DPDI – Data Protection and Digital Information Bill
Information updated 25 October 2024
The UK Data Protection and Digital Information (No.2) Bill (DPDI) aimed to reform the UK’s data protection framework and was officially abandoned as a result of the dissolution of parliament on 30 May 2024, ahead of the general election in July 2024.
Although the Bill was abandoned, this information provides insight into the proposed reforms, which could influence future legislative changes.
This page explains the key differences between the UK General Data Protection Regulation (UK GDPR) and the previously proposed UK Data Protection and Digital Information (DPDI) Bill.
History of the DPDI Bill
The Bill’s path was anything but straightforward. First introduced in July 2022, it was paused and then re-introduced as the second version in March 2023.
On 29 November 2023, the Bill passed its 3rd reading in the House of Commons and moved to the House of Lords.
On 19 December 2023, the Bill was debated in a second reading in the House of Lords, where the Lord Bishop of Southwell and Nottingham highlighted various concerns and quoted Rob Masson, CEO of The DPO Centre:
‘In June, the Chief Executive of The Data Protection Officer Centre said: “Whilst countries across the globe are implementing ever-more robust data protection legislation, the UK seems intent on going in the opposite direction and lowering standards.”’
Lord Bishop of Southwell and Nottingham, Dec 2023
On 20 March 2024, the Bill progressed to the committee stage of the House of Lords, where it was then halted and ultimately abandoned, following the announcement of a general election by Rishi Sunak on 22 May 2024.
Below is a comparison of the key areas of the UK GDPR versus the abandoned DPDI Bill.
UK GDPR vs DPDI BILL
| Area | UK GDPR | DPDI |
| --- | --- | --- |
| Personal data | Defined as any information related to an identified or identifiable living person | Seeks to change the definition of personal data with the concept of an “identifiable living individual” (a more subjective definition) |
| Scientific research | Defined “in a broad manner” with examples such as “technological development and demonstration, fundamental research, applied research, and privately funded research” | Introduces a new definition of scientific research, which would include a much wider range of commercial activities |
| Legitimate interest | One of the six lawful bases for processing personal data | Introduces the concept of “recognised” legitimate interests and an exemption from the requirement to conduct a balancing test |
| Records of Processing Activity (RoPA) | Organisations are required to keep a record of processing activities (there are limited exemptions) | Controllers and processors would only need to keep a RoPA when the rights and freedoms of individuals were at high risk |
| Data Protection Impact Assessments (DPIAs) | Required for all high-risk processing activities. The ICO and EU provide a list of situations in which a DPIA is required | Would not be mandatory; only high-risk processing would require an assessment |
| Data Subject Access Requests (DSARs) | Requests to access personal data can be refused if judged to be “manifestly unfounded or excessive” | The concept of “vexatious or excessive” would replace “manifestly unfounded or excessive”, and controllers would be able to take into account whether a request is intended to cause distress or is made in bad faith |
| International data transfers | Transfers of personal data outside the UK must use appropriate safeguards such as Binding Corporate Rules (BCRs) or the International Data Transfer Agreement (IDTA) and UK Addendum | An intention to provide a clearer and more stable framework and more of a risk-based approach, recognising “alternative transfer mechanisms” |
| Data Protection Officer (DPO) | Some organisations have a mandatory obligation to appoint a DPO. Others have voluntarily appointed one | Removes the requirement to appoint a DPO. Organisations undertaking high-risk processing would need to appoint a Senior Responsible Individual (SRI), who must be part of the business but can delegate responsibility internally or outsource it |
| UK Regulator | The Information Commissioner’s Office (ICO) is an independent body, established to uphold information rights | Reform of the ICO to form a new Information Commission, which would have some government oversight |
| Automated decision making | There are restrictions on solely automated decision-making AI systems | Seeks to clarify “meaningful human involvement” in automated decision-making |
| Cookies | All cookies require informed consent, with a limited exemption for “strictly necessary” cookies | A reduction of cookie consent banners and an expansion of the categories of cookies not requiring consent |
| PECR fines | Current fines under the Privacy and Electronic Communications Regulations (PECR) are capped at £500,000 | Maximum fines would be brought in line with the current UK GDPR (up to £17.5M or 4% of annual turnover) |
DIGITAL INFORMATION AND SMART DATA (DISD) BILL
Originally introduced in the King’s Speech, the Digital Information and Smart Data (DISD) Bill aimed to promote data-driven economic growth and modernise the Information Commissioner’s Office (ICO).
However, with the announcement on 23 October 2024 of the proposed Data (Use and Access) Bill, the DISD Bill appears to be set aside.
The new Data (Use and Access) (DUA) Bill retains a focus on modernising data-driven standards and introduces adjustments to health information standards, international transfers, and automated decision making, among other key areas.
We are currently waiting for further news on this proposed Bill and will update with information as soon as it becomes available.
DO YOU NEED HELP WITH DATA PROTECTION COMPLIANCE?
The DPO Centre provides a comprehensive range of data protection services to help build and maintain compliance with the GDPR and other local data protection laws. We have one of the largest teams of Data Protection Officers available, who have supported over 1,000 clients across the globe.
Our services: Outsourced Data Protection Officers (DPOs), GDPR Representatives, DSAR Response Service, Consultancy, Training, AI Explainability, DSPT Audit, Caldicott Guardians, NIS Representation, Services for Schools & Data Protection support services that are specific to Life Sciences.
We provide experienced and sector-specialised professionals for all your data protection needs.