New Data Protection law – UK businesses brace for change

Some of the key changes proposed in the new data protection law should help reduce the time and cost associated with the admin side of data protection...

On 8 March 2023, the Data Protection and Digital Information (No. 2) Bill (DPDI) was introduced to Parliament, rising from the ashes of its predecessor, which was withdrawn on the same date. If this new data protection law comes into force, it will make some significant changes to the obligations under the UK GDPR.

There are some changes to the UK GDPR that seem unnecessary but, overall, we think this is a step in the right direction.

Some of the key changes proposed in the bill should help reduce the time and cost associated with the admin side of GDPR compliance, which will be a welcome change for many. They do seem intent on making it easier for politicians to send us marketing, though…

With support from the ICO, it’s possible that the DPDI becomes law in the not-too-distant future, so we wanted to provide a quick breakdown of some of the main differences.

Please note: the DPDI and the changes to the law discussed in this article are not yet in force.

Clarifications and Amended Definitions

A few definitions and provisions have been updated to address ambiguities that existed in the GDPR – often following previous guidance issued by the ICO to clarify these matters:

The definition of “personal data” has been expanded to clarify that:

  • A subject is “directly” identifiable from the data in question if no additional information is required to identify them (and “indirectly” identifiable if further information is required to identify them).
  • A subject is “identifiable” if they can be identified by the company by reasonable means, or if the company knows (or ought to know) that another person is likely to obtain the data and would be able to identify the subject by reasonable means. In both cases, the subject must be identifiable at the time of processing.

The definition of “pseudonymisation” has been updated; data will only be considered pseudonymised if the decoding information is stored securely and separately from the main data.

The requirements for valid consent in the context of scientific research have been reduced slightly, acknowledging that the specific purposes for processing personal data in this context may not be fully known at the time consent is given.

Various rules are introduced to assist in determining whether or not a new purpose for processing personal data is “compatible” with existing purposes.

New Lawful Basis – Recognised Legitimate Interests

The DPDI introduces a new lawful basis to article 6 of the UK GDPR – recognised legitimate interests.

Legitimate interests have always been a staple lawful basis under the GDPR, but relying on legitimate interests requires an assessment of the balance between the interest and the rights of the individual. The introduction of recognised legitimate interests covers a few areas where the balance is now assumed to be in favour of the controller:

  • Disclosure under a request for public interest reasons;
  • National security;
  • Emergencies;
  • Detecting and preventing crime;
  • Safeguarding vulnerable people; and
  • (For some reason) Politicians sending spam campaign marketing.

Jokes aside, the first five of these are situations that are often the subject of debate and there has rarely been clear guidance on when, or how, data can be used and shared in these circumstances. The introduction of a specific lawful basis will help to simplify guidance on disclosure in these contexts.

Automated Decision-Making

The UK GDPR is relatively brief on automated decision-making, providing restrictions on significant decisions made solely by automated means.

With the recent boom in AI technologies, and natural language models like ChatGPT set to revolutionise the way we interact with information, having a solid legal framework in place to govern the privacy impact of these technologies is more important than ever.

The DPDI fleshes out the provisions relating to automated decision-making, clarifying definitions, providing for safeguards and introducing specific rules for automated decision-making using sensitive “special categories” of personal data.

Goodbye UK Representatives

The DPDI abolishes the need for overseas companies to appoint a UK Representative, which is currently required where a non-UK company processes data about UK individuals in the context of:

  • offering them goods or services; or
  • monitoring their behaviour (profiling for targeted ads is a common example of this).

This requirement, which I think has largely gone forgotten, unnoticed or downright ignored by many businesses anyway, is not being replaced with any equivalent – a bit of the red tape reduction this bill has been lauded for.

Goodbye DPO – Introducing the SRI

The DPDI also abolishes the statutory role of the Data Protection Officer (DPO) – which is a big shake up for the industry, given the number of employees, consultants and businesses out there currently undertaking that role.

