What the Data Protection and Digital Information Bill Means for Business

The UK’s digital economy was worth an estimated £259bn in 2021, according to the government. And it comprised 85% of total service exports. That’s why businesses have been eagerly awaiting one of the most significant pieces of legislation in the post-Brexit era: The Data Protection and Digital Information Bill (DPDI). First introduced in the summer of 2022 and then paused shortly after for consultation with industry experts and business leaders, the legislation is now being touted as a way for UK firms to cut paperwork and reduce trade barriers without compromising privacy and data protection.

But could its provisions actually increase red tape for organisations at a time when they’re already overloaded with new compliance mandates in the US?

What’s in the Bill?

There’s plenty to unpack from what is essentially the UK’s attempt to produce its own version of the GDPR. It’s a blend of clarifications and carve-outs which attempt to make the law more business-friendly without impacting the UK’s adequacy status, which would imperil data flows to and from the EU.

One of the headline changes is to ensure that only organisations engaged in “high-risk” data processing, such as those handling large volumes of health data, need to keep records. This is designed to cut paperwork for a large number of businesses. The new rules are also intended to clarify when organisations can process data without requiring consent, such as when sharing personal data to prevent crime is deemed to be in the public interest.

Further clarifications have been made to increase confidence in AI by stating when safeguards must apply to automated decision-making or profiling, which are critical to many business models. And there are new rules designed so that commercial organisations can benefit from the same protections as academics when conducting research. That means any research which could “reasonably be described as scientific”. The aim again is to reduce red tape and legal costs for researchers while driving more scientific research in the private sector.

Other departures from the GDPR include a new framework for optional digital verification, increased fines for nuisance calls and texts of up to 4% of global turnover or £17.5m, and the creation of a new statutory board for the regulator, the Information Commissioner’s Office (ICO). There are also proposals to reduce the number of consent pop-ups internet users see online, which effectively means firms will be able to use tracking technologies on websites and apps for analytics without prior end-user consent.

What the Government is Promising

Unsurprisingly the government is shouting from the rooftops about the potential benefits its new version of the GDPR will usher in. It claimed the reforms will “unlock” £4.7bn in savings for UK organisations over the coming decade without impeding international data flows. In fact, the government claims that the changes will enhance global confidence in its regulatory regime to drive even more international trade. The legislation will help alleviate the burden placed on small businesses, particularly by what the government describes as an inflexible, top-down European law.

Another theme is increasing business confidence—both about when they can process personal data without consent and in clarifying when safeguards must apply when using AI technologies.

Science, Innovation and Technology Secretary, Michelle Donelan, was keen to stress that the bill had been “co-designed” with businesses from the start.

“Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR,” she said on its launch.

“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next-generation technologies, create jobs and boost our economy.”

Could the Bill Increase Red Tape?

However, there are concerns that, far from removing red tape, the legislation could actually increase it for some organisations. Antonis Patrikios, a partner and global co-chair of the data privacy and cyber security practice at Dentons, explains that organisations not wanting to change their existing GDPR compliance framework do not have to do so with the new legislation.

“The bill envisages that organisations may continue to comply with the EU GDPR if they wish, and this will be considered to meet the requirements of the new UK data protection law. So, organisations who do not wish to be impacted by the changes introduced by the bill will not have to,” he tells ISMS.online.

However, while that would reduce the potential compliance burden, especially for those with European operations, it would mean those organisations cannot benefit from the much-touted advantages of the new legislation. Those who want to must effectively maintain two separate compliance frameworks, one for their EU operations (GDPR) and one for the UK (DPDI).

Patrikios admits as much.

“Of those organisations who would like to avail themselves of the streamlined (and likely easier to comply with) revised UK law requirements, those who process both UK personal data and EU personal data will need to do a bit more thinking to consider the extent to which they want to rely on the revised UK law and how they will manage in practice the interplay between applying one standard (i.e. the EU GDPR) for their EU data and another standard (i.e. the revised UK data protection law) for their UK data,” he says.

There is also a question mark over whether making compliance easier is even in organisations’ best interests, particularly if it has unintended consequences. The removal of the need for most low-risk data processors to keep records is one such case, according to Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice.

“Although no one is going to complain about a reduction in paperwork, removing the requirement for most businesses to maintain personal data inventories means they might struggle to understand how and where they hold data, which isn’t in anybody’s benefit,” he argues.

How Companies Can Manage the Extra Workload

Any increase in compliance work for UK organisations will come at a busy time. This year, it’s anticipated that seven states, including Colorado, Connecticut, Utah and Virginia, will begin enforcing new GDPR-inspired statutes. The extra workload threatens to overwhelm swamped compliance teams.

“In addition to the UK data protection law reform and the US state privacy law reform processes, there are new privacy laws and/or evolving guidance and practice in important markets such as China, India and Canada. We should also not forget the suite of cybersecurity (e.g. NIS 2 and DORA) or technology regulatory laws (such as the AI Act and DSA) that are making their way through the EU legislative process,” explains Patrikios.

“Organisations should consider which of these new laws apply to them and then consider what the likely impact is going to be and how to get ready for it. In doing so, it is essential to speak to external specialist advisors because there are new provisions, some of which do not have a precedent, so they may be difficult to apply in practice. If more than one new law applies, streamlining compliance efforts may not be straightforward, and getting a steer regarding what others in the market are doing can be very helpful in practice.”

This is where trusted partners like ISMS.online can help by providing a centralised portal where customers can manage all their compliance efforts in one place. Even better, where some tasks and specifications look the same across different regulatory frameworks, ISMS.online can ensure teams don’t waste time duplicating their efforts.