On March 8, 2023, the Department for Science, Innovation and Technology issued a press release stating that a revised Data Protection and Digital Information Bill had been re-introduced to the UK Parliament.
The Bill has been the subject of discussion for over 12 months and has been redesigned in collaboration with industry and business leaders. In June 2022, the Government published its response to the proposals from the consultations, titled Data: A New Direction. However, in September 2022, the Bill was placed on hold indefinitely while UK Ministers redesigned the Bill.
What is the UK Data Protection and Digital Information Bill?
According to the Government, the redesigned Data Protection and Digital Information Bill aims to promote research and innovation in the UK while maintaining the country’s high standard of data protection and European adequacy. Another central aim of the Government is to reduce the operational costs placed on UK businesses and remove burdens for small and medium enterprises, through a reduction in consent pop-ups and new rules for when businesses can process data without consent. The new Bill will also introduce rules to enhance the development of AI technologies and the safeguards necessary for this development, specifically in instances of automated decision-making and profiling.
Science, Innovation and Technology Secretary Michelle Donelan said: “Co-designed with business from the start, this new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs. Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR. Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.”
What are the key areas of the Bill?
Reduced record keeping requirements
Central to the key themes of the Bill, amendments have been made to reduce the operational burden on organizations. This will apply to existing record keeping obligations and demonstrable compliance whereby the updated Bill will only require organizations whose processing activities are likely to pose a high risk to the data subject (e.g., processing large volumes of personal data or processing sensitive data) to keep a record of their processing activities.
New rules for consent
While the Bill aims to reduce the number of consent notices that data subjects will see online, it will also give organizations new conditions for when they can process personal data without needing consent.
Clarity on safeguards for automated decision-making
In an attempt to instill greater public confidence in the use and development of AI technologies, the new Bill sets out rules for implementing the appropriate safeguards for individuals about whom solely automated decisions are made. Under the new Bill, organizations will be required to make data subjects aware when such decisions are made, give them the opportunity to challenge the decision, and allow them to seek human review.
Continued international transfers
The new Bill will also retain a focus on international trade and has been developed to ensure that the free flow of personal data from the UK remains in place. Organizations will be able to rely upon their existing international data transfer mechanisms, such as Standard Contractual Clauses (SCCs) and adequacy decisions, to export personal data so long as the mechanisms are already compliant with current UK data laws.
Broader research exemption
The updated Bill includes a revised definition of “scientific research” that would allow commercial organizations to benefit from the same exemptions as academic researchers when carrying out innovative scientific research, encouraging such research to take place in the commercial sector. The new definition of “scientific research” is left open to broad interpretation, such that many processing activities “could reasonably be described as scientific”, up to and including research into technological development.
Increased fines
In addition to the amendments to the operational requirements, increased fines for nuisance calls and texts will be introduced under the new Bill. These will range up to 4% of global turnover or £17.5 million, whichever is greater.
What does this mean for organizations?
There is a long way for the Data Protection and Digital Information Bill to go before it overhauls existing data protection law in the UK. The Bill’s re-introduction to Parliament is just the first stage of its journey through the UK’s legislative process, and it will still be required to undergo several committee reviews and readings.
While there is no immediate action for UK businesses to take, they can begin to assess some of their current processes and start to understand where gaps are likely to appear under any new legislative regime. Some key areas to consider include: