What you need to know about the incoming UK Data Protection Reform


Key Contact: Declan Goodwin

Author: Rachel McCulloch

It is essential for businesses to keep up to date with data protection regulations to ensure they remain compliant. Following the government’s consultation on proposals to reform the UK data regime, the Data Protection and Digital Information Bill (the “Bill”) was introduced to Parliament on 18th July 2022. So, what are some key takeaways from the Bill that you should know?


Businesses will no longer have to appoint a Data Protection Officer (“DPO”), but they will be required to have a “senior responsible individual” who is responsible for overseeing data protection compliance. The roles are similar, but the key difference is that a DPO has to be independent, whereas a senior responsible individual must be a member of the business’s senior management team.

Furthermore, instead of completing data protection impact assessments, businesses will be required to carry out an “assessment of high-risk processing”. You will still have to demonstrate your assessment and management of risks when processing personal data, but the process is simplified and the assessment will only need a summary of the purposes of the processing.

The requirement to maintain a record of processing activities is replaced with a requirement to maintain appropriate records of processing personal data. These are very similar, but you will no longer have to record categories of processing and data transfers.

Data controllers not based in the UK will no longer have to appoint a data representative in the UK.

Lawful basis

Under the UK GDPR, to process personal data, you must be able to rely on a lawful basis, one of which is legitimate interests. To use legitimate interests, you must weigh up your interest against the data subject’s rights, interests, and freedoms. The Bill introduces a number of pre-approved “recognised legitimate interests” which will not require the balancing exercise.

Unfortunately, the list is limited and focuses on the public interest such as investigating and preventing crime and reporting safeguarding concerns. It is therefore unlikely to affect common data processing activities, but the government will be able to amend and add to this list. For interests not listed, a balancing exercise will still be required when relying on legitimate interests.

Data subject rights

Data subjects can submit a subject access request (“SAR”) to obtain a copy of their data. Currently, businesses can refuse or charge for SARs if they are “manifestly unfounded or excessive”. This will be replaced with “vexatious or excessive”, with the aim of giving businesses greater scope to refuse SARs. The Bill includes examples of “vexatious or excessive” requests, including those that are an abuse of process, intended to cause distress, or not made in good faith.

Changes to international transfers

The Bill allows businesses to use a risk-based approach to international transfers, assessing the risks involved when using protective measures such as the ICO’s fairly new international data transfer agreement or UK Addendum. The UK Government will also follow a risk-based approach when deciding whether to grant adequacy status to another country.

Using cookies without consent

Currently, only “strictly necessary” cookies can be used without consent. The Bill widens the categories of cookies that can be used without consent to include cookies for purposes that the Government considers to pose a low risk to people’s privacy. These include cookies that enable website functionality and software security updates. Consent for other categories of cookies will still be required.

Privacy and Electronic Communications Regulations (PECR)

The fines under PECR will be increased to be brought in line with fines under the UK GDPR. Fines can therefore be up to the higher of £17.5 million or 4% of a business’s annual global turnover.

Keep updated

The Bill is less revolutionary than first expected, likely in order to reduce the risk of the EU withdrawing the UK’s adequacy status. This status is important because it allows the free flow of personal data between the UK and the EEA. The Bill does not replace the UK GDPR or the Data Protection Act 2018, but amends and adds to the existing legislation.

The Bill has only had its first reading in Parliament, with its second reading scheduled for September. It is likely that there will be some amendments before the Bill becomes UK law, so watch this space. For further information and assistance, please contact our Commercial and Technology Team.
