On 29 November 2023, the UK’s Data Protection and Digital Information Bill (DPDI) passed its final stages in the House of Commons with 267 votes to 30.
The Parliamentary session lasted over 4 hours and MPs on both sides of the House highlighted their concerns about the Bill’s lowering of data protection standards. In particular, the proposed permissions for the Department of Work and Pensions to view individuals’ financial information were cited as a serious problem.
Despite opposition and numerous warnings from privacy professionals, including The DPO Centre, the Bill will now move to the House of Lords, where it will undergo further examination. As the Lords is self-regulating, there is no limit to the debate time. Further amendments can be tabled, but these are usually addressed at the third reading.
Initial reactions from Data Protection Officers (DPOs) and privacy professionals include disappointment that their concerns were disregarded. In June 2023, The UK Data Protection Index results illuminated the extent of apprehension within the data protection industry. Responses revealed an overwhelmingly negative view towards the proposed benefits of the Bill, which will see the UK deviate from the EU General Data Protection Regulation (GDPR).
Ben Seretny, Head of DPOs at The DPO Centre said:
‘There has been limited success in addressing the concerns raised by both individuals and various industry leaders, even with the amendments made following the first consultation in 2022. The changes will loosen the current regulatory standards set by the GDPR, but without clear, actionable guidance, this will bring further uncertainty and confusion to many organisations.’
The proposed changes to the existing UK General Data Protection Regulation (UK GDPR) include an alteration to the definition of personal data, subject access requests and the obligations of controllers and processors. The Information Commissioner’s Office (ICO) would also be abolished and replaced by an Information Commission, led by a chief executive who would be appointed by non-executive members.
The most significant proposed changes, and those that could have significant ramifications for organisations include:
The shift from Europe’s strict approach to data protection could have far-reaching implications, especially for data processing across multiple jurisdictions.
Rob Masson, CEO of The DPO Centre said:
‘The government’s decision to press forward with implementing this legislation is incredibly disappointing. Whilst countries across the globe are implementing ever-more robust data protection legislation, the UK seems intent on going in the opposite direction and lowering standards. By creating a further compliance standard, the proposed DPDI Bill is going to make it more difficult for all but the smallest of UK organisations, not easier, despite the Bill’s stated intentions.’
Whether the implementation of the Bill can achieve the government’s goal of saving businesses £4.7 billion over the next 10 years remains to be seen, but hope remains that the House of Lords will engage in a more measured debate.
We shall continue to monitor the Bill’s progress in these final stages, providing updates and comments as soon as we have details.