Partner Content

UK data protection reform back on track

Following a seemingly false start, the reform of UK data protection legislation seems to be back on track with publication of the Data Protection and Digital Information (No. 2) Bill. Organisations will need to take time to consider the new Bill and determine which of the changes to the current regulations will apply.

Assuming the current version of the Bill becomes law, it will be necessary to determine whether processing activities are considered ‘high risk’ as this is what will determine whether data processing records need to be kept. The government currently gives one example of where processing may be high risk (processing large volumes of sensitive data about people’s health). We expect to receive further guidance on this but anticipate that it will be based on the nature and scope of the processing and those that process special category data.

Back on track

Following government consultation post-Brexit, the first iteration of the Data Protection and Digital Protection Bill was introduced to Parliament in July 2022. The government then announced that further amendments were required, and progress stalled. The updated version of the bill, the Data Protection and Digital Information (No. 2) Bill had its first reading in the House of Commons on 8 March 2023.


Much of the July 2022 bill was in keeping with the current status quo, although did introduce:

  • Changes to the accountability framework, including alternatives to the requirements to undertake data impact assessments and appoint a data protection officer.
  • Changes to data subject access requests, to bring this into line with the UK’s freedom of information regime.
  • A data protection test: The requirements for assessing the adequacy of third countries were altered and renamed as a “data protection test” that focuses on risk-based decision-making and outcomes.
  • Reform of the Information Commissioner’s Office (ICO), including consistency in the level of fines that can be issued, bringing the Privacy and Electronic Communications Regulations in line with other legislation.

What’s new?

The reforms are said to take “the best elements of the GDPR” while providing “businesses with more flexibility”. The key changes that have been made to the updated Bill mostly provide clarification on the first draft:

  • The updated Bill now provides non-exhaustive examples of processing that is necessary for the purposes of a legitimate interest, including processing that is necessary for the purposes of direct marketing.
  • The definition of scientific research has now been updated to include that which is publicly or privately funded and whether carried out as a commercial or non-commercial activity.
  • The Bill clarifies rules regarding automated decision making where a significant decision is taken with “no meaningful human involvement”.
  • The duty to keep data processing records will now only apply to organisations whose processing activities are likely to pose a high risk to an individual’s rights.
  • The Bill confirms that businesses can continue to use their existing international data transfer mechanisms to share personal data overseas if they are already compliant with current UK data laws.

Impact and comments

The Bill confirms a new duty on public electronic communication service providers to report any “suspicious activity” to the ICO relating to unlawful direct marketing. Non-compliance could result in a £1,000 penalty. The ICO will be publishing guidance on what may constitute reasonable ground for such suspicion, but this duty is likely to mean that providers of electronic communications services may need to introduce new policies to ensure compliance.

The Bill also confirms an emphasis on safeguarding and sets out specific safeguards for research, archiving or statistical purposes, which are arguably more onerous than the GDPR (General Data Protection Regulation). Organisations will need to ensure that they have the necessary measures in place to ensure compliance.

It is also worth noting a new requirement for data subjects to raise complaints with the relevant data controller, prior to lodging a complaint with the ICO.

The Bill is not substantially different to that published in July last year and does not appear to depart significantly from the essence of the GDPR, so we hope that the adequacy decision by the European Commission, allowing data to follow freely from the EU to the UK, will not be at risk. However, until the Bill becomes law and is reviewed in full by the EC, there are no guarantees.

What’s next?

The Bill now moves to a second reading in the House of Commons, although no date has yet been set. The Bill will then make the usual progress through the House of Commons and House of Lords, before becoming law.

Contributed by Helen Bourne, partner, Clyde & Co

Back to top button