Post-Brexit, the UK GDPR retained many of the EU GDPR's provisions and has stood alongside the Data Protection Act 2018. Until now.
The Data Protection and Digital Information (DPDI) Bill was introduced to parliament as the centre of the government's plan to reform the GDPR and other EU-based legislation. With a more independent framework, there will be some changes to the UK GDPR as we know it.
DPDI Bill & the UK GDPR
- What is the DPDI?
- How does it differ from the UK GDPR?
- How will it affect businesses in the UK?
- Does DPDI mean bigger data breach fines?
- What does DPDI mean for the ICO?
1. What is the DPDI?
The DPDI was previously known as The Data Reform Bill and originated from the Department for Culture, Media and Sport (DCMS) consultation in 2021. According to the UK government, this new legislation aims to simplify the current data protection framework by making it more UK-centric.
The Bill proposes to reform the UK GDPR, DPA 2018 and Privacy and Electronic Communications Regulations (PECR) 2003. The current regime will remain in place but be subject to the amendments proposed by the Bill.
2. How does it differ from the UK GDPR?
The Bill will establish new rules on web cookies and digital identity that are intended to protect users' rights while reducing the compliance burden on UK firms, particularly small businesses.
The Bill proposes new provisions around the use of personal data for research and the requirement to report unlawful direct marketing to the ICO.
In line with this, some of the most notable changes will include:
- redefinition of "personal data"
- removal of the legitimate interests balancing test
- removal of the consent requirement for cookies
- replacement of Data Protection Impact Assessments (DPIAs) with Assessments of High-Risk Processing
- replacement of the Data Protection Officer (DPO) appointment with a Senior Responsible Individual (SRI)
3. How will it affect businesses in the UK?
The DPDI will bring about a change in the way businesses collect and process personal data. Some of the practical changes include:
- Flexibility in accountability - the more flexible, risk-based approach to accountability is evident in that the DPDI does not require a DPO to be appointed or DPIAs to be carried out (although managing and mitigating data risks will remain a requirement).
- Relying on legitimate interests without the balancing test - in practice, this means that businesses can rely on legitimate interests as a lawful basis for processing data in certain recognised circumstances which the DPDI will introduce. These recognised legitimate interests can be added to by the Secretary of State.
- Data Subject Access Requests (DSARs) - organisations can refuse DSARs that they determine to be “vexatious or excessive”. This aligns with the Freedom of Information (“FOI”) regime and clarifies the vague concept of “manifestly unfounded or excessive”.
- ICO fines under PECR to increase - this will increase penalties for businesses that engage in unsolicited marketing calls and electronic communications.
- Cookie consent removed - PECR will be amended so that cookie consent is no longer a requirement where cookies are used purely for web analytics.
In general, businesses will need to review their risk management systems and procedures in relation to data protection. It is advisable to keep an eye out for any changes in the lead-up to the enactment of the DPDI.
4. Does DPDI mean bigger data breach fines?
Under the DPDI, breaches of PECR will fall under the GDPR penalty regime, resulting in higher fines. Currently, the highest fine for infringing the web cookie or direct marketing rules is £500k. This could increase to as much as 4% of global annual turnover.
5. What does DPDI mean for the ICO?
The Information Commissioner's Office (ICO) will continue to operate in the same capacity as it has in the post-Brexit era. It remains the data supervisory authority for the UK. The ICO will account for the amendments to the current regime when issuing penalties for breaches of the legislation.
For the latest information and guidance, keep checking the ICO website.
Why data protection training is vital
In order to achieve GDPR compliance, companies need to ensure they know their data sources, categorise their data, have plans if there is a breach, review policies and educate their staff.
Despite the GDPR taking effect in 2018, many companies are still not GDPR compliant. A recent study indicates that nearly three-quarters of UK companies don’t follow GDPR data request requirements.
The lack of effective data protection training has already resulted in numerous and significant GDPR fines. The rules are fairly clear, meaning that almost all fines are completely avoidable.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by an extensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.