What does the UK’s new Data Protection Bill mean for UK data?

Before it left the European Union on 31 December 2020, the UK implemented the General Data Protection Regulation (GDPR), via the Data Protection Act (DPA) which came into effect on 25 May 2018.

The DPA controls how businesses and government organisations use and store personal information in the UK, setting out a range of data protection principles including requirements to use data ‘fairly, lawfully, and transparently’. The DPA also sets out rights for UK data holders, such as the right to know how their data is being used, and the right to prevent or restrict firms from processing their data. 

With personal data being an increasingly important regulatory focus in jurisdictions around the world, the UK government recently indicated that it would be exploring new data protection regulations to replace and reform those introduced by the GDPR.

With that in mind, a proposed new Data Protection Bill was submitted to Parliament in July 2022. It aims to modernise UK data regulation by creating a “more pro-growth, pro-innovation” regime while continuing to maintain data protection standards. 

Although the new Data Protection Bill will not come into effect for some time, it’s vital that UK businesses understand how it will affect the UK’s data protection landscape, and their own regulatory compliance efforts. 

Why is the new Data Protection Bill being introduced?

The proposed Data Protection and Digital Information Bill intends to account for a changing global cybersecurity landscape, including emerging technological innovations and criminal methodologies, and to allow the UK to take advantage of its new regulatory powers now that it has left the EU.

While the GDPR enhanced personal data protection across the bloc with sweeping new regulations, many businesses found the new compliance burden challenging, while authorities struggled, in some cases, to enforce its rules.

Under a reformed bill, the UK government hopes to increase regulatory flexibility and boost commercial opportunities, while maintaining robust protection for individuals. 

Following a consultation in 2021, the UK government identified a range of key regulatory issues with existing data protection regulation, and set out the following objectives for the new DPA:

• Reducing barriers to responsible innovation: The DPA will seek to clarify the interpretation of current UK data laws and personal data processing in order to increase the certainty of businesses using new data-driven technologies. 

• Reducing burdens on businesses and delivering better outcomes for people: The DPA will ‘strengthen accountability requirements while providing opportunity and flexibility’ for businesses during the processing of personal data. 

• Boosting trade and reducing barriers to data flows: The DPA will introduce reforms that eliminate ‘unnecessary obstacles to cross-border personal data flows,’ with the goal of creating an ‘ autonomous UK international transfers regime’.

• Delivering better public services: The DPA will enhance public services by implementing better data-sharing practices and increasing the transparency of government data processing activities. It will also simplify the legal process of the police’s ‘use and retention’ of biometric data. 

• Reform the Information Commissioner’s Office: The DPA will include proposals to introduce a ‘modern governance framework’ to the ICO, including an independent board. 

Data Protection Impact

The measures set out in the new Data Protection Bill will amend many existing GDPR rules. Key provisions include:

Personal data: If passed, the new DPA will adjust the definition of ‘personal data’ insofar as data protection rules apply to that term. It will apply the term ‘personal data’ in the following contexts: 

• Information identifiable “by the controller or processor by reasonable means at the time of the processing” 

Or,

• Contexts in which the data controller or processor “knows, or ought reasonably to know, that another person will or is likely to, obtain the information as a result of the processing, and the individual will be or is likely to be, identifiable […] by that person by reasonable means at the time of the processing.”

Under the new rules, data controllers and processors would be responsible for assessing the identifiability of personal data, and only at the point at which they processed it. Businesses would not have to worry about the potential identifiability of the data in the future. 

Accountability

The new DPA will streamline the data protection accountability process within firms by removing the need for Data Protection Officers (DPO) and replacing them with a “senior responsible individual.”

The responsible individual would implement a company-specific privacy programme, and delegate data protection risk management to relevant persons. The DPA will also remove the requirement that overseas companies appoint a UK representative to oversee compliance with UK data privacy rules. 

International transfers

Under the new rules, businesses would be able to take a risk-based approach to international data transfers, implementing appropriate mitigation measures where they determine there may be a risk to personal data.

Where data is transferred across borders, firms would be required to ensure that data protection standards in the third country were “not materially lower” than in the UK. 

Data access requests

The DPA will adjust the GDPR’s Data Subject Access Request (DSAR) regime. Under the new rules, firms will be able to refuse DSARs that are “vexatious or excessive” – as opposed to the GDPR requirement that they are “manifestly unfounded”.

Legitimate interests

The DPA will remove the need for firms to use a balancing test in order to establish legitimate interest before processing subjects’ personal data.

In practice, this means that firms will not necessarily need to obtain consent from subjects before processing personal data. Instead, the government will create a whitelist of legitimate interests, such as public interest, national security, and safeguarding, which allow for data processing to proceed.  

Data protection challenges on the horizon

While UK businesses have welcomed the prospect of greater flexibility and reduced EU red tape, some observers have expressed concern at the extent of the deregulation in the proposals.

The personal data provisions in the new DPA, for example, will likely reduce the amount of data that is protected and the contexts in which personal information is protected.

Similarly, under the new international transfer rules, the movement of personal data from third countries, such as the United States, into the EU, may also raise regulatory challenges, especially since some EU authorities suggest that the GDPR does not allow for a risk-based approach to data protection.  

When the UK left the EU, the EU found that the UK’s data privacy regime had achieved “adequacy” in its compliance with the GDPR. The finding allowed for the transfer of personal data between the UK and the EU, and was crucial to business continuity, saving up to £460 million in costs, and up to $410 million in export revenue. The new DPA may threaten that adequacy finding if the EU determines that the data reforms do not meet GDPR standards. 

Given the potential for disruption, UK businesses should monitor the progress of the new DPA closely, and be prepared to review their personal data compliance solutions as the UK government explores new regulatory possibilities. 

Keep ahead of emerging data regulations by speaking to CUBE.