UK Data Protection Regime Reform: Data Protection And Digital Information Bill Introduced To Parliament

Published date: 27 July 2022
Subject Matter: Privacy, Data Protection
Law Firm: Harrison Drury Solicitors
Author: Mr David Edwards and Charles Mather

On 18 July 2022, the Data Protection and Digital Information Bill (DPDI) was introduced to Parliament. The Bill, which was previously known as the Data Reform Bill, is the result of the Department for Culture, Media and Sport (DCMS) consultation of last year. David Edwards and Charles Mather from our regulatory and compliance team outline the main features in the new bill.

The aim of DPDI is to update and simplify the UK's data protection framework. A second reading of the bill in Parliament will take place in the autumn.

The objectives of DPDI include reducing barriers to responsible innovation, reducing burdens on business while delivering better outcomes for individuals, and boosting trade and reducing barriers to data flows, all with the intention of making the UK a world-leading data marketplace where individuals are empowered by the responsible use of personal data.

The Bill will impact upon businesses' approach to collecting and processing personal data, and reform some of the lawful avenues for processing personal data in the public sector.

The practical implications that businesses will face include the following:

  • Changes to the accountability framework - DPDI enables businesses to take a more risk-based and flexible approach to accountability, underpinned by a privacy management program (PMP). For instance:
    • The requirement for mandatory data protection officers will be replaced with the requirement to appoint a designated senior individual (DSI), who will be responsible for embedding a culture of data protection across the business.
    • Businesses will still be required to identify, manage and mitigate data risks, but the requirement to carry out data protection impact assessments (DPIAs) will be removed.
    • As a part of their PMP activities, businesses will be required to maintain personal data inventories. However, in contrast to the current requirement to maintain records of processing activities, businesses will be granted greater flexibility, and the Article 30 UK GDPR requirement to maintain records of processing activities will be removed.
  • Legitimate interests - DPDI will introduce a limited set of circumstances in which businesses/organisations can rely upon legitimate interests as a lawful means for processing personal data without applying the 'balancing test' (the balancing of legitimate interests against the fundamental rights and freedoms of individuals), and without resorting to consent. The current list is largely limited to...
