Change proposed by DPDI

Clause 16

The Bill encourages a more flexible approach towards records of processing activities (ROPAs). In instances where high-risk processing is undertaken, a Record of Processing of Personal Data should be maintained.

‘Appropriate’ records should record, at a minimum:

  • The location of the data;
  • The purpose of the processing;
  • The categories of personal data;
  • Retention period;
  • Any special categories of personal data.

In deciding what ‘appropriate’ records to keep, organisations should use the following principles:

  • The nature, scope, context and purposes of processing;
  • The risks for the rights and freedoms of individuals, including the likelihood of risks arising and their severity;
  • The resources available to the organisation. 

Our Analysis

Article 30 records can be time-consuming to complete, and keeping them up to date can be challenging when organisations have competing interests and a strain on their resources. Such organisations will likely welcome the more flexible approach taken here.

However, ROPAs are excellent for the worst-case scenario, when a company comes under scrutiny from the ICO. In these situations, an organisation must be able to explain the data it holds, where it is used and who it is shared with, which the new record does not fully cover.

ROPAs provide further organisational benefits by allowing organisations to establish precisely what they are doing with personal data and where. This allows for more effective working relationships with other organisations and transparency for customers. As such, some organisations may choose to continue the practice of keeping a ROPA.

For those who need assistance with their accountability frameworks, DPAS can help.

Removal of requirement for UK Representative

Current position of UK GDPR

Article 27

Organisations based outside the UK that operate in the UK are bound by UK GDPR and require a UK representative if they process personal data in relation to the provision of goods or services.

This representative may be a ‘natural or legal person’ and serves as the contact for data subjects and the ICO in the UK. This representative is separate from the obligations concerning the DPO. The two individuals cannot be the same.

Change proposed by DPDI

Clause 14

Removes the entirety of Article 27.

Our Analysis

This aligns with the government’s goal of removing the administrative ‘red tape’ currently imposed by UK GDPR.

This will only impact organisations not based in the UK.

Organisations based outside the UK will still need to respond to UK data subject right requests.

Responding to Subject Access Requests (SARs)

The Bill makes a couple of small changes aimed at bringing existing guidance into law to clear up confusion, while expanding the scope for organisations to refuse SARs that are deemed ‘vexatious’.

Current position of UK GDPR

Article 12(5)

Information provided to data subjects under Articles 13 and 14 is to be provided free of charge. Where requests from data subjects are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

a) Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

b) Refuse to act on the request.

The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

Change proposed by DPDI

Clause 8

This changes the ‘manifestly unfounded or excessive’ aspect of Article 12 to ‘vexatious or excessive’. 

Clause 9 

Addresses the grace period for an organisation to respond to a SAR. Where the organisation has reasonable doubts about the identity of the person making the request, the ‘clock’ is paused while their identity is verified.

Our Analysis

These changes largely echo existing ICO guidance in this area, serving to bring the guidance into law.

This is a welcome change, particularly for organisations that receive SARs aimed at pre-litigation disclosure, such as employment tribunals, or from individuals aiming to be a nuisance by causing administrative headaches.

The grace period was a source of confusion for some organisations; having it explicitly stated in the legislation provides clarity. This grace period is not an extension of the time organisations have to respond to these requests. If your organisation requires assistance in this area, DPAS can offer support.


Legitimate Interests

The Bill proposes some modest reforms to the lawful bases under Article 6 of UK GDPR.

Recognised Legitimate Interests (RLIs) – A new lawful basis

Current position of UK GDPR

Article 6(f)

The UK GDPR sets out six lawful bases for justifying the processing of personal data, the sixth of which is legitimate interests.

In order to rely on legitimate interests as a lawful basis for processing, the controller must:

  • Identify a legitimate interest;
  • Show that the processing is necessary to achieve it;
  • Balance it against the individual’s interests, rights, and freedoms; particular weight must be given to protecting children’s data.

Change proposed by DPDI

Clause 5

Proposes a prescribed list of activities for which the legitimate interests balancing test would no longer be required. These would be known as RLIs.

