What could it mean for businesses?
On 8 March 2023 the UK government published the new draft ‘Data Protection and Digital Information (No.2) Bill’ (the Bill).
The intention of the Bill is to simplify certain aspects of data protection compliance in the UK and make compliance easier for businesses.
The Bill is vast; however, some key changes which will be relevant for many UK businesses include:
- Fewer recordkeeping duties: under the Bill, controllers and processors won’t need to keep records unless they are carrying out what is deemed to be ‘high risk’ data processing activities. This should reduce paperwork for businesses.
- Changes to the requirement to appoint a DPO: Businesses currently need to appoint a Data Protection Officer (DPO) in certain circumstances. The Bill proposes to replace the DPO requirement, with businesses instead appointing a ‘Senior Responsible Individual’ or ‘SRI’ (again in certain wider circumstances) who must be part of senior management and carry out data protection responsibilities.
- Certain cookie law rules could be relaxed, but there could be huge fines for breaching direct marketing laws: Whilst the Bill intends to simplify certain rules around using website cookies, the fines for certain direct marketing law breaches would be increased to £17.5 million or 4% of global annual turnover (whichever is the higher). This would bring these fines in line with the UK GDPR fines and be hugely risky for businesses carrying out marketing campaigns.
Additionally, the Bill would introduce other significant changes such as a new list of ‘recognised legitimate interests’ and a wider exemption for refusing Subject Access Requests.
The Bill is not law yet and it’s likely to take some time before it comes into force. It’s expected that the UK government will want to keep the EU data protection regulators happy and so not depart too far from the GDPR regime, particularly for the purposes of transfers of personal data between the UK and EU. It therefore remains to be seen how far this proposed law reform (once fully implemented) will differ from the current GDPR rules.
We are closely monitoring development of the Bill, but in the meantime, it is vital that businesses continue to comply with the UK GDPR rules.
If you would like to discuss the Bill and how it may impact your business, contact our data protection team.