A DPO is an independent data protection expert who assists a company with GDPR compliance. They can be an existing staff member with another role (provided they retain a level of independence and avoid any conflicts of interest), a full- or part-time employee in a dedicated role, or an external consultant or service provider, and their key tasks are:

  • monitoring the business’ compliance with data protection laws and with the business’ own data protection policies, including assisting with DPIAs;
  • advising the business on its obligations under data protection law; and
  • acting as a contact point both for data subjects and the ICO (or EU supervisory authorities).

In place of the abandoned DPO role arrives the Senior Responsible Individual (SRI). While we’re guessing at the rationale behind this change, we can at least take a look at what’s different from the current DPO role:

When is one required?

Data Protection Officer: A DPO is required for public bodies (except courts) as well as businesses which:

  • regularly and systematically monitor data subjects on a large scale; or
  • process special categories of data or data about criminal convictions and offences on a large scale.

Senior Responsible Individual: An SRI is required for public bodies (except courts) as well as businesses which carry out processing that is likely to result in a high risk to the rights and freedoms of individuals.

Who can hold the role?

Data Protection Officer: A DPO can be an employee (including where this is secondary to their main role, subject to maintaining independence and avoiding conflicts of interest) or an external consultant or service provider. The DPO must report to the highest level of management of the business.

Senior Responsible Individual: An SRI must be a member of the organisation’s senior management (meaning someone who plays a significant role in managerial decision-making for the organisation) – it is therefore always a secondary (not dedicated) role. The SRI cannot be an external service provider, and you could not recruit a dedicated SRI (unless they were being recruited to senior management).

Expertise

Data Protection Officer: A DPO must be an expert in data protection law and practice.

Senior Responsible Individual: An SRI does not need to be an expert in data protection law. Since the SRI must be a senior manager (as opposed to, for example, a lawyer or data protection practitioner), it is likely that most SRIs will not be data protection experts.

Tasks and protection from penalisation

Data Protection Officer: A DPO’s key tasks include:

  • monitoring the business’ compliance;
  • advising the business on its legal obligations; and
  • acting as a contact point for data subjects and the ICO.

A DPO is protected against penalisation by the company for undertaking these tasks.

Senior Responsible Individual: The SRI’s tasks are similar to those of the DPO (with a few more details), but it is anticipated that the SRI will outsource those tasks to someone else. In practice, it will likely make sense for many DPOs to continue their roles, but as advisors to the SRI rather than holding their own statutory positions. The SRI, as well as any person they outsource these tasks to, is protected against penalisation for undertaking these tasks, similar to a DPO.

Goodbye RoPA – Introducing the… RoPoPD?

In an entirely unnecessary change of acronyms, the easy-to-say “RoPA” (Record of Processing Activities) has been replaced with the new Record of Processing of Personal Data (RoPoPD? Or RPPD? I quite like “RoPop” so we’ll go with that for now).

Aside from the silly name change, this is something that will be music to the ears of many compliance officers around the country who, like myself, have spent far more of their lives than they would like to admit developing RoPAs.

The new RoPop is a condensed version of the old RoPA, and appears to require much less granular detail than was expected in the past – thanks in part to no longer having to list different types of non-sensitive data.

Maintaining the new record is only a requirement for businesses undertaking processing that is likely to represent a high risk to individuals; a welcome change, as almost all businesses are required to maintain a RoPA under current rules (the exemption for small businesses is very narrow).

Goodbye DPIA – Introducing the AHRP

Another apparently gratuitous acronym change – this time to abolish the DPIA (Data Protection Impact Assessment) and replace it with a new “Assessment of High Risk Processing”.

The AHRP (which I’m pronouncing like a northerner saying “Harp”) is required in the same circumstances as a DPIA – that is, when processing of personal data is likely to result in a high risk to the rights and freedoms of individuals – but, in the spirit of the DPDI, it is a slightly less onerous process.

Where the DPIA required a “systematic description” of processing activities, purposes and legitimate interests, the new AHRP simply requires a summary of the purposes of processing. In line with the ICO’s existing guidance on DPIAs, the AHRP is also then required to include:

  • an assessment of the necessity of the processing for the specified purposes;
  • an assessment of risks; and
  • a description of measures taken to mitigate the risks.