Schedule 1

This contains an extensive list of RLIs and when they would apply to processing. They can be briefly summarised as processing necessary for:

  • National security, public security, and defence;
  • Responding to emergencies;
  • Detecting, investigating, or preventing crime, and apprehending or prosecuting offenders;
  • Safeguarding vulnerable individuals;
  • Participating in democratic engagement;
  • Disclosures of personal data for the purposes of a task carried out in the public interest.

Our Analysis

This change means that in certain circumstances organisations will not have to conduct a legitimate interests assessment before relying on Article 6(1)(ea) as a lawful basis. It is likely to be most beneficial for non-commercial or third-sector organisations, particularly those working with the public sector.

Public bodies cannot rely on RLIs in the performance of their tasks. 

Organisations will still need to have processes and procedures that demonstrate their accountability regarding the new provision.

Examples that can be used to rely on legitimate interests

Current position of UK GDPR

Recitals 47-49 GDPR

These recitals were added to highlight certain purposes that ‘should be regarded’ as a legitimate interest:

  • Direct marketing;
  • Making intra-group transmissions of personal data where necessary for internal administrative purposes;
  • Ensuring the security of network and information systems.

For the purposes of direct marketing the right to object is absolute and you must stop processing when someone objects.

Change proposed by DPDI

Clause 5 Article 9

The Bill adds an additional article, listing examples of processing that ‘may’ constitute ‘processing that is necessary for the purposes of a legitimate interest’. These include processing that is necessary for the purposes of:

  • Direct marketing;
  • Ensuring the security of network and information systems;
  • Making intra-group transmissions of personal data where necessary for internal administrative purposes.

Unlike RLIs, these scenarios still require a legitimate interests assessment to be carried out before they can be relied upon as a lawful basis.

Our Analysis

The changes proposed by the DPDI mirror those made in Recitals 47-49. This will be helpful, as these examples will now be in the body of the legislation, which will provide greater clarity for organisations that are looking to rely on a legitimate interest.

The example of direct marketing as a legitimate interest represents a major departure for direct marketing, which previously relied on the legal basis of consent. The change means that, when processing data for a third-party marketing purpose, organisations could rely on the ‘opt-out’ model rather than the ‘opt-in’ preferred by GDPR. This in turn could result in an influx of spam marketing which would be legal under the legitimate interests basis.

International Transfers

The Bill reforms the approach to international transfers from a stricter, EU-based approach to a more risk-based approach.

Reforms to support international transfers of personal data

Current position of UK GDPR

Article 73-76

Personal data can be transferred from the UK using tools or mechanisms similar to those under EU GDPR:

  • Adequacy: transfers can be made freely to any country that is “adequate” for UK purposes. This includes any country in the EEA or countries that have agreed adequacy with the EU.
  • Appropriate safeguards: Such as standard contractual clauses (SCCs) under a relevant EU decision.
    – Alternatively, transfers can be legitimised using a UK international data transfer agreement (IDTA).
    – SCCs alone are not sufficient.
  • Special circumstances: Where the transfer is necessary to protect specific public interests. These must be approved by the Commissioner on request.

Change proposed by DPDI

Clause 23, Schedules 5-7

The Bill clarifies that international transfers taking place before the new law comes into force remain lawful; any alterations to the rules do not apply retrospectively.

Significant changes have been made to the role and powers of the Secretary of State, such as:

  • Wider discretion in deciding whether to make an adequacy regulation;
  • Removed requirement of reviewing adequacy regulations every four years;
  • Power to present legislation, or pass temporary legislation, placing restrictions on certain categories of personal data being transferred for important reasons of public interest;
  • Power to present legislation to approve new safeguards under Article 46 of the UK GDPR.

A new data protection test is introduced for when a new adequacy decision needs to be made. This test is a departure from the EU’s restrictive approach and instead requires a country, or international organisation, to have data protection not ‘materially lower’ than the UK’s. Factors that are considered are:

  • Respect for the rule of law and human rights;
  • The existence and powers of an authority responsible for enforcing the rights of data subjects against it;
  • Its rules about onward transfer of data;
  • Its relevant international obligations;
  • Its constitution, traditions, and culture.

Our Analysis

The Bill stating that previous lawful transfers will remain lawful is a relief for organisations as they will not have to scramble to update existing agreements. DPAS can help with both data transfer agreements and contractual clauses.

