The UK’s data protection and privacy landscape remains largely the same since Brexit, with the UK General Data Protection Regulation (UK GDPR) retaining substantially the same rules as exist in the EU, and the Data Protection Act 2018 (DPA) and Privacy and Electronic Communications Regulations (PECR) remaining unchanged.
In 2022, however, the UK government proposed significant changes to that framework in the Data Protection and Digital Information Bill (the “Bill”), which would amend the UK GDPR, the DPA, and PECR.
The first version of the Bill was introduced in July 2022, but the government introduced a second version in March 2023 and tabled hundreds of amendments this November. The Bill is currently at second reading at the UK’s House of Lords, and is expected to pass in 2024.
Updates in the new version of the Bill
Among other provisions, the Bill:
- Introduces a new definition of “personal data” limited to information that can be used to identify an individual via “reasonable means”.
- Sets new rules for using personal data in scientific, historical, and statistical research, including by specifying that such research may be conducted for commercial as well as non-commercial purposes.
- Introduces a new legal basis of “recognised legitimate interests” in areas such as democratic engagement, national security, and crime prevention, under which a controller does not need to conduct a full “legitimate interests assessment”.
- Reconstitutes the Information Commissioner’s Office (ICO) as the Information Commission (IC), with changes to its governance, responsibilities, and enforcement powers. The Commission will be required to have regard to the government’s priorities and to other factors such as innovation and national security.
- Replaces the Data Protection Officer (DPO) role with a “Senior Responsible Individual” (SRI), who must be a member of the senior management team but may delegate their tasks to other persons.
- Changes the thresholds and requirements for keeping Records of Processing Activities (RoPA), with the stated aim of offering organisations more flexibility.
- Increases PECR fines from the current maximum of £500,000 up to £17.5 million or 4% of global annual turnover, whichever is higher.
- Introduces new exceptions to PECR’s cookie consent rules in areas such as analytics, security, and accessibility.
- Proposes a new digital identity system, where individuals can obtain a verifiable digital identity through Digital Verification Services (DVS).
- Proposes the creation of “smart data” schemes in consumer markets, similar to the open banking model.
On November 24, 2023, the UK government and other Members of Parliament tabled hundreds of amendments to the Bill, including:
- A controversial proposal for banks to provide access to data about the bank account of certain benefit claimants.
- A new requirement for social media companies to preserve personal data in cases of child suicide for potential investigations or inquests.
- New rules on the use of biometric data in counterterrorism.
We’ll be keeping our eyes peeled and ears open for further updates to the bill.
HewardMills is ready to partner with and support your organisation in safeguarding personal data and tackling ever-evolving global data protection requirements. Contact our team if you would like to discuss any of the topics or regulatory updates covered here.