UK GDPR Vs DPDI Bill: What You Need to Know

The DPDI Bill has now progressed to the House of Lords. Our DPDI Bill guide explains what changes lie ahead.

Houses of Parliament

The Data Protection and Digital Information (DPDI) Bill will reshape the UK’s data protection legislation. With changes to the UK GDPR and DPA 2018, the Bill aims to give the UK the flexibility needed to evolve in the rapidly changing digital future. 

The proposed reforms, however, have attracted much speculation. Discover what changes are ahead in our DPDI Bill guide below.

What Is the DPDI Bill?

The DPDI Bill, previously known as The Data Reform Bill, is the UK government’s new legislation to reform the country’s data protection framework. 

The Department for Science, Innovation and Technology (DSIT) sponsors the Bill, which aims to simplify the UK GDPR, the Data Protection Act (DPA) 2018 and the Privacy and Electronic Communications Regulations (PECR) 2003. Amendments to these frameworks will follow once the Bill comes into force.

The first version of this Bill was published in 2022 and reintroduced in March 2023, and it has now progressed to the committee stage in the House of Lords. You can monitor the status of the DPDI Bill on the UK Parliament’s website.

What’s the Difference Between the DPDI Bill and UK GDPR?

Several proposed changes to the UK GDPR have left the data protection sector apprehensive about what the future holds.

Here are the most concerning differences between the UK GDPR and the DPDI Bill:

Personal Data Redefined

In the UK GDPR, personal data is information about an identifiable or identified living individual. The DPDI Bill treats information as identifiable only if:

  • The data controller or processor can identify the individual by reasonable means, or
  • The data controller or processor knows that the information will be disclosed to another party who could reasonably identify the individual from it.

So, what does this mean for data subjects? Under the Bill, whether collected information counts as identifiable depends only on what the controller, processor or receiving third party can do with it, not on the data subject.

Removal of UK Representative

Under Article 27, controllers and processors outside the UK must appoint a UK representative. This applies to companies that sell goods or services or monitor the behaviour of UK individuals. 

The UK representative is the point of contact for “all issues related to processing, for the purposes of ensuring compliance with this Regulation” (Article 27).

The DPDI Bill will eliminate this requirement for overseas companies. Not only will this increase the chances of non-compliance, but communicating with these companies will become more challenging. 

Replacement of DPIAs

A Data Protection Impact Assessment (DPIA) helps organisations identify, assess and limit data protection risks when processing personal data. It is an essential part of the accountability obligations and a legal requirement where processing is likely to be high risk. Failure to carry one out can result in fines of up to £8.7 million.

DPIAs help you maintain compliance and help individuals understand how and why you use their data. Conducting DPIAs also raises awareness of data privacy and protection across your organisation.

The DPDI Bill will only make DPIAs mandatory for high-risk processing and will be more flexible about other processing activities.

Replacement of RoPA

A record of processing activities (RoPA) is a central resource for organising your company’s data processing activities. Our recent blog discusses how a RoPA demonstrates compliance, transparency and accountability for processing activities.

Again, the DPDI Bill proposes to replace RoPAs with a less prescriptive record of how personal data is processed. RoPAs will soon only be required for high-risk processing, similar to DPIAs.

Refusal of DSARs

Individuals have a legal right to obtain copies of the data that data controllers hold about them. A subject access request (SAR), or DSAR, can currently be refused only if it is “manifestly unfounded or excessive.”

This threshold will change to whether a SAR is “vexatious or excessive” – a concept derived from the Freedom of Information Act (FOIA) 2000. This change will make it easier for organisations to refuse DSARs or charge reasonable fees for them.

The outcome? Individuals will struggle to access their information, leaving them in the dark about how their data is used. 

DPOs to SRIs

A Data Protection Officer (DPO) is a legal requirement for organisations that meet the UK GDPR’s criteria. At Data Protection People, our DPOs assist public authorities and organisations with objective expertise and management of their data privacy controls. 

The DPDI Bill will remove the requirement for DPOs and swap them for a Senior Responsible Individual (SRI) to handle high-risk processing activities. The SRI must be part of the organisation’s senior management team and can delegate responsibilities internally or externally. 

Governmental Control of the ICO

The Information Commissioner’s Office (ICO) is an independent body that provides guidance, support and action on the UK GDPR, DPA, FOIA and PECR to the public and organisations. 

The DPDI Bill will reform the ICO, giving the government some control over and insight into the regulator. This ultimately harms the ICO’s independence, which may limit its ability to hold organisations accountable for data breaches or misuse.

Other Changes to the UK GDPR:

  • Removal of legitimate interest balancing tests and introduction of new ‘recognised legitimate interests’ for particular public interests.
  • PECR fines to increase from £500,000 to £17.5 million or 4% of annual turnover (in line with current UK GDPR).
  • Reduction in cookie consent banners and addition of cookie categories that require no consent.
  • Increased investment in AI-powered automated decision-making (ADM) and a review of the current safeguards around human involvement.

Our Opinion on the DPDI Bill

Since its arrival in 2022, we have raised concerns about the DPDI Bill’s risks to data privacy, transparency and control. Data protection should be a central focus, especially as more AI risks and data breaches emerge.

Our data protection professionals are responsible for safeguarding individual rights and maintaining company compliance. The DPDI Bill, however, waters down existing measures and puts individuals at greater risk of unfairness and data misuse.

Listen to our recent podcast episode, Bashing the Bill, to hear from our hosts and 150 listeners on their opinions of the DPDI Bill. 

Do You Need Data Compliance Support?

We offer various data protection services to help you comply with the UK GDPR and DPA. Our expert team constantly monitors the progress of the DPDI Bill and will ensure your organisation is prepared for its arrival. 

Contact Data Protection People to learn more.