UK Data Protection Under Scrutiny as DPDI Bill Advances
UK Data Protection Landscape at a Crossroads with DPDI Bill
Unrest in the landscape of UK Data Protection Law as the DPDI Bill moves from the House of Commons to the House of Lords.
With a resounding 267 votes to 30, the new Data Protection and Digital Information (DPDI) Bill passed from the House of Commons to the House of Lords on the 29th of November 2023. This came on the same day that the Labour Party objected to the 156 pages of amendments to the DPDI Bill as being unacceptable.
The Bill will replace the current UK General Data Protection Regulation (UK GDPR) should it attain royal assent, as the UK looks to leave its own imprint in the world of data protection.
The Bill encompasses a wide array of provisions aimed at supposedly strengthening data protection and security measures within the UK. However, it has not been short of criticism across the field, with many data protection practitioners voicing their concerns since it was first drafted back in 2022 under Nadine Dorries.
Proposed changes to the current UK General Data Protection Regulation
The proposed changes to the existing UK GDPR include an alteration of the definition of ‘Personal Data’, changes to the obligations of data controllers and data processors, and a power for the Department for Work and Pensions (DWP) to monitor the bank accounts of benefit claimants.
Further significant proposed changes that would alter the way a business operates in relation to data protection include:
Senior Responsible Individual: The current legal requirement for certain organisations to appoint a Data Protection Officer (DPO) would be replaced with a Senior Responsible Individual (SRI).
Record of Processing Activities: It is currently a legal requirement under Article 30 of the UK GDPR for organisations to implement and maintain a record of processing activities (RoPA). The DPDI Bill would require organisations to keep such records only where the processing constitutes ‘high risk’.
Data Protection Impact Assessment: Article 35 of the UK GDPR requires organisations to carry out a Data Protection Impact Assessment (DPIA) where one or more of the conditions of Article 35 are met regarding a processing activity. The new Bill proposes that DPIAs be removed and replaced with a requirement for assessments of only high-risk processing. The requirement to consult the ICO before undertaking high-risk processing has also been removed.
Cause for Concern
It’s safe to say that the Bill has fractured the current UK data protection landscape, with many believing that it will undermine the current law and provide less protection for individuals’ data, rights and freedoms. There is also chatter of the new Bill putting the UK’s adequacy decision with the EU at risk. If this were to occur, UK organisations would need to implement appropriate safeguards to facilitate the transfer of personal data from the UK to the EU and vice versa.
In an ever-changing world and with the emergence of innovative technologies such as AI, countries across the world are stepping up their efforts to ensure people’s personal data is kept secure. The same can’t be said for the UK, it seems, as we seem to be taking two steps back rather than one step forward. My take on this is: if it isn’t broken, don’t fix it!!
Learn more about the amendments suggested in the DPDIB here: https://publications.parliament.uk/pa/Bills/cBill/58-03/0314/amend/datapro_rm_rep_1123.pdf
DPP will monitor the progress of the Data Protection and Digital Information Bill and will provide updates when possible.