The approach of a risk-based assessment echoes previous guidance issued by the ICO in 2022 as the UK looks to diverge from the EU approach.

There is some concern that the UK’s ‘not materially lower’ test, being less strict than the equivalent approach taken by the EU, could put the UK’s adequacy status in jeopardy; however, both the ICO and the government have affirmed their belief that this will not adversely affect the UK’s adequacy status.


PECR 2003 (reforms to cookies, marketing, nuisance calls and enforcement)

The Bill proposes a series of changes to PECR, dealing with cookie fatigue and direct marketing and bringing enforcement in line with punitive measures similar to those available under GDPR.

Removal of cookie banners

Current position of UK GDPR

Regulation 6

All cookies must explicitly state their purpose and be positively consented to by the user before they can be placed. There are some exemptions:

  • For the sole purpose of transmitting a communication over an electronic communications network;
  • Where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Compliance with PECR 2003 is usually achieved through a consent request mechanism, typically a pop-up window or a banner, which provides the information for the purpose of the cookies and allows the user to accept or decline their placement.

Change proposed by DPDI

Clause 83 

Proposes removing the requirement for positively affirmed user consent in specified scenarios where the cookies are considered low risk. Low-risk cookies are those that solely:

  • Collect analytics to measure and improve website performance;
  • Remember user preferences when accessing the website;
  • Are necessary for security.

It is still compulsory to provide users with the ability to easily opt out.

Our Analysis

This is a small change that is unlikely to have much impact in reducing cookie fatigue and is unlikely to change cookie banners at this time.

It has been labelled as the groundwork for further work to come on reforming cookies in the UK though significant change is unlikely to materialise until technology to support browser-based opt-outs is released. 

It is also important to remember that this would only apply to the UK; notification and affirmed consent to these specific cookies would still be required for someone accessing the website from outside the UK.

Direct Marketing

Current position of UK GDPR

Regulation 22

PECR 2003 permits the marketing of similar services/goods to existing contacts via email, known as the ‘soft opt-in’.

For a ‘soft opt-in’ to apply, the following conditions must be met:

  • The contact details of the recipient were obtained in the course of the sale (or negotiations for the sale) of a product or service to the recipient;
  • The proposed marketing is in respect of similar products and services only;
  • The recipient has been given a simple means of opting out both at the time the details were collected and at the time of each subsequent communication.

Change proposed by DPDI

Clauses 85-86

These clauses propose to:

  • Extend the ability to rely on ‘soft opt-in’ to non-commercial organisations such as charities;
  • Grant powers to the Secretary of State to make secondary legislation reforming this area in the future.

The recipient must be provided a simple means of opting out of contact both initially and at each time of subsequent communication. 

Clause 89

Proposes allowing the Information Commission (IC) to base enforcement action on the number of calls generated rather than the number of calls connected.

Our Analysis

The ability for non-commercial organisations to market in this way is a welcome change and will aid the likes of charities in raising funds with the ability to contact previous donors.

The increased number of powers given to the Secretary of State is a concern throughout much of the Bill, and this is no different. For further analysis on this, see the section on reforms to the ICO below.

Basing enforcement on calls generated rather than calls connected is another welcome change that will mean the IC can more regularly take enforcement action against organisations that make many nuisance calls.

Enforcement

Current position of UK GDPR

Serious breaches of PECR can result in a fine of £500,000, in line with the measures under the Data Protection Act 1998.

Change proposed by DPDI

The Bill proposes:

  • Increasing the level of fines for serious breaches from £500,000 to GDPR levels (the higher of £17.5 million or 4% of global turnover);
  • Giving the IC powers to serve assessment notices and carry out audits in connection with PECR;
  • Allowing the Secretary of State to present legislation to Parliament to increase the maximum fines.

Our Analysis

As the ICO in its current form has been prosecuting organisations for breaches of PECR 2003, the increased level of fines will be welcomed so that organisations are not seen to be prosecuted with lesser punitive measures.

