Did you know that the UK’s Data Protection Policy is being reformed?

Recently, on the 8th of March 2023, upon removal of the first Data Protection and Digital Information Bill, the UK Government introduced the 2nd version of the DPDI Bill. In an official press release, Secretary Donelan described this as a “new common-sense-led UK version of the EU GDPR which will reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online.”

Michelle Donelan stated that a strengthened data regime will save the UK economy more than £4 billion over the next 10 years and ensure data privacy is securely protected.

What might the DPDI Bill mean for a DPO?

The original Bill removed the requirement for an organisation to appoint an independent DPO. Instead, a “senior responsible person” (SRI), employed by the organisation, would provide oversight of its data use. According to the revised Bill, an organisation will only need to appoint an SRI if its data controller or processor is a public body, or if it carries out processing that poses a ‘high risk’ (i.e. has the potential for any significant physical, material or non-material harm to individuals).

What could the DPDI Bill (No 2) mean for businesses?

Data-driven trade generated 85 per cent of the UK’s total service exports and contributed an estimated £259 billion to the economy in 2021. The new DPDI Bill (No 2) aims to introduce more flexibility for businesses in terms of how they manage their record keeping and compliance with data protection legislation.

In addition, the proposed changes to the cookies regime are positioned as giving more flexibility; for example, the changes may allow the use of certain analytical cookies without consent where the data is being used to improve services/websites. Businesses will need to consider the proposed requirements of DPDI Bill (No 2) carefully and understand how it will change UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) 2003. In addition, businesses will need to check that their current standards and internal processes meet the proposed new requirements established by DPDI Bill (No 2).

Of course, there’s a parliamentary process to complete before the bill becomes law. Some argue that having separate data protection standards to comply with in the U.K. will add additional compliance burdens to businesses operating globally. They also argue that any movement away from, or watering down of, GDPR standards may threaten the U.K.’s adequacy status. Considering this, it remains to be seen what aspects of the bill make it into law.

At HewardMills we actively work with clients to advise and guide on GDPR and compliance. We have Subject Matter Experts who can support you with any queries you may have in the light of this announcement.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.