Written by Syan Bateman
The Data Protection and Digital Information Bill was introduced to Parliament on 18 July 2022, following publication of the government’s response to the Data: a New Direction consultation. This primary legislation will harness our post-Brexit freedoms to create an independent data protection framework. The Bill is important because it may change UK data protection law, for example through the proposed changes to ease requirements for cookie consent and for re-using personal data for research.
These changes take us away from the strict EU GDPR, though if your business operates within the EU, you must still adhere to EU GDPR. Generally, over-compliance with EU GDPR will ensure compliance with the majority of the changes in this Bill, but the loosened rules may improve data flow to non-EU countries, such as the USA and Australia.
One of the key changes is the reform of the ICO, which is a concern for privacy advocacy organisations, as they fear it could hinder the ICO’s independence. Expert panels will review all new codes of practice or guidance on complex and novel issues, and the Secretary of State will have the power to approve them.
Some key aims and changes proposed in the Bill are:
- To reduce barriers to responsible innovation. The Bill proposes a change to the extent of consent regarding research, such as allowing less specific consent for scientific research, and not requiring consent to be re-collected for data re-purposed in research if doing so requires disproportionate effort. The standard of anonymisation will also be clarified.
- To reduce burdens on businesses. Parts of the existing data protection framework – such as Data Protection Officers, Article 30 risk registers and Data Protection Impact Assessments – will be replaced by privacy management systems, though this may mostly be a name change. In small companies, DPOs can be replaced by a senior responsible individual, unless trading in the EU.
- To reduce barriers to data flow. Adequacy decisions for international data transfers will be risk-based and no longer reviewed every 4 years. The Secretary of State is also to recognise alternative transfer mechanisms.
- To deliver better public services. Special personal data may be processed under substantial public interest, and non-public companies may deliver public tasks under lawful processing. Law enforcement and UK intelligence services will also come under UK GDPR and DPA, and be subject to enforcement by the ICO.
These changes are also not yet set in stone, and until the Bill is passed, UK GDPR is the standard for data protection. If you want more information on the Bill, or how it may affect your business or your current compliance with Data Protection Law, email us at info@bivika.com.