UK Data Protection Reform – new Data Protection and Digital Information Bill published
The value of data to the UK economy is significant, with data-driven trade generating 85 per cent of the UK’s total service exports and contributing an estimated £259 billion to the UK economy in 2021. With that in mind, UK data protection reform is firmly back on the UK Government’s agenda with the introduction of the Data Protection and Digital Information Bill ("Bill") on 8 March 2023.
The first version of the Bill was introduced in July 2022 and legislative reform had been on hold since September 2022, but 6 months on, we now have a new iteration of the Bill to consider. Introduced by the UK Secretary of State for Science, Innovation and Technology Michelle Donelan, the Bill is intended to make the UK system easier to understand. Donelan stated that British businesses would be released from "unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy".
Whilst the political rhetoric around the release of the Bill signals substantial change, the proposed changes are less controversial in reality, given that the UK will not want to jeopardise the EU adequacy decisions that allow personal data to flow freely from the EU to the UK. The Bill amends the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations rather than replacing them, so the original structure and principles of that legislation will be retained. At 212 pages long, the Bill covers a lot of ground, but the key changes likely to be of interest to businesses and employers are set out briefly below.
Data Subject Access Requests (DSARs)
One of the most time consuming and expensive compliance aspects of the current legislation is responding to DSARs. Under the new Bill, DSARs can be refused where the request is "vexatious or excessive", replacing the current "manifestly unfounded or excessive" test.
Legitimate Interests
Businesses will no longer have to balance their legitimate interests against data subjects' rights and interests where the processing is for a "recognised legitimate interest". The Bill lists these recognised legitimate interests, which are largely public-interest purposes such as national security, preventing or detecting crime and safeguarding vulnerable individuals. Separately, the Bill gives examples of purposes that may be legitimate interests under the ordinary balancing test, including direct marketing, intra-group transfer of data for internal administrative purposes and ensuring the security of network and information systems; for these, the balancing exercise still applies.
Records of Processing
The Bill will require records of processing only where organisations carry out processing activities which are likely to result in high risk to the rights and freedoms of data subjects.
UK representative requirement removed
The requirement that controllers and processors not established in the UK must appoint a UK representative has been removed, a welcome change for cross-border businesses.
Data Protection Officer (DPO)
The requirement to appoint a DPO has been removed and replaced with an obligation to appoint a senior responsible individual (SRI) where the organisation is a public body or carries out high-risk processing.
The Information Commissioner's Office (ICO)
The ICO will be strengthened with a move away from a single Information Commissioner to the creation of a statutory board with a chair and chief executive.
International Data Transfers
No significant changes are proposed to the international transfer regime. The adequacy assessment process will now be termed a data protection test, and that test will be met if the standard of data protection is not materially lower than standards under UK law.
The Bill will now proceed to second reading stage but in the meantime, it has the backing of the current UK Information Commissioner, John Edwards. Edwards stated that he welcomed the reintroduction of the Bill and looked forward to "continuing to work constructively with the Government to monitor how these reforms are expressed in the Bill as it continues its journey through Parliament."
For any data protection queries please contact Aisling Byrne, Partner and Johanna Cunningham, Associate or any member of the Employment & Incentives Team in Belfast.
Date published: 22 March 2023