New ‘Data Protection and Digital Information Bill’ to reform UK Data Protection Law

New ‘Data Protection and Digital Information Bill’ to reform UK Data Protection Law

What could it mean for businesses?

On 8 March 2023 the UK government published the new draft ‘Data Protection and Digital Information (No.2) Bill’ (the Bill).

The intention of the Bill is to simplify certain aspects of data protection compliance in the UK and make compliance easier for businesses.

The Bill is vast, however some key changes which will be relevant for many UK businesses include:

  • Less recordkeeping duties: under the Bill, controllers and processors won’t need to keep records unless they are carrying out what is deemed to be ‘high risk’ data processing activities. This should reduce paperwork for businesses.
  • Changes to the requirement to appoint a DPO: Businesses currently need to appoint a Data Protection Officer (DPO) in certain circumstances. The Bill proposes to replace the DPO requirement and for businesses to instead appoint a ‘Senior Responsible Individual’ or ‘SRI’ (again in certain wider circumstances) who must be part of senior management and carry out data protection responsibilities.
  • Certain cookie law rules could but relaxed but there could be huge fines for breaching direct marketing laws: Whilst the Bill intends to simplify certain rules around using website cookies, the fines for certain direct marketing law breaches would be increased to £17.5 million or 4% of global annual turnover (whichever is the higher). This would bring these fines in lines with the UK GDPR fines and be hugely risky for businesses carrying out marketing campaigns.

Additionally, the Bill would introduce other significant changes such as a new list of ‘recognised legitimate interests’ and a wider exemption for refusing Subject Access Requests.

The Bill is not law yet and it’s likely to take some time before it comes into force. It’s expected that the UK government will want to keep the EU data protection regulators happy and so not depart too far from the GDPR regime, particularly for the purposes of transfers of personal data between the UK and EU. It therefore remains to be seen how far this proposed law reform (one fully implemented) will differ from the current GDPR rules.

We are closely monitoring development of the Bill, but in the meantime, it is vital that businesses continue to comply with the UK GDPR rules.

If you would like to discuss the Bill and how it may impact your business, contact our data protection team.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry