What is the Data Protection and Digital Information Bill (DPDI)?

What is the Data Protection and Digital Information Bill?

The UK government has introduced the Data Protection & Digital Information Bill (DPDI), which aims to make the EU General Data Protection Regulation (GDPR) more manageable in lower-risk situations while maintaining high data protection standards. Multinational companies operating in both the UK and the EU will still need to comply with the GDPR; however, companies operating only in the UK will only need to comply with the DPDI, which should be easier as the requirements are less burdensome in certain areas. This article will focus on the current version of the DPDI (Bill 143) and explain how the changes will improve the existing legislation surrounding data protection in the UK.

The Difficulties of Aligning the Data Protection and Digital Information Bill and the GDPR

Many companies are facing challenges in becoming GDPR compliant due to the ongoing reporting and management required. Additionally, they are having difficulties appointing Data Protection Officers (DPOs) and other relevant personnel as there is a shortage of skilled cybersecurity professionals. And let’s not forget that companies don’t have unlimited resources. Moreover, many companies are unsure about their compliance status and struggle to enforce security policies and best practices. Despite public concern about data security, boards have lost interest in the GDPR after the initial hype and are failing to make it a priority. Another reason why companies are not fully complying with the GDPR is because many fail to locate personal data within the required timeframe, which is partly caused by the reliance on cloud-based services. Of course, there isn’t a simple solution to these problems, as cybersecurity isn’t a directly profitable endeavor. However, the DPDI aims to make life easier for companies, without sacrificing data protection standards.

Anticipated Timelines/Deadlines of the DPDI

Predicting the exact timings of the DPDI is challenging, but it is estimated that it may take around a year for the DPDI Bill to become an Act (approximately by March 2024). After that, most provisions will come into effect on dates specified by the Secretary of State.

Key Changes to the 2022 Version of the DPDI Bill

The Data Protection and Digital Information Bill was introduced to the House of Commons on 18 July 2022. The second reading of the DPDI Bill, which was originally slated for 5 September 2022, was postponed by the Government. This decision was made following the election of Elizabeth Truss as leader of the Conservative Party, as Ministers needed more time to review the DPDI Bill. On 8 March 2023, the original DPDI Bill was withdrawn. However, on the same day, the Data Protection and Digital Information Bill (No. 2) was introduced. This new Bill largely mirrors the content of the withdrawn version. Below is a summary of the key changes made to the 2022 version of the DPDI Bill:

The definition of “personal data”

DPDI Bill 143 aims to change the definition of personal data in the Data Protection Act 2018. It states that information will be considered personal data if the individual can be identified by the controller or processor, or if the information can be obtained by another person and used to identify the individual. The DPDI Bill also expands on when an individual may be directly or indirectly identifiable based on whether additional information is needed.

Legitimate interests

Bill 143 suggests a departure from the current requirement of conducting a ‘legitimate interests’ assessment’ under Article 6 of the UK GDPR, and instead adopts a predetermined list of ‘recognized legitimate interests’. The current list includes:

• Participation in democratic processes
• Ensuring national security
• Maintaining public security and defense
• Processing necessary for the public interest
• Protecting vulnerable individuals
• Detecting, apprehending, or investigating crime
• Responding to emergencies

International data transfers

Bill 143 introduces changes to the UK’s approach to international data transfers. The DPDI Bill replaces the ‘adequacy test’ with a new ‘data protection test’ that considers the data protection levels in third countries. Factors such as respect for human rights, existence of an enforcement authority, and arrangements for data subject redress will be considered. The DPDI Bill also allows the Secretary of State to issue regulations specifying standard data protection clauses. In addition, the Information Commissioner’s Office has updated its guide on Binding Corporate Rules.

Data Subject Access Requests (DSARs)

Bill 143 proposes changes to data subject access requests (DSARs) that allow controllers to refuse to respond to requests that are considered vexatious or excessive. The DPDI Bill defines vexatious requests as those that are intended to cause distress, not made in good faith, or an abuse of process. Factors like the nature of the request, the relationship between the data subject and controller, and the resources available to the controller will be considered when determining if a request is vexatious or excessive.

The definition of “research”

The DPDI Bill modifies the definition of research and statistical purposes. It includes any research that can be described as scientific, which encompasses technological development, fundamental research, and applied research. Consent for scientific research must align with ethical standards relevant to the specific research area. Consent can also be given when the specific purposes for data processing cannot be fully identified.

Automated decision-making (ADM)

Bill 143 seeks to bring significant changes to the regulation of automated decision-making. It proposes that decisions made solely through automated processing should have no human involvement. Additionally, individuals will only have the right to human intervention in decisions that are considered ‘significant’ rather than ones that have legal effects or significant impacts on them.

Data Protection Officers (DPOs)

Instead of a Data Protection Officer (DPO), Bill 143 requires organizations to designate a ‘senior responsible individual’ for high-risk processing, who will be a member of the organization’s senior management. This individual will be accountable for handling data protection issues, including managing data breaches and addressing complaints related to data processing. Examples of ‘high-risk processing’ will be published by the Information Commissioner’s Office (ICO).

Data Protection Impact Assessments (DPIAs)

The requirement for Data Protection Impact Assessments (DPIAs) will be replaced by an assessment of high-risk processing (AHRP). The DPDI Bill eliminates the scenarios that previously required a DPIA/AHRP and the necessity of consulting a data protection officer (DPO) during the process.

Records of Processing Activities (ROPAs)

Under the new Bill, controllers and processors would no longer be obligated to maintain records of processing activities (ROPAs). However, under Article 30A of the UK GDPR, controllers are still required to keep appropriate records of processing personal data, including information such as the location of the data, purposes for processing, sharing details, retention period, special categories of data, and data related to criminal convictions. Processor records must include information about the controller and data location. Both controller and processor records should also include information about data security, if possible.

Cookies and tracking technologies

Bill 143 introduces changes to the regulation of cookies and tracking technologies. It expands the types of cookies that can be placed on a user’s device without their consent to include those used for statistical information and service improvement. The DPDI Bill also authorizes the Secretary of State to create regulations allowing for automatic consent or objection to cookies, reducing the need for individuals to manually accept or reject cookies on multiple websites.

Changes to the ICO

Bill 143 proposes significant changes to the ICO, including changing its name to the Information Commission. The DPDI Bill also suggests changes to the regulator’s governance structure, duties, and enforcement powers. The Information Commission’s main objective would be to ensure an appropriate level of protection for personal data and promote public trust in data processing. The DPDI Bill also emphasizes the importance of promoting competition and innovation. The UK’s Information Commissioner, John Edwards, believes that the reforms in Bill 143 strike a good balance and align with the ICO’s strategic plan (ICO25), which outlines its goals for the next three years.

Data subject rights

Amendments related to data subject rights are specified in Clauses 7 to 10 of Bill 143. There is a clarification of information provision obligations, with no significant alterations, to ensure that the exemption for disproportionate effort or impossibility outlined in Article 14(5)(b) of the UK GDPR applies to all processing activities that involve data not obtained directly from the data subject.

Digital verification services

Bill 143 defines verification services as services that verify information about an individual and confirm it to another person. Digital verification services (DVS) are these services provided online. The Secretary of State must create a document called a DVS trust framework to outline the rules for providing DVS. They must also establish a register of DVS providers and can issue trust marks for DVS.

Direct marketing

Bill 143 includes a new definition for direct marketing in the Privacy and Electronic Communications Regulations (PECR), defining it as any communication of advertising or marketing material that targets specific individuals. Additionally, the DPDI Bill suggests increasing fines for nuisance calls and texts under the PECR to align with the penalties outlined in the UK GDPR, which could be up to 4% of global turnover or £17.5 million, whichever is higher.

UK representatives

Clause 13 of Bill 143 aims to eliminate the obligation stated in Article 27 of the UK GDPR, which necessitates controllers and processors to designate a representative based in the UK.

Business data/open data

Bill 143 seeks to streamline the implementation of ‘smart data schemes’, which would foster data exchange between businesses. These schemes would grant authorized third parties the ability to securely access and share data, as requested by the customer.

Will the DPDI Affect UK’s Ability to Offer Digital Services to the EU?

The EU Commission has the power to end, suspend, or modify its decision permitting free transfer of personal data from the EU to the UK if it deems the UK does not provide sufficient data protection. However, the UK government aims to maintain adequacy and many changes in the DPDI Bill simply clarify and simplify compliance rather than reduce data protection. Even if adequacy is revoked, organizations can still transfer data using standard contractual clauses or other mechanisms. Nevertheless, this would create additional challenges for companies transferring data between the EU and UK.

What are the Key Practical Action Points?

Organizations operating in the UK should closely monitor the progress of the DPDI Bill and assess any modifications needed to align with it once it becomes law. They must determine whether to continue adhering to the GDPR or transition to the UK’s own standards when the DPDI Bill is enacted. Although the DPDI Bill introduces some additional requirements, they are not significant. Moreover, the DPDI Bill adopts a more practical approach and provides clarification in certain aspects, simplifying the exploration of new technologies, including AI. The reduced formalities and paperwork will enhance efficiency and reduce compliance costs, without sacrificing data protection standards. The elimination of uncertainty surrounding fundamental business functions enables organizations and the ICO to focus their efforts on areas that genuinely jeopardize the privacy of individuals.

How Lepide Can Help?

The Lepide Data Security Platform offers numerous features that can help organizations comply with most, if not all, data privacy laws. The most relevant features are summarized below:

Holistic view of activity across all systems: The platform provides a centralized view of all systems, both on-premises and cloud-based, that store personal data belonging to UK/EU citizens. Via an intuitive dashboard you can view full details of all changes taking place across your IT infrastructure, such as changes in user access, permissions, configurations, and more.

Data discovery & classification: Lepide’s built-in data classification feature will scan your repositories, whether on-premises or cloud-based, and tag personal data as it is found. This makes it a lot easier to search for specific records, and thus comply with subject access requests.

Immediate breach notifications: The platform can send immediate breach notifications based on unusual levels of activity or anomalous behavior. This helps organizations detect and respond to potential data breaches in a timely manner.

Audit reports to demonstrate compliance: The platform generates audit reports that clearly demonstrate permission changes, and other relevant information, over a given period. It can also automate the generation, scheduling, and delivery of audit reports. These reports provide evidence of compliance with the DPDI/GDPR requirements for managing and monitoring access to personal data.

Archive of audit data: The Lepide platform allows you to archive audit data for as long as required or recommended, thus helping you demonstrate compliance with the DPDI/GDPR’s requirements.

If you’d like to see how the Lepide Data Security Platform can help you comply with the DPDI, schedule a demo with one of our engineers or start your free trial today.