
UK Data Protection and Digital Information Bill Introduced

The UK Government today introduced the Data Protection and Digital Information Bill to strengthen data protection standards in the UK, levy tougher fines, and modernize the Information Commissioner’s Office (ICO).

Alexis Kateifides OneTrust Senior Center of Excellence Counsel


On September 5, 2022, it was announced that the second reading of the Data Protection and Digital Information Bill would not take place as planned. A new date for the second reading has not yet been announced.

On July 18, 2022, the Department for Culture, Media, and Sport (DCMS) introduced the Data Protection and Digital Information Bill to the UK Parliament.  

The bill has been the subject of discussion for almost a year. In June 2022, the government published its response to the proposals from the consultations, titled Data: A New Direction. 

What is the UK Data Protection and Digital Information Bill? 

The Minister for Media, Data, and Digital Infrastructure, Matt Warman, when asked about the UK Data Protection and Digital Information Bill, said:  

“We now have the opportunity to seize the benefits of Brexit and transform the UK’s independent data laws. We have designed these new updates to our data protection framework so it works in our interests, protects our citizens, and unburdens our businesses.

Through this Bill we will realize the opportunities of responsible data use whilst maintaining the UK’s high data protection standards.” 

Matt Warman, Minister for Media, Data, and Digital Infrastructure

One of the topics of discussion has been the impact of the UK’s reforms on its adequacy status with the EU. On this, the Government highlights that “these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.” 

What are the highlights of the bill?  

The UK Data Protection and Digital Information Bill is 192 pages long and is divided into several parts, including: 

  • Data protection  
  • Digital verification services  
  • Customer and business data  
  • Regulation and oversight  

The bill also has 13 additional schedules.  

Are DPOs still required? 

Under the bill, requirements on Data Protection Officers (DPOs) are removed, though they are replaced with requirements to designate a “senior responsible individual” who is tasked with several responsibilities, including monitoring compliance with the law. Much of the additional detail around the circumstances and requirements bears some resemblance to provisions under the GDPR.

Are there changes to DPIAs? 

Requirements around Data Protection Impact Assessments (DPIAs) have also been substituted in favor of “assessments of high-risk processing.” Controllers must continue to produce documents recording compliance which should include a summary of the purposes of processing; an assessment of whether the processing is necessary; an assessment of the risks to individuals; and a description of how the controller proposes to mitigate those risks.  

Are there new rules around data mapping? 

Another debated issue during the consultation was the requirement to maintain a record of processing activities (RoPA). Organizations continue to be obliged to maintain “appropriate” records of processing of personal data. Whilst the bill provides further information on what should be recorded, it also says that in deciding what is “appropriate”, organizations should consider the nature, scope, context and purposes of processing; the risks that could arise from the processing to individuals; and the resources available to the organization.   

Are cookies treated differently?   

In addition to making changes to the Data Protection Act 2018 and the UK GDPR, the bill also proposes changes to the Privacy and Electronic Communications Regulations (PECR), particularly around the issue of cookies. Minister Warman said:

“Reforms to the Privacy and Electronic Communications Regulations will also remove the need for cookie banner pop ups for low-risk activities, such as audience measurement, so it’s easier for businesses to use information to improve their services. The Bill will also pave the way for the removal of irritating banners for other types of cookies when browser-based or similar solutions are sufficiently developed.”

What does this mean for organizations? 

This bill’s introduction is the first stage of its journey through both Houses of Parliament, which will include several committee reviews and readings. MPs will next consider the bill at second reading, though a date for this has not yet been announced.

This will be yet another data protection framework that existing programs must be adjusted to, and organizations should assess the detail of the bill to understand the key proposals made.

To stay up to date with the UK Data Protection and Digital Information Bill and more, visit OneTrust’s DataGuidance.