Consultation with the ICO following an assessment that identifies an unmitigated high risk will no longer be a requirement, but this will remain as an option for businesses.

New statutory first-level complaint process

Data subjects have always had the right under the UK GDPR to lodge complaints about businesses with the ICO, but it is strongly encouraged (both by the ICO and by businesses) for data subjects to raise their concerns with the business first.

The DPDI introduces a requirement for businesses to make available a simple means of submitting data protection-related complaints (such as an online form) as well as to acknowledge complaints within 30 days and to respond “without undue delay”. Thankfully, there is no strict requirement for an online complaint form, so businesses may have some discretion as to how they apply this.

Digital Verification Services

The DPDI introduces a new statutory framework for service providers of digital verification services – this is of course relevant to ID verification, but also other forms of verification in which a fact about an individual is ascertained using information provided by a third party.

The Secretary of State will prepare a “trust framework” that sets out the rules, and there will be a public register for accredited digital verification service providers (along with a “trust mark” for registered providers to use).

We’ll have to wait and see how this plays out in practice, and whether digital verification is adopted by the government and public bodies for ID and address verification (which is, based on my recent experience, still incredibly cumbersome).

Customer Data, Business Data and Gatekeepers

Part 3 of the DPDI introduces a new set of rules relating to “customer data” and “business data”. Both definitions may include information which is not personal data (e.g. where both business and customer are companies), so this Part takes us outside the usual scope of data protection law under the GDPR.

The DPDI enables the Government to require a business to:

  • provide customer data (such as information about transactions between the customer and the business) to the customer;
  • produce, collect, retain or make changes to customer data or business data; or
  • publish business data (such as information about the business’ products and services, how they are supplied and customer feedback) or provide it to a customer or third party.

There are a number of provisions relating to the Secretary of State’s ability to make further regulations in this area, so we may see this fleshed out in months to come.

This appears to be following in the footsteps of the EU Digital Markets Act, which imposes rules on “gatekeepers” – large online platforms that have a significant impact on the internal market. In theory, this could help to ensure a fairer environment for the businesses utilising these platforms as well as improved choice for consumers.

Cookies

One of the more interesting changes in the DPDI relates to provisions under e-privacy laws (the Privacy and Electronic Communications Regulations 2003) rather than the GDPR – and it’s all about cookies.

The GDPR’s strict standard of consent is currently required for any cookies that are not necessary for the website to operate. This means that users must take a positive action to opt in to things like Google Analytics, depriving businesses of useful information about user engagement.

The DPDI makes some changes to the consent requirements for common situations where the existing rules have caused headaches. GDPR-level consent will no longer be required for:

  • analytics cookies;
  • cookies used for user preferences or enhanced functionality;
  • storage of or access to information on a user’s device for the purposes of software security updates.

The category of “strictly necessary” cookies (which do not require user consent) has been expanded to provide some clear examples, including security, fraud prevention, bug fixes, ID verification, and user preferences.

Under the new rules, many businesses would be able to abandon their cookie consent tools for good – and for those which still require consent (e.g. for the use of cookies in targeted advertising), there will be a much lower volume of cookies that need to be integrated with the consent tool.

Whether the new DPDI comes into force in its current guise (and, if so, when) is still an unknown at this point, but the UK Government promised an overhaul of UK data protection laws and that’s what they appear to be trying to deliver with this Bill.

The DPDI introduces some positive changes that strike a good balance between effective regulation and efficient compliance obligations, but also includes some provisions that seem to represent change for the sake of change. My main concern at this point is the ability of smaller businesses to navigate and understand the rules, as we now have to cross-reference between all three of the UK GDPR, the Data Protection Act 2018 and the new DPDI (not to mention secondary legislation) – fingers crossed we’re graced with a Keeling schedule for the updated UK GDPR.

Questions or concerns about the changes to UK data protection law?

We advise on all aspects of data protection law in the UK and we can help you keep on top of the legal framework as it continues to evolve – get in touch for a no-obligation consultation to see how we can help.

Will Eggleston