New Data Protection and Digital Information Bill announced

In a long-awaited and significant development, the government has announced that the new Data Protection and Digital Information Bill will finally be introduced in Parliament today.

A consultation on post-Brexit reforms to the UK’s data protection regime concluded in autumn 2021, but the subsequent Bill stalled in 2022 following the change in Prime Ministers.

Our Data Protection, International Trade and Technology & Digital specialists Jeanette Burgess, Andrew Northage and Sally Mewies summarise the key points.

The Data Protection and Digital Information Bill: A new post-Brexit regime

The government says the new “common-sense-led UK version of the EU’s GDPR will reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online”.

Ministers co-designed the Bill with key industry and privacy partners including Which? and TechUK. Here are some of the key features:

  • A clear and business-friendly framework that will not be difficult or costly to implement, giving businesses more flexibility about how they comply.
  • Maintaining EU data adequacy and wider international confidence in the UK’s data protection standards, and supporting more international trade without creating extra costs. Businesses will be able to continue to use their existing international data transfer mechanisms to share personal data overseas if they’re already compliant with current UK data laws.
  • Reducing the paperwork required to show compliance. Only organisations whose processing activities are likely to pose high risks to individuals’ rights and freedoms will need to keep processing records.
  • Giving organisations greater confidence about when they can process personal data without consent.
  • Reducing the number of consent pop-ups people see online.
  • Increasing public and business confidence in AI technologies by clarifying when robust safeguards apply to automated decision-making. People will be made aware when such decisions are made and can challenge and seek human review when those decisions may be inaccurate or harmful. New measures clarify that profiling is subject to the same set of robust safeguards for automated decision-making when a significant decision is taken about a person with no meaningful human involvement.
  • Increasing fines for nuisance calls and texts to up to 4 per cent of global turnover or £17.5 million, whichever is greater.
  • Establishing a framework for the use of trusted and secure digital verification services, allowing people to prove their identity digitally if they choose to do so.
  • Unleashing more scientific research. The Bill updates the definition of scientific research to clarify that commercial organisations will benefit from the same freedoms as academics to carry out innovative scientific research.

A welcome development?

We already knew that a key component of the new Data Protection and Digital Information Bill would involve reducing the burdens on businesses. That has been signposted again, but the devil will be in the detail. The Bill still has a long way to go. While we know there will be changes to cookie consent requirements, it’s still not clear exactly how that will work. There was no mention of controls on data subject access requests, which we know many businesses are keen to see. We’ll be monitoring and reporting on developments as the Bill progresses.

Businesses have already spent a lot of time, money and effort ensuring data protection compliance under the GDPR. We’ll need to wait and see whether the government can truly deliver on its promise that the new framework will not be difficult or costly to implement.

Progress on the new Bill will also be closely watched in Europe. Much is made in the announcement about organisations no longer having to struggle with the barriers of the European regime. The government says the UK’s proposed new rules seek to ensure data adequacy, while moving away from the ‘one-size-fits-all’ approach of the EU GDPR. It remains to be seen whether the UK will be successful in navigating that balance between the two.

How we can help

Please contact Jeanette, Andrew or Sally if you have any initial questions on the Data Protection and Digital Information Bill, or otherwise need advice or assistance with data protection compliance, related international trade or technology issues.

Andrew Northage, Partner, Regulatory & Compliance

Jeanette Burgess, Managing Partner

Sally Mewies, Partner, Head of Technology & Digital