UK Data Protection and Digital Information Bill re-introduced to Parliament

Today the UK Government re-introduced the Data Protection and Digital Information Bill. It aims to reduce the administrative burden placed on businesses, promote international trade, and reduce consent notices. Here's what you need to know.

Robb Hiscock
Content Marketing Specialist | CIPP/E, CIPM
March 8, 2023


On March 8, 2023, the Department for Science, Innovation and Technology issued a press release stating that a revised Data Protection and Digital Information Bill had been re-introduced to the UK Parliament.

The Bill has been the subject of discussion for over 12 months and has been redesigned in collaboration with industry and business leaders. In June 2022, the Government published its response to the proposals from the consultations, titled Data: A New Direction. However, in September 2022, the Bill was placed on hold indefinitely while UK Ministers redesigned the Bill.

What is the UK Data Protection and Digital Information Bill?

According to the Government, the redesigned Data Protection and Digital Information Bill aims to promote research and innovation in the UK while maintaining the country’s high standard of data protection and European adequacy. Another central aim of the Government is to reduce the operational costs placed on UK businesses and remove burdens for small and medium enterprises, through a reduction in consent pop-ups and new rules for when businesses can process data without consent. The new Bill will also introduce rules to enhance the development of AI technologies and the safeguards necessary for this development, specifically in instances of automated decision-making and profiling.

Science, Innovation and Technology Secretary Michelle Donelan said: “Co-designed with business from the start, this new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs. Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR. Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.”

What are the key areas of the Bill?

Reduced record keeping requirements 

Central to the key themes of the Bill, amendments have been made to reduce the operational burden on organizations. This will apply to existing record keeping obligations and demonstrable compliance whereby the updated Bill will only require organizations whose processing activities are likely to pose a high risk to the data subject (e.g., processing large volumes of personal data or processing sensitive data) to keep a record of their processing activities.

New rules for consent

While the Bill aims to reduce the number of consent notices that data subjects will see online, it will also give organizations new conditions for when they can process personal data without needing consent.

Clarity on safeguards for automated decision-making

In an attempt to instill greater public confidence in the use and development of AI technologies, the new Bill sets out rules for implementing the appropriate safeguards for individuals about whom solely automated decisions are made. Under the new Bill, organizations will be required to make data subjects aware when such decisions are made, give them the opportunity to challenge the decision, and allow them to seek human review.

Continued international transfers

The new Bill will also retain a focus on international trade and has been developed to ensure that the free flow of personal data from the UK remains in place. Organizations will be able to rely upon their existing international data transfer mechanisms, such as Standard Contractual Clauses (SCCs) and adequacy decisions, to export personal data so long as the mechanisms are already compliant with current UK data laws.

Broader research exemption

The updated Bill includes a revised definition of “scientific research” that would allow commercial organizations to benefit from the same exemptions as academic researchers when carrying out innovative scientific research, encouraging such research to take place in the commercial sector. The new definition of “scientific research” is left open to broad interpretation, such that many processing activities “could reasonably be described as scientific,” up to and including research into technological development.

Increased fines

In addition to the amendments to the operational requirements, increased fines for nuisance calls and texts will be introduced under the new Bill. These will range up to 4% of global turnover or £17.5 million, whichever is greater.

What does this mean for organizations?

There is a long way for the Data Protection and Digital Information Bill to go before it overhauls existing data protection law in the UK. The Bill’s re-introduction to Parliament is just the first stage of its journey through the UK’s legislative process, and it will still be required to undergo several committee reviews and readings.

While there is no immediate action for UK businesses to take, they can begin to assess some of their current processes and start to understand where gaps are likely to appear under any new legislative regime. Some key areas to consider include:

  • Data Protection Impact Assessments in order to understand whether future record keeping requirements will be necessary 
  • Data mapping will continue to be instrumental in order to assess compliance and ensure areas such as data transfer safeguards and valid consent are tracking to the new Bill 
  • Consent and preference management will require attention in order to understand where consent is needed and how it can be collected under any new rules

To stay up to date with the progress of the UK Data Protection and Digital Information Bill and more, visit OneTrust’s DataGuidance. 

