New requirements under the UK Data Protection and Digital Information Bill

The UK Government introduced the Data Protection & Digital Information (No.2) Bill (the 'DPDI Bill') in March 2023. Understanding its implications is essential for charities that control and process data.    

In a Written Ministerial Statement of 8 March 2023, Michelle Donelan, Secretary of State for Science, Innovation and Technology, said the new Bill was introduced following a ''detailed codesign process with industry, business, privacy and consumer groups […] to create a new UK data rights regime tailor-made for our needs”. 

Whilst the draft legislation is still at Report stage in the House of Commons, understanding its implications is essential for charities that control and process data.  

An important aim of the DPDI Bill is to make compliance with the General Data Protection Regulation (GDPR) easier, by clarifying ambiguities as opposed to substantially changing the rights and obligations under the GDPR. A more pragmatic approach should be introduced by the DPDI Bill making the following changes regarding GDPR compliance: 

• clarifying what constitutes personal data – and that information may be considered personal data if it is not sufficiently protected to mitigate risks of it being accessed or obtained by unauthorised persons
• reducing the administrative burden regarding processing personal data on the legal basis of legitimate interests:
  • by stating that in some circumstances, processing necessary for legitimate interests may include processing that is necessary for direct marketing (e.g., communications of advertising and marketing material to particular individuals). This may make direct marketing opportunities easier to manage in the future
  • by introducing a new 'recognised legitimate interest' for certain crucial public interests (such as safeguarding vulnerable individuals) where no balancing test against an individual's rights would be required. 
• introducing a risk-based approach to adequacy decisions made in relation to international data transfers from the UK.  Preserving an adequate level of protection for GDPR purposes is said to be an important goal for the UK Government 
• allowing data controllers to refuse data subject access requests (DSARs) or charge a reasonable fee where the request is deemed "vexatious or excessive".

The DPDI Bill would also introduce an Information Commission, a new body which will have a broader remit than that currently held by the Information Commissioner, including regarding oversight of biometric data. Under the legislation, data protection officers (DPOs) will need to co-operate with and act as a contact point with the Information Commission.  

It is unclear when the new DPDI Bill will become law. However, it is unlikely to be before March 2024. While the final Act may differ, charities should now start to consider what changes they will want to make to their own policies, procedures and training as a result of the Bill's changes.