UK Data Protection and Digital Information Bill Introduced

On July 18, 2022, the Department for Culture, Media, and Sport (DCMS) introduced the Data Protection and Digital Information Bill to the UK Parliament.  

The bill has been the subject of discussion for almost a year. In June 2022, the government published its response to the proposals from the consultations, titled Data: A New Direction. 

What is the UK Data Protection and Digital Information Bill? 

The Minister for Media, Data, and Digital Infrastructure, Matt Warman, when asked about the UK Data Protection and Digital Information Bill, said:  

One of the topics of discussion has been the impact of the UK’s reforms on its adequacy status with the EU. On this, the Government highlights that “these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.” 

What are the highlights of the bill?  

The UK Data Protection and Digital Information Bill is 192 pages long and is divided into several parts, including: 

• Data protection  
• Digital verification services  
• Customer and business data  
• Regulation and oversight  

The bill also has 13 additional schedules.  

Are DPOs still required? 

Under the bill, requirements on Data Protection Officers (DPOs) are removed, though they are replaced with requirements to designate a “senior responsible individual” who is tasked with several responsibilities including monitoring compliance with the law. Much of the additional detail around the circumstances and requirements bear some resemblance to provisions under the GDPR.  

Are there changes to DPIAs? 

Requirements around Data Protection Impact Assessments (DPIAs) have also been substituted in favor of “assessments of high-risk processing.” Controllers must continue to produce documents recording compliance which should include a summary of the purposes of processing; an assessment of whether the processing is necessary; an assessment of the risks to individuals; and a description of how the controller proposes to mitigate those risks.  

Are there new rules around data mapping? 

Another debated issue during the consultation was the requirement to maintain a record of processing activities (RoPA). Organizations continue to be obliged to maintain “appropriate” records of processing of personal data. Whilst the bill provides further information on what should be recorded, it also says that in deciding what is “appropriate”, organizations should consider the nature, scope, context and purposes of processing; the risks that could arise from the processing to individuals; and the resources available to the organization.   

Are cookies treated differently?   

In addition to making changes to the Data Protection Act 2018 and the UK GDPR, the bill also proposes changes to the Privacy and Electronic Communications Regulations (PECR), particularly around the issues of cookies. Minister Warman said: 

“Reforms to the Privacy and Electronic Communications Regulations will also remove the need for cookie banner pop ups for low-risk activities, such as audience measurement, so it’s easier for businesses to use information to improve their services. The Bill will also pave the way for the removal of irritating banners for other types of cookies when browser-based or similar solutions are sufficiently developed.” 

What does this mean for organizations? 

This bill’s introduction is the first stage of its journey through both Houses of Parliaments, which will include several committee reviews and readings. MPs will next consider the bill at second reading, though a date for this has not yet been announced.  

This will be yet another data protection framework to adjust existing programs, and organizations should assess the detail of the bill to understand key proposals made.  

To stay up to date with the UK Data Protection and Digital Information Bill and more, visit OneTrust’s DataGuidance.