Reforms to the Information Commissioner’s Office (ICO)

The Bill brings some key changes to the role of the ICO. The Information Commissioner will be replaced with the Information Commission (IC), a supervisory body rather than an individual. The changes would bring the IC in line with other regulatory bodies such as Ofcom, while reforming the organisation’s current enforcement powers. There are some concerns that this area of the proposed reforms reduces the independence of the ICO, or as it would be known, the IC.

Name and Structure

Current position of UK GDPR

The ICO is a non-governmental body that offers guidance, rulings, and appropriate action in relation to information rights.

It is supervised by a management board who work with the Information Commissioner, a role appointed by the Crown and reporting to Parliament.

Change proposed by DPDI

Clauses 107-109

Proposes changing the ICO from a ‘corporation sole’ to a ‘body corporate’, introducing a board, a chair, chief executive, and a change in name to the IC.

Functions of the ICO will pass to the IC and remain mostly unchanged.

Our Analysis

This brings the ICO in line with other regulatory bodies.

Objectives of the IC

Current position of UK GDPR

The ICO’s remit consists of:

  • Helping the public;
  • Providing advice for organisations;
  • Enforcing the law;
  • Regulating the UK GDPR and Data Protection Act 2018.


Change proposed by DPDI

Clause 30

Introduces a new statutory framework of objectives:

  • A new ‘principal objective’ to secure appropriate levels of protection for personal data and to promote public trust and confidence in data use;
  • A set of secondary duties to consider the impact on innovation, competition, prevention of and dealing with criminal offences, and safeguarding public and national security.

Clause 31

The Secretary of State can set the priorities of the IC, though these priorities are not legally enforceable and must be presented before Parliament.

Our Analysis

The expansion of the IC’s duties to include considering the impact on innovation and competition echoes the government’s desire for the UK to be at the forefront of innovation in data usage.

There are concerns that this level of government involvement with the IC will threaten its stance as an independent regulator, which in turn would be a threat to the UK’s position of adequacy with the EU.

The ICO has issued a statement in which it claims that these reforms are not likely to result in a change in EU adequacy.

Increased powers of the Secretary of State and greater involvement with the IC further undermines the independence of the regulatory body.

Enforcement

Current position of UK GDPR

The ICO is able to take the following actions:

  • Conduct assessments to check organisations are complying with the relevant statutory instrument;
  • Serve information notices requiring organisations to provide the ICO with specified information within a certain time period;
  • Issue undertakings committing an authority to a particular course of action to improve its compliance;
  • Serve enforcement notices where there has been a breach requiring organisations to take specified steps to ensure compliance;
  • Issue recommendations specifying steps the organisation should take to comply;
  • Issue decision notices detailing the outcomes of ICO investigations to the public;
  • Prosecute those who commit criminal offences under the relevant statutory instruments.

For breaches of the DPA 2018, the ICO can issue fines of up to 4% of global turnover or £17.5 million, whichever is higher.

For breaches under PECR 2003, the ICO is able to issue fines of up to £500,000.

Change proposed by DPDI

Clause 90

The Bill proposes:

  • Increasing the level of fines for serious breaches from £500,000 to GDPR levels (the higher of £17.5 million or 4% of global turnover);
  • Giving the IC powers to serve assessment notices and carry out audits in connection with PECR;
  • Allowing the Secretary of State to present legislation to Parliament to increase the maximum fines.

Clauses 35 & 42

The IC will be allowed to decide how and when it investigates complaints, though it must produce guidance about how its discretion is to be exercised.

Clauses 36-40

The Bill proposes new enforcement tools:

  • Requiring organisations to commission technical reports from an ‘approved person’ in relation to their data use;
  • Compelling witnesses to attend interviews and answer questions, where the IC ‘suspects’ there has been a breach of the UK GDPR or DPA 2018;
  • Issuing penalty notices, under certain circumstances, beyond the usual six-month deadline following a notice of intent, where it is not reasonable for the second notice to be served within six months.

Our Analysis

As the ICO in its current form has been prosecuting organisations for breaches of PECR 2003, the increased level of fines will be welcomed so that organisations are not seen to be prosecuted with lesser punitive measures.

The ICO already gives direction on how a complaint can be made; this change codifies that guidance.

