Where are we now?  – Your Front Page For Information Governance News

By neub9

The Data Protection and Digital Information (No.2) Bill is currently in the Committee stage of the House of Lords. It will make changes to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). It is expected to be passed in May and will probably come into force after a short transitional period.

The current Bill is not substantially different to the previous version, whose passage through Parliament was paused in September 2022 so ministers could engage in “a co-design process with business leaders and data experts” and move away from the “one-size-fits-all” approach of the European Union’s GDPR.

Many of the proposals in the new Bill are the same as contained in the previous Bill. These include:

– Amended Definition of Personal Data: This proposed change would limit the assessment of identifiability of data to the controller or processor, and persons who are likely to receive the information, rather than anyone in the world.
– Vexatious Data Subject Requests: The terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, will be replaced with “vexatious” or “excessive” requests. Explanation and examples of such requests will also be included.
– Data Subject Complaints: Data Controllers will be required to acknowledge receipt of Data Subject complaints within 30 days and respond substantively “without undue delay”. The ICO will be entitled not to accept a complaint if a Data Subject has not made a complaint to the controller first.
– Data Protection Officer: The obligation for some controllers and processors to appoint a Data Protection Officer (DPO) will be removed. However, public bodies and those who carry out processing likely to result in a “high risk” to individuals will be required to designate a senior manager as a “Senior Responsible Individual”.
– Data Protection Impact Assessments: These will be replaced by leaner and less prescriptive “Assessments of High-Risk Processing.”
– International Transfers: There will be a new approach to the test for adequacy applied by the UK Government to countries (and international organisations) and when Data Controllers are carrying out a Transfer Impact Assessment or TIA. The threshold for this new “data protection test” will be whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR.
– The Information Commission: The Information Commissioner’s Office will transform into the Information Commission; a corporate body with a chief executive.
– PECR: Changes related to cookies, consent, direct marketing, and fines.

The main changes include:

– Scientific Research: Expanding the definition to include research for commercial purposes.
– Legitimate Interests: Introducing a non-exhaustive list of cases where organizations may rely on the “legitimate interests” legal basis.
– Automated Decision Making: Profiling will be a relevant factor in the assessment of meaningful human involvement.
– Records of Processing Activities (ROPA): Exempting all controllers and processors unless they are carrying out high risk processing activities.
– Subject Access: Data Controllers are only obliged to undertake a reasonable and proportionate search for information requested under the right of access.

Although the Government states that the new Bill is “a new system of data protection”, it still retains the UK GDPR’s structure and fundamental obligations. Organisations that are already compliant with the UK GDPR will not be required to make any major changes to their systems and processes. However, some commentators have suggested that the changes may jeopardise the UK’s adequate status and so impact the free flow of data between the UK and EU.

The Bill would also:

– Establish a framework for the provision of digital verification services to enable digital identities to be used with the same confidence as paper documents.
– Increase fines for nuisance calls and texts under PECR.
– Update the PECR to cut down on ‘user consent’ pop-ups and banners.
– Allow for the sharing of customer data, through smart data schemes, to provide services such as personalised market comparisons and account management.
– Reform the way births and deaths are registered in England and Wales, enabling the move from a paper-based system to registration in an electronic register.
– Facilitate the flow and use of personal data for law enforcement and national security purposes.
– Create a clearer legal basis for political parties and elected representatives to process personal data for the purposes of democratic engagement.

Reading the Parliamentary debates on the Bill, it seems that the Labour party have no great desire to table substantial amendments to the Bill. Consequently, it is expected that the Bill will be passed in a form similar to the one now published.

Learn more about the updated bill with our Data Protection and Digital Information Bill: Preparing for GDPR and PECR Reforms workshop. Dive into the issues discussed in this blog and secure your spot now.

Author: actnowtraining

Act Now Training is Europe’s leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.
