UK Data Protection and Digital Information Bill (No.2) 2023
The Data Protection and Digital Information Bill (DPDI) reform bill was initially proposed in July 2022 but was paused in September 2022. The revised draft was submitted to parliament on 8th March 2023. In this article, you will learn what the changes are and what those changes mean for businesses and Data Subjects. You can also watch our free webinar below.
What is the core purpose of the reform Bill?
The Bill, re-introduced by the Secretary of State for Science, Innovation and Technology, Michelle Donelan MP, is intended to provide a framework that is more business-friendly, reduces paperwork and is simple and cost-effective to manage. It intends to make provisions for:
- Services that use information to establish and verify facts about an individual
- The regulation of processing information that allows an individual to be identified
- Improving the disclosure of information to allow public service announcements
- The storing and keeping of information regarding birth and death registration
- Information Standards for health and social care
- Establishing the information commission
- Oversight of biometric data
Why is the current Bill being changed and what does this mean for businesses?
The Data Protection and Digital Information Bill is being changed to improve its usability and to make it simpler, easier to manage and more flexible.
The UK Information Commissioner, John Edwards said:
“I welcome the reintroduction of the Data Protection and Digital Information Bill and support its ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society.”
The Bill will still hold the fundamental principles of the UK GDPR and will also retain the same name. Whilst businesses that already comply with the UK GDPR will not need to make any changes, they will have to make specific clarifications to their existing policies and processes.
Some of the changes that have been made are:
- Scientific research - This was not fully identified when the original bill was introduced. The new Bill has amended the concept of consent so that it would now include scientific research.
- Cookies - Up until now the rules around website cookies have been very strict. Under the new Bill, these rules would be relaxed and a website would be able to place certain types of security and location cookies without the need for consent. We have a dedicated training course for cookie compliance for websites and apps if you’re interested in learning more.
- Fines for direct marketing - The current maximum fine for non-compliant direct marketing is £500,000. Under the new Bill, this would be increased to £17.5 million or 4% of global annual turnover, whichever is higher. This is one of the easier areas for companies to fall foul of the legislation, and it is the area we get asked the most questions about, as there is often confusion in marketing teams around what they can and cannot do. Our live course, “GDPR and Privacy Training for Marketing Teams”, provides an invaluable way to support your marketing teams and ensure you’re confident in their knowledge of what’s allowed under the legislation.
- The replacement of “DPO” with “SRI” - The current role of Data Protection Officer (DPO) would be replaced by a Senior Responsible Individual (SRI) who must be a senior person in an organisation and can carry out other roles too.
- Legitimate interests - Under the previous Bill, businesses could rely on a “recognised” legitimate interest without needing to carry out a balancing test. The recognised legitimate interests cover processing purposes such as national security and preventing crime. The new Bill retains the same principles but adds examples of when legitimate interests could be suitable. As the examples would not be part of the “recognised” list of legitimate interests, a balancing test would still be required for them. They are intended as a guide to help businesses understand when legitimate interest can be applied.
The new Bill aims to take the best elements of GDPR combined with a clearer and easy-to-understand framework and provide businesses with flexible ways to comply with the new data laws.
This will mean:
- Less paperwork
- A simpler process with clear guidelines
- Supporting more international trade without creating extra costs for organisations (as long as they are already compliant with the current data regulation)
- Public and business confidence in AI technologies would increase
- Data adequacy with the EU would be maintained
- Records of processing would only be required for organisations if the processing activities they are carrying out are a high risk to the data subjects’ rights and freedoms
Time to refresh your staff's GDPR training?
It is important that staff are aware of and understand the current legislation so they don't process, handle, or respond to data requests with outdated knowledge. Databasix provides a range of training courses for different roles.
We also offer a refresher course if you are looking to update your knowledge to keep up with the current legislation. This will be particularly useful if you or your staff haven’t received any training in the last twelve months.
Can you improve your data protection in light of the reform Bill?
As well as training, we provide a range of services ranging from consultancy to data mapping, audits and implementation plans to ensure you’re getting the best value from your data whilst also handling it appropriately.
Contact us today for a friendly, no obligation chat to discover how we can help you.