Clause 36 clarifies that this power to request information does extend to requesting documents.

Overall, these changes are unlikely to affect most organisations. Keeping up-to-date and thorough documentation to present to the IC would continue to be best practice should an organisation be investigated for non-compliance.


Research Sector

When circulating the Bill, the government raised concerns that the laws around the use of personal data for research purposes were too complex and were spread across different pieces of legislation. The aim of this part of the Bill is to clear up that confusion and provide greater certainty about processing personal data for the purpose of research.

Clarification

Current position of UK GDPR

Research is not defined in the UK GDPR, but it is addressed by the recitals:

Recital 159

Introduces the idea of ‘scientific research’. No definition is provided, and the recital encourages this to be interpreted broadly. A list of examples is provided:

  • Technological development and demonstration;
  • Fundamental research;
  • Applied research and privately funded research;
  • Studies conducted in the public interest or in the area of public health.

Recital 160

No definition is provided, but it is stated to include genealogical research.

Change proposed by DPDI

Clause 2

Creates definitions for types of research:

Scientific research includes:

  • Any research that can reasonably be described as scientific, with some exceptions;
  • Research into public health where this can reasonably be described as scientific, but only where that research is in the public interest;
  • Research carried out for commercial or non-commercial purposes.

Historical research includes genealogical research.

Our Analysis

The amended definition of scientific research in particular is a welcome change, and moving these definitions into the operative text of the legislation provides greater clarity for organisations wishing to use research for commercial purposes.

Further processing

Current position of UK GDPR

Article 13(3)

Where the controller intends to further process the personal data for a purpose other than that for which the personal data was collected, the controller shall provide the data subject with information on the other purpose and any relevant further information.

Recital 33

Acknowledges that it is often not possible to fully identify scientific research purposes at the time of data collection and states that data subjects should be allowed to give a broader effective consent.

Change proposed by DPDI

Clause 3

Personal data can be further processed (by deeming consent) for a scientific research purpose that differs from the original purpose. The relevant organisation does not need to provide the information up-front, in certain circumstances:

  • The only reason there is not explicit consent is due to the definition of scientific research;
  • It was not possible for the organisation to provide the up-front information;
  • Seeking consent to the research is consistent with generally recognised ethical standards relevant in that area of research;
  • As far as possible, the data subject has the opportunity to consent to processing for only a portion of the research.

Our Analysis

This further clarifies the confusion around consent that data subjects can give and is likely to be welcomed by those working in this field.

Automated Decision-Making (ADM) and Profiling

As previously mentioned, the UK government has stated its desire to take a flexible approach to the innovation and development of new technology, particularly concerning AI. The previous legislation gave data subjects the right not to be subjected to processing by non-human means; however, this area has been changed by the Bill to allow for a greater range of processing by AI.

Clarification

Current position of UK GDPR

Article 22

Data subjects have a right not to be subject to solely automated decision-making except in specific circumstances.  

Solely automated decision-making is allowable where it is:

  • Based on consent;
  • Necessary because of a contract between data subject and controller;
  • Specifically approved by domestic laws which also provide for safeguarding measures to be applied.

Appropriate safeguarding measures must be implemented in all circumstances.

Change proposed by DPDI

Clause 12

Defines ADM as the processing of data where there is no meaningful human involvement in the taking of a significant decision.

Profiling alone does not count as ADM, but the extent to which the decision reached used ADM will determine the level of meaningful human involvement.

Widens the scope for solely automated decision-making. Rather than being restricted, ADM would be allowed by default and would only be restricted when:

  • Special category data is involved;
  • The lawful basis relied upon is one of the new RLIs.  

Decisions which include the use of special category data and use ADM will still be restricted, but would be permissible where it is necessary:

  • To enter into or perform a contract between controller and data subject, or is required or authorised by law;
  • For reasons of substantial public interest.

An enhanced list of safeguards is present under Clause 12, the most notable of which are those that allow people to contest the decision after it has been made and to request human intervention.

Our Analysis

This is a notable divergence from the EU GDPR’s position on ADM.

There are concerns that this approach will impact on the rights of data subjects, although it has more explicitly stated safeguards than were previously available under Article 22. The onus will be on organisations to ensure these safeguards are in place.

