Data Protection And Digital Information Bill: Our First Impressions

Published date: 26 July 2022
Subject matter: Privacy, Data Protection
Law firm: Herbert Smith Freehills
Authors: Ms Miriam Everett and Duc Tran

Following the UK Government's publication of its response to the DCMS consultation on the Data Reform Bill last month (see our blog post on this here), the UK Government has published and introduced to Parliament a 192-page draft text which now has a new name: the Data Protection and Digital Information Bill. The new bill is accompanied by a set of Explanatory Notes.

The new bill is broken up into six parts (data protection; digital verification services; customer data and business data; other provisions about digital information; regulation and oversight; and final provisions) and, as promised in last month's consultation response, it contains provisions which serve to amend rather than replace the existing UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003.

Clarification of existing legislation

In terms of the drafting itself, the new bill largely reflects the UK Government's plans set out in the consultation response and so there are few surprises. Our overall impression is that it seeks to clarify the existing legislation in ways that are sometimes welcome. For example, Article 12A (relating to data subject rights) replaces the vague concept of "manifestly unfounded or excessive" with "vexatious or excessive" and provides examples of requests that meet this threshold. In addition, Article 22 (relating to automated decision making) now defines what amounts to a "significant decision" and what a "decision based solely on automated processing" is by making explicit reference to meaningful human involvement.

Accountability and governance provisions

In contrast, the sections which serve to amend a number of the "accountability and governance" obligations currently set out in the UK GDPR are surprisingly cumbersome given that they are intended to streamline compliance for UK organisations. The requirement to appoint a DPO has been replaced with a requirement to designate a "senior responsible individual", for which the qualifying threshold is lower but the requirements for the role are almost as prescriptive. The requirement to maintain records of processing activities has been replaced with a requirement to maintain "records of processing of personal data", which covers very similar ground. While the concept of an "assessment of high risk processing", which replaces the requirement to conduct data protection impact assessments, is less prescriptive about what needs to be addressed in the...
