Navigating the new landscape: understanding the UK’s Data Protection and Digital Information (No.2) Bill

16 November 2023 / Insight posted in Article

The UK Department for Science, Information and Technology (DSIT) recently announced the introduction of the Data Protection and Digital Information (No.2) Bill, a significant development that could reshape the landscape of data protection in the UK. This proposed legislation aims to modify the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, commonly known as PECR. 

In a bold move, the DSIT’s press release characterises the Bill as a common-sense, UK-centric version of the EU’s GDPR. The intention is to alleviate the regulatory burden on British businesses and charities, streamline international trade, and reduce the frequency of online data collection pop-ups. The government anticipates these reforms could unlock substantial economic benefits, projecting savings of around £4.7 billion over the next decade. 

John Edwards, the UK’s Information Commissioner, has responded positively to the announcement, expressing eagerness to collaborate with the Government in refining the Bill as it progresses through Parliament. 

Background 

This Bill represents the second attempt to reform the UK’s data protection regime. The initial version, introduced in July 2022, was paused to allow for further consultation with business leaders and data experts. The aim was to move away from the ‘one-size-fits-all’ approach of the EU’s GDPR. However, a full consultation round, expected after Michelle Donelan’s announcement of a new “British data protection system” at the Conservative Party Conference in October 2022, never materialised, leading to the withdrawal of the previous Bill. 

Key changes 

The new Bill retains many proposals from its predecessor but introduces some clarifications and additional flexibility. Notable changes include an amended definition of personal data, revised criteria for subject access requests, and alterations to the complaints process. The Bill also proposes significant changes to the Records of Processing Activities (RoPA) requirements, the concept of ‘legitimate interests’, and the rules surrounding cookie banners. 

One of the most significant shifts is the transformation of the Information Commissioner’s Office into the Information Commission, a corporate body with a chief executive. Additionally, the Bill introduces new regulations for data holders regarding the availability and processing of customer and business data. 

Impact and timing 

The Bill is currently at the third reading stage and is expected to receive Royal Assent early next year. Its progress can be tracked online. 

As the EU reviews its adequacy decision with the UK every four years, with the next review due in June 2025, there is speculation about how these changes might affect the UK’s adequacy status and the free flow of data between the UK and EU. However, the government maintains that the new Bill, while introducing changes, still upholds the fundamental obligations of the UK GDPR. 

Organisations maintaining compliance with the UK GDPR are well-positioned for a seamless transition under the new Bill. However, to guarantee full compliance and leverage the evolving data protection landscape, partnering with experts is key. Moore ClearComm is at the forefront, crafting specialised services to guide both UK-based and international clients through these changes, ensuring seamless compliance and strategic advantage. 

For more information about the Data Protection and Digital Information (No.2) Bill, contact our Data Privacy team.