Further Processing

There is little change to further processing, though the changes here clarify some scenarios where factors listed under Article 6(4) of the UK GDPR would not need to be considered when making the decision to use personal data for a new purpose.

Data being ‘re-used’ for a new purpose

Current position of UK GDPR

Article 6(4)

Data can be re-used for a new purpose when certain factors are considered:

  • If there is any link between the original and new purpose;
  • The context of the personal data’s collection;
  • The nature of the personal data;
  • Possible consequences for the data subject when processing the data for the new purpose;
  • The existence of appropriate safeguards.

Article 5(1)

Further processing for the following purposes should be considered compatible lawful processing operations:

  • Archiving purposes in the public interest;
  • Scientific research purposes; and
  • Statistical purposes

Change proposed by DPDI

Clause 6

The Bill retains the provisions under the UK GDPR of the factors that must be considered when processing data for a new purpose.

Some scenarios are pre-approved as compatible, meaning the organisations would not need to consider those factors. These scenarios are when the new purpose is for:

  • Protecting public security;
  • Responding to emergencies;
  • Detecting, investigating, or preventing crime;
  • Safeguarding vulnerable individuals;
  • Protecting vital interests;
  • Assessing or collecting tax;
  • Complying with a legal obligation;
  • Private organisations undertaking processing after being asked under the ‘public task lawful basis’.

Where the original legal basis for processing was consent, organisations must meet one of the following criteria before being able to continue:

  • The data subject provides consent again, specifically for the new purpose;
  • The further processing is carried out in order to comply with Article 5(1) of the UK GDPR;
  • The purpose appears on the pre-approved list of compatible purposes and the organisation ‘cannot reasonably be expected to obtain the data subject’s consent’;
  • The purpose falls within narrow exceptions.

Our Analysis

The changes under Clause 6 expand the scope for further processing of personal data and provide clearer guidance for organisations about when they can process data for a compatible purpose.

This area may evolve further through the development of secondary legislation.

Personal Data

Perhaps the area of the Bill that has seen most discussion is the changes made to the definition of personal data. The DPDI proposes to alter the definition in such a way that some kinds of personal data could be excluded from the protections afforded by the UK GDPR.

"Refined" definition of personal data

Current position of UK GDPR

Article 4(1)

Personal data is any information that relates to an identified or identifiable living person.

An identifiable person is one who can be identified, directly or indirectly, by reference to identifiers. 

Some examples of identifiers are given, such as:

  • A name
  • An identification number
  • Location data
  • Physical data
  • Economic data

Change proposed by DPDI

Clause 1

The Bill amends the definition, stating that information being processed is only personal data when:

  • The individual is identifiable by the controller or processor by reasonable means at the time of processing; or
  • The controller or processor knows, or ought reasonably to know, that another person will obtain the information and that person, by reasonable means, will be able to identify the individual.

Reasonable means is defined as:

  • The time, effort and costs involved in identification; and
  • The technology and other resources available to the person.

The Bill adds that an individual can be identified in two ways: directly and indirectly. When processing data, controllers and processors should be aware of:

  • Direct identification: where an individual can be identified without the use of additional data.
  • Indirect identification: where an individual can be identified only with the use of additional information, using reasonable means.

Our Analysis

This change gives more power to the data controller as they are now required to judge whether a third party is likely to obtain the information. Should they judge that it is unlikely, then that data will no longer qualify as personal data. Therefore, that data will have no protections under UK GDPR.

Critics of the Bill believe this to be a fundamental risk to data subject rights. The ICO, in its response to the DPDI, concurs that this would be a privacy risk. In the event that a controller judges that a third party will not see the data, but a third party gains access anyway and identifies individuals, then those individuals have no recourse under data protection law.

Overall, the Bill is not a significant departure from EU GDPR. How much these changes will affect your organisation will be determined by the scope of your business. SMEs that operate solely within the UK will feel the greatest benefit from these changes, as their administrative burden will decrease considerably. Larger organisations that operate within both the UK and the EU will still find that the process has been streamlined for their UK-based operations, though they will still need to ensure they comply with the stricter requirements under EU GDPR.