July 19, 2022
UK Data Protection and Digital Information Bill Introduced
On September 5, 2022, it was announced that the second reading of the Data Protection and Digital Information Bill would not take place as planned. A new date for the second reading has not yet been announced.
On July 18, 2022, the Department for Culture, Media, and Sport (DCMS) introduced the Data Protection and Digital Information Bill to the UK Parliament.
The bill has been the subject of discussion for almost a year. In June 2022, the government published its response to the proposals from the consultations, titled Data: A New Direction.
What is the UK Data Protection and Digital Information Bill?
The Minister for Media, Data, and Digital Infrastructure, Matt Warman, when asked about the UK Data Protection and Digital Information Bill, said:
“We now have the opportunity to seize the benefits of Brexit and transform the UK’s independent data laws. We have designed these new updates to our data protection framework so it works in our interests, protects our citizens, and unburdens our businesses.
Through this Bill we will realize the opportunities of responsible data use whilst maintaining the UK’s high data protection standards.”
Matt Warman, Minister for Media, Data, and Digital Infrastructure
One of the topics of discussion has been the impact of the UK’s reforms on its adequacy status with the EU. On this, the Government highlights that “these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.”
What are the highlights of the bill?
The UK Data Protection and Digital Information Bill is 192 pages long and is divided into several parts, including:
- Data protection
- Digital verification services
- Customer and business data
- Regulation and oversight
The bill also has 13 additional schedules.
Are DPOs still required?
Under the bill, requirements on Data Protection Officers (DPOs) are removed, though they are replaced with requirements to designate a “senior responsible individual” who is tasked with several responsibilities, including monitoring compliance with the law. Much of the additional detail around the circumstances and requirements bears some resemblance to provisions under the GDPR.
Are there changes to DPIAs?
Requirements around Data Protection Impact Assessments (DPIAs) have also been replaced by “assessments of high-risk processing.” Controllers must continue to produce documents recording compliance, which should include a summary of the purposes of processing; an assessment of whether the processing is necessary; an assessment of the risks to individuals; and a description of how the controller proposes to mitigate those risks.
Are there new rules around data mapping?
Another debated issue during the consultation was the requirement to maintain a record of processing activities (RoPA). Organizations continue to be obliged to maintain “appropriate” records of processing of personal data. Whilst the bill provides further information on what should be recorded, it also says that in deciding what is “appropriate”, organizations should consider the nature, scope, context and purposes of processing; the risks that could arise from the processing to individuals; and the resources available to the organization.
Are cookies treated differently?
In addition to making changes to the Data Protection Act 2018 and the UK GDPR, the bill also proposes changes to the Privacy and Electronic Communications Regulations (PECR), particularly around the issue of cookies. Minister Warman said:
“Reforms to the Privacy and Electronic Communications Regulations will also remove the need for cookie banner pop ups for low-risk activities, such as audience measurement, so it’s easier for businesses to use information to improve their services. The Bill will also pave the way for the removal of irritating banners for other types of cookies when browser-based or similar solutions are sufficiently developed.”
What does this mean for organizations?
This bill’s introduction is the first stage of its journey through both Houses of Parliament, which will include several committee reviews and readings. MPs will next consider the bill at second reading, though a date for this has not yet been announced.
This will be yet another data protection framework requiring adjustments to existing programs, and organizations should assess the detail of the bill to understand the key proposals made.