Top takeaways from the new Data Protection and Digital Information (No.2) Bill

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on Digital Trust, Privacy, Information Security, Supply Chain security, and Environmental, Health, and Safety topics.

March 10, 2023 - On 8 March 2023, the UK government published the Data Protection and Digital Information (No.2) Bill. The core regulatory requirements of the UK's General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018 are retained in the proposals, with controller and processor obligations and data subject rights unaffected. Organizations will not need to make wholesale changes to maintain compliance with the proposed data protection reforms and there are positive operational developments that will help companies.

The proposals include the ability for controllers to consider their resources, and the intention of the request when determining a response to data subject access rights (DSARs). Controllers would be able to factor in whether a request was intended to cause distress, was made in bad faith, or is an abuse of process. With DSAR compliance a continuing challenge for businesses, this may, in some cases, provide welcome respite and reduce a costly administrative burden. On this topic, the proposals also reword the “manifestly unfounded or excessive” threshold as “vexatious or excessive," although the material benefits are not yet discernible on this point.

Among the more significant proposals are changes to requirements around the lawful basis for processing personal data and the inclusion of additional activities in the list of recognized legitimate interests. These additions are direct marketing, intra-organizational transmission of data, and network and information systems security. It is important to note that the requirement remains for controllers to balance business interests with data subjects’ rights and freedoms, even if the processing activity is on the new list of permitted legitimate interests.

In an effort to "unlock new discoveries," the proposals list types of scientific research including applied or fundamental research or innovative research into technological development. There is also clarification that public health research is only scientific research if it is in the public interest.

There may be opportunities to streamline and simplify operational privacy activities, but don't get too excited and restructure your privacy team or privacy program yet. Just because there is a reduced regulatory requirement for "pointless paperwork" doesn't mean you should be putting those record of processing activities (ROPA) and the Data Protection Impact Assessment (DPIA) in the metaphorical shredder or bidding farewell to your Data Protection Officer (DPO).

Reducing the legal importance of ROPAs and DPIAs doesn't lessen their value as an effective mechanism for identifying and managing privacy risks in new projects or changes to existing processing activities, even if they aren't likely to result in a high risk to the rights and freedoms of data subjects. Nor does rebranding DPOs as “Senior Responsible Individuals” (SRIs). The importance of an effective and independent data protection function that reports to the highest levels of an organization should not be underestimated.

Deregulating data protection doesn't remove the commercial benefits of a privacy framework, of knowing your data, reducing risks to the organization and individuals, and improving organizational resilience, however big or small the business. Yes, corporations might have less “paperwork” in theory, but the importance of understanding the data processed and the risks involved remains. The reality of a breach that could have a significant reputational impact on revenues will make an organization wish they still knew their processes and had data flows documented.

Augmenting the domestic legal framework for data protection, the UK Government also introduces risk to the UK’s data adequacy decision recently granted by the European Commission (EC). The proposals are currently just proposed changes, and the parliamentary legislative process will need to full run its course before any legislation is finalized and implemented. For now, the most salient advice for any organization is to wait and see before making any changes to existing privacy programs.

Read more insights from Matthew Goodbun in What can we learn from the Data Protection Commission’s 2022 Annual Report?

Visit Privacy and data protection consulting to learn more about embedding data protection at the heart of your organization. For more insights on other digital trust, privacy, information security, supply chain security, and environmental, health, and safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.