New UK Data Protection Regime – what to expect?

Less paperwork for organisations, fewer data collection pop-ups for the wider public, and more than £4 billion saved over the next 10 years – these are just a few of the outcomes that the proposed Data Protection and Digital Information Bill (the ‘bill’) should bring, according to the UK government.

The draft legislation was published by the government on 8 March 2023 with a view to reforming the current data protection regime in the UK. This came following a consultation launched by the Department for Digital, Culture, Media and Sport in 2021 and after the initial draft of the proposed legislation was put on pause last September. The bill now seems to be progressing towards becoming legislation and has just received its second reading in Parliament. Our data protection group have looked at the proposed legislation and highlight below a couple of points that might be of interest for organisations processing personal data.

Under the bill, only those organisations whose processing activities are likely to pose ‘high risks’ to individual rights and freedoms (such as health data) should be required to keep a record of processing activities. It also aims to provide more clarity as to when organisations can process personal data without needing consent, and it removes the need for data processors to balance their own legitimate interest with the data subject’s rights and interests where certain public interest activities are concerned (such as crime prevention or the protection of vulnerable individuals).

The proposed legislation also updates the definition of scientific research to clarify that commercial organisations will benefit from the same freedoms as academics to carry out such research, making it easier to reuse data for those purposes. It should also increase confidence in AI by clarifying when safeguards apply to automated decision-making.

The wider public is likely to welcome the government’s proposals to increase fines for nuisance calls and texts to either up to 4% of global turnover or £17.5m (whichever is higher) and to reduce the number of cookie consent pop-ups in their daily lives.

Certain changes are also proposed in respect of data subject requests. Although they are a crucial right for individuals, subject access requests can also be time-consuming and costly to process for many organisations, especially if used as a means of circumventing strict disclosure protocols in disputes and gaining information for prospective litigation. The bill proposes to change the current threshold for refusing a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. Data subject requests intended to cause distress, not made in good faith, or abusing the process are listed as non-exhaustive examples of vexatious requests.

The DPDI (No.2) Bill also proposes reforming the Information Commissioner’s Office (the ‘ICO’) by setting clearer strategic objectives and duties for the ICO while changing its governance model. This should enhance the ICO’s accountability both to Parliament and the public and extend its investigatory powers. The ICO would in future tackle the highest risk data processing activities, while helping organisations to comply with the law from the outset, rather than focussing on penalising them.

In general, organisations that are currently compliant with the UK GDPR should not have to take any steps or make any changes to comply with the proposed legislation. However, the proposed legislation – if implemented as is – would bring organisations more flexibility to choose a more efficient approach to their data privacy. Moreover, those remaining subject to both the UK and the EU GDPR should not be disadvantaged either, as the proposed reform is not likely to create dual or conflicting requirements between the two.

The question is whether all these proposed changes will withstand parliamentary scrutiny. Although the proposed legislation was received positively by the UK Information Commissioner John Edwards, questions have been raised about whether the proposed changes might impact the UK ‘adequacy’ decision obtained from the EU Commission following Brexit, thereby jeopardising the cross-border flow of data between the UK and the European Economic Area. The UK’s data reform plans have previously faced criticism from a member of the European Parliament and the next adequacy decision review is due to take place in June 2025, although a change in the UK’s data protection laws could prompt an earlier review. However, the UK government remains confident that the proposed regime will maintain data protection adequacy with the EU while moving away from the ‘one-size-fits-all’ approach of the EU GDPR.

If your organisation is in need of GDPR support, training or EU representative or UK representative services to comply with your data protection obligations – or even if you would like to know more about the proposed legislation – please get in contact with us. Our data protection experts offer businesses a free no-obligation consultation.

Founded by legal and data protection experts recognised by the world’s largest global information privacy community, Willans Data Protection Services provides organisations operating on a multi-national basis with EU and UK Representative solutions, Data Protection Officer services and training solutions under the GDPR.

Through its affiliation with UK law firm Willans LLP, it also provides organisations with wider advisory services concerning GDPR compliance such as GDPR audits, drafting policies, preparing legal documentation and bespoke legal advice.

Contact us for all things concerning data protection.