DPDI – Data Protection and Digital Information Bill
The proposed UK Data Protection and Digital Information (No.2) Bill (DPDI) is currently making its way through the legislative process. The first iteration of the Bill was introduced in July 2022, which was paused and then re-introduced as the second version in March 2023.
The new Bill is sponsored by the Department for Science, Innovation and Technology (DSIT) and seeks to reform the UK’s data protection framework, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA 2018).
This page explains the key differences between the UK General Data Protection Regulation (UK GDPR) and the proposed UK Data Protection and Digital Information Bill (DPDI)
On 29 November 2023, the Bill passed its 3rd reading in the House of Commons and moved to the House of Lords.
On 19 December 2023, the Bill was debated in a second reading in the House of Lords, where Lord Bishop of Southwell and Nottingham quoted Rob Masson, CEO of The DPO Centre.
The Lord Bishop questioned how the Bill will retain public trust and not diverge from current adequacy agreements:
‘We share the concerns of many civil society groups that the Bill will reduce transparency by weakening the scope of subject access requests, although I welcome the concern to mitigate plainly vexatious complaints. In June, the Chief Executive of The Data Protection Officer Centre said: “Whilst countries across the globe are implementing ever-more robust data protection legislation, the UK seems intent on going in the opposite direction and lowering standards.”’
On 20 March 2024, the Bill progressed to the committee stage of the House of Lords. Several new amendments have been discussed, to date, including ensuring that children’s data is part of the definition of sensitive data.
The Bill is continuing through various sittings, and we will update with further information as soon it becomes available.
UK GDPR vs DPDI BILL
| Area | UK GDPR | DPDI |
| Personal data | Defined as any information related to an identified or identifiable living person | Seeks to change the definition of personal data with the concept of an “identifiable living individual” (a more subjective definition) |
| Scientific research | Defined “in a broad manner” with examples such as “technological development and demonstration, fundamental research, applied research, and privately funded research” | Introduces a new definition of scientific research, which would include a much wider range of commercial activities |
| Legitimate interest | One of the six lawful bases for processing personal data | Introduces the concept of “recognised” legitimate interests and an exemption from the requirement to conduct a balancing test |
| Records of Processing Activity (RoPA) | Organisations are required to keep a record of processing activities (there are limited exemptions) | Controllers & processors would only need to keep a RoPA when rights and freedoms of individuals were at high risk |
| Data Protection Impact Assessments (DPIAs) | Required for all high-risk processing activities. The ICO and EU provide a list of situations when a DPIA is required | Would not be mandatory and only high-risk processing would require an assessment |
| Data Subject Access Requests (DSARs) | Requests to access personal data can be refused if judged to be “manifestly unfounded or excessive” | The concept of “vexatious or excessive” to replace “manifestly unfounded or excessive” and controllers would be able to take into account whether a request is intended to cause distress or made in bad faith |
| International data transfers | Transfers of personal data outside the UK must use appropriate safeguards such as Binding Corporate Rules (BCRs) or the International Data Transfer Agreement (IDTA) and UK Addendum | An intention to provide a clearer and more stable framework and more of a risk-based approach, recognising “alternative transfer mechanisms” |
| Data Protection Officer (DPO) | Some organisations have a mandatory obligation to appoint a DPO. Others have voluntarily appointed one | Removes the requirement to appoint a DPO. Organisations undertaking high risk processing will need to appoint a Senior Responsible Individual (SRI) who must be part of the business, but who can delegate responsibility internally or outsource |
| UK Regulator | The Information Commissioner’s Office (ICO) is an independent body, established to uphold information rights | Reform of the ICO to form a new Information Commission, which would have some government oversight |
| Automated decision making | There are restrictions on solely automated decision-making AI systems | Seeks to clarify “meaningful human involvement” in automated decision-making |
| Cookies | All cookies require informed consent and there is a limited exemption for “strictly necessary” cookies | A reduction of cookie consent banners and an expansion of the categories of cookies not requiring consent |
| PECR fines | Current fines under the Privacy and Electronic Communications Regulation (PECR) are capped at £500,000 | Maximum fines would be brought in line with current UK GDPR (up to £17.5M or 4% of annual turnover) |
DO YOU NEED HELP WITH DATA PROTECTION COMPLIANCE?
The DPO Centre provides a comprehensive range of data protection services to help build and maintain compliance with the GDPR and other local data protection laws. We have one of the largest teams of Data Protection Officers available, who have supported over 900 clients across the globe.
Our services: Outsourced Data Protection Officers (DPOs), GDPR Representatives, DSAR Response Service, Consultancy, Training, AI Explainability, DSPT Audit, Caldicott Guardians, NIS Representation, Services for Schools & Data Protection support services that are specific to Life Sciences.
We provide experienced and sector specialised professionals for all your data protection needs.
WHO WE WORK WITH
Enquire Today
Fill in your details below and we’ll get back to you as soon as possible