Introduction: A New Chapter in UK Data Protection Law

The UK is on the brink of significant data protection reform. The Data Protection and Digital Information Bill (DPDI Bill) is set to reshape the data privacy landscape by updating the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR).

Introduced as part of the government’s drive to create a “pro-innovation” data regime post-Brexit, the Bill aims to reduce administrative burdens on businesses while maintaining high data protection standards. However, it’s far from a mere regulatory trim—it introduces some fundamental changes that will affect how organisations manage data rights, digital identity, cookies, and much more.

Section 1: What Is the Data Protection and Digital Information Bill?

The DPDI Bill proposes changes in several key areas, introducing entirely new rights and shifting responsibilities. Here’s a breakdown of some of the most notable inclusions:

1. Data Access Rights Extended

The Bill may broaden data subject access rights beyond traditional personal data to include company-specific information—such as product performance, service quality metrics, or internal processes. This would mark a shift from personal-only access to potentially commercially sensitive data, challenging organisations to rethink what constitutes a valid request.

2. Digital Verification

The Bill supports a new framework for digital identity verification, enabling individuals to prove who they are online more securely and seamlessly. This initiative aims to cut down on fraud and streamline public and private sector services while raising fresh questions about identity management and security obligations.

3. Information Commission to Replace the ICO

The current Information Commissioner’s Office (ICO) will be replaced by a new body, the Information Commission, designed to operate more like a traditional regulator, with increased oversight and accountability to Parliament. This structural change could signal a more enforcement-driven approach to regulation.


Section 2: How the Bill Will Impact UK GDPR and PECR

Let’s explore the key ways the DPDI Bill may alter existing UK GDPR and PECR frameworks:

UK GDPR Impacts

  • Fines and Enforcement: The scope of fines will expand, especially under PECR, aligning more closely with UK GDPR penalty levels. Expect stricter enforcement on spam, cookies, and marketing practices.

  • Cookie Consent Changes: The Bill proposes exemptions to the current cookie consent rules. For example, certain cookies used for analytics or service improvement may no longer require consent, simplifying website compliance—but requiring clear policy updates.

  • DSAR Reform: With the inclusion of potentially non-personal data, DSAR (Data Subject Access Request) policies will need updating to reflect broader response requirements and tighter timeframes.

  • Data Protection Complaints: Organisations will be expected to demonstrate clear, documented internal complaint-handling procedures before individuals escalate to the regulator—placing more onus on resolving issues early.

  • Legitimate Interests: The Bill introduces a list of recognised legitimate interests, including national security, safeguarding, and democratic engagement. It also supports a more flexible interpretation of organisational legitimate interests, potentially reducing the need for complex balancing tests in certain cases.

  • International Transfers: The Bill suggests a more flexible adequacy model for data transfers outside the UK, which may allow organisations to work with more countries—though risks to data protection standards remain under scrutiny.

  • Purpose Limitation & Reuse of Data: Clarifications on reusing data for compatible purposes may offer more leeway for organisations—particularly in research and innovation contexts.

  • Automated Decision-Making: The Bill refines the rules around automated decisions, ensuring there’s human involvement in high-risk scenarios, but relaxing some of the restrictions to encourage innovation.

  • Children’s Data & Privacy by Design: Data protection by design and by default—particularly for children’s data—remains a key requirement. The Bill reinforces the need for robust design processes that put children’s rights at the forefront.


Section 3: Next Steps for Organisations

The proposed changes will require most organisations to review and refresh their privacy strategies. Here’s how to prepare:

Review Compliance with PECR

Especially in light of increased fine thresholds, organisations should revisit their email marketing, telephone campaigns, and tracking technologies to ensure PECR compliance.

Update Cookie Consent Practices

Determine whether the types of cookies in use may benefit from new exemptions and update cookie banners and privacy notices accordingly.

Amend DSAR Policies

Incorporate the broader scope of access rights into internal DSAR procedures and train staff to handle more complex requests.

Formalise Complaint Handling

Introduce structured processes to manage data protection complaints internally, reducing the risk of escalation to the regulator.

Refresh Legitimate Interest Assessments

Align LIA documentation with the Bill’s recognised and organisational legitimate interests framework.

Assess International Transfer Mechanisms

Evaluate whether your current transfer safeguards still apply or whether you can benefit from more streamlined adequacy provisions.


Conclusion: Stay Ahead of the Change with Formiti

The Data Protection and Digital Information Bill marks a pivotal moment for UK data protection. While it introduces some welcome simplifications, it also places new responsibilities and higher expectations on organisations.

At Formiti Data International, we help organisations navigate these regulatory shifts with confidence. Whether it’s updating your PECR policies, reviewing DSAR procedures, or preparing for the new digital ID framework, our experts are just a free consulting call away.