Data Protection in The Digital Age: The Impact of The New Bill
Key Contact: Declan Goodwin
Author: Courtney Wilbor
On Wednesday 8th March 2023, the UK Government introduced the second version of the Data Protection and Digital Information Bill. The Bill builds on the government’s 2021 consultation: “Data: a new direction”.
The Bill aims to maintain confidence in the UK’s data protection standards and to reduce the administrative burden on businesses complying with the UK General Data Protection Regulation (UK GDPR), whilst also protecting individuals’ personal data rights. Below, we highlight some of the key amendments proposed in the Bill.
Data Protection Officer (DPO)
Businesses will no longer be required to appoint a DPO. Instead, where they carry out processing that is deemed high risk, they must designate a senior responsible individual within the business who is accountable for data protection compliance. Many businesses will welcome this change, as previously a business’s DPO had to be independent of senior management.
Record of Processing
Another practical benefit of the Bill, which seeks to save businesses both time and cost, is that a business is only required to maintain records of processing where the activity is likely to present a high risk to the rights and freedoms of individuals. This means a business can carry out a risk assessment and, if its processing of personal data is found to fall below the “high risk” threshold, conclude that no record of processing is needed.
Data Protection Impact Assessment (DPIA)
Linked to the above, businesses will need to conduct an assessment of high risk processing activities under the new Bill. Whereas previously businesses had to carry out a DPIA in a prescribed form, they will now be able to tailor their assessment of risk to suit their specific business operations. As part of this, businesses will be able to introduce measures they deem proportionate to the level of risk associated with the processing activity.
Recognised Legitimate Interests
The Bill introduces a list of recognised legitimate interests that enable businesses to process personal data without having to balance their legitimate interest against the data subject’s interests, rights and freedoms. To rely on one of these, a business must demonstrate that the processing is necessary. Examples provided include processing for the purposes of national security, emergencies and the public interest. The Bill also gives the Secretary of State the power to add new categories to this list.
Automated Decision-Making
Whereas previously automated decision-making was largely prohibited, with only a few exceptions, under the new Bill it is permitted subject to the introduction of safeguards. Businesses should note, however, that where an automated decision is made wholly or partly using special categories of personal data, more demanding provisions will apply. With artificial intelligence becoming more deeply integrated into our society every day, particularly following the recent introduction of ChatGPT, this is a crucial area in which the government must ensure that the balance between business growth and the protection of individual rights and freedoms is struck appropriately.
Fines under PECR
The Bill also proposes that the maximum fines under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) should match those under the Data Protection Act 2018 and the UK GDPR. In practical terms, this gives the Information Commissioner’s Office the power to issue fines of up to £17.5 million or 4% of a business’s annual turnover, or, for other breaches of PECR, up to £8.7 million or 2% of a business’s annual turnover.
What does this mean for businesses?
The new Bill takes positive steps towards making data protection compliance easier for UK businesses.
John Edwards (UK Information Commissioner) said that he supports the Bill’s ambition to “enable organisations to grow and innovate whilst maintaining high standards of data protection rights”. Mr Edwards’ statement encapsulates the crux of the Bill and the ongoing balance that must be struck between providing businesses with the power to expand and develop, whilst also ensuring that data subjects’ rights and autonomy are respected in doing so.
Whilst some may be disappointed that the Bill has not diverged further from the EU GDPR, it is worth noting that the government is likely to have in mind the EU-UK adequacy review planned for 2024.
We will continue to track the Bill’s progress and provide further detailed comments on each of the key changes as it edges closer to becoming law.
For further information please get in touch with our Commercial and Technology Team.