An Inside Look at the Data Protection & Digital Information Bill 

A Perspective from Joe Kirk:

As a Data ProtectionSupport Desk Consultant, I’m constantly immersed in the challenges faced by organisations and individuals navigating the complex world of Data Protection. In today’s article, I’d like to delve into the recent developments surrounding the Data Protection and Digital Information Bill, after the government released a keeling schedule for the bill earlier this week.  

Complications and Considerations: Upon reviewing the keeling schedule of the reform bill, I must admit that my initial impression was one of disappointment. The changes proposed by the UK government seem to complicate matters unnecessarily, leading one to wonder if there might be a touch of superiority complex at play. Let’s take a closer look at some of the key amendments and their potential implications. 

1. 1.  DPO to “Senior Responsible Individual”: The bill suggests changing the title of Data Protection Officer (DPO) to “Senior Responsible Individual.” This alteration may seem insignificant, but it raises questions about the underlying motivations. Renaming the role could inadvertently dilute the importance and expertise associated with the position, potentially undermining the effectiveness of Data Protection practices within organisations. 

1. 2.  DPIA to “Assessment of High-Risk Processing”: Similarly, the proposed change from Data Protection Impact Assessment (DPIA) to “Assessment of High-Risk Processing” introduces unnecessary complexity. The term DPIA is widely recognised and understood within the industry and altering it might create confusion and additional hurdles for compliance. 

1. 3.  Adequacy Decision to “Data Protection Test”: The concept of an adequacy decision is vital when it comes to international data transfers. However, the bill suggests replacing it with the term “Data Protection test.” While it’s commendable to emphasise the need for robust Data Protection laws, the bill’s apparent willingness to grant adequacy to any country as long as they have a “materially lower” set of Data Protection laws raises concerns. We must ensure that data transfers do not compromise individuals’ rights and freedoms. Additionally, the biggest concern in my opinion, is the possible threat to the UK’s adequacy decision with the EU. 

1. 4.  The “watering down” of RoPAs: One of the most baffling changes is the removal of Records of Processing Activities (ROPA), except in cases where personal data processing poses a high risk to individuals’ rights and freedoms. As we discussed extensively on a previous podcast episode (118), ROPAs are the backbone of an organisation’s Data Protection practices. They play a crucial role in shaping and influencing various aspects of an organisation’s data processing activities. Removing the requirement for ROPAs seems counterintuitive and could have unintended consequences. 

Expert Insights: During the examination of the Data Protection and Digital Information Bill at the committee stage, John Edwards, the UK Information Commissioner’s Office commissioner, shared his insights. Here are the key takeaways from his testimony: 

1. 1.  Clarity of Definitions: Edwards highlighted the need for greater clarity around terms such as “high-risk activity” within the bill’s definitions. Ambiguities in these definitions can impede effective implementation and compliance. 

1. 2.  No Threat to Adequacy: The commissioner reassured us that there is “nothing in the bill that threatens adequacy.” While this provides some relief, we must remain vigilant to safeguard individuals’ data when it traverses international borders. 

1. 3.  Importance of Clarity in Legitimate Interest: Edwards stressed the significance of clarity in the term “legitimate interest.” Providing businesses with clear guidelines and circumstances in which legitimate interest can be invoked reduces uncertainty and promotes compliance. 

1. 4.  The ICO’s New Role: Edwards expressed excitement about the ICO’s new role, positioning it as a supporter of the “empowered citizen.” This suggests a commitment to protecting individuals’ rights and promoting transparency in data processing practices. 

1. 5.  Citizen Rights and Access: Importantly, Edwards stated that the bill presents no challenge to citizens’ ability to access their rights, including the possibility of charging them. This reassurance underscores the ongoing commitment to ensuring that individuals can exercise their Data Protection rights effectively. 

In conclusion, the Data Protection and Digital Information Bill has generated both praise and concerns within the Data Protectioncommunity. As an advocate for Data Protection practices, I must admit that some of the proposed changes appear to complicate rather than simplify matters. Renaming key roles, altering terminology, and removing the requirement for ROPAs all raise valid concerns about the effectiveness and transparency of Data Protection measures. 

However, it’s crucial to note that these observations reflect my personal opinions as Joe Kirk, and I’m open to hearing and considering different viewpoints on these recent developments. Data Protection is a dynamic field, and it’s essential for us to engage in thoughtful discussions and exchange ideas to ensure the best outcomes for individuals and organisations. 

Lastly, mark your calendars for this Friday’s episode of the Data Protection Made Easy Podcast, where I’ll be returning as your host. We have an exciting line-up of discussions planned, and I encourage you to visit our events page and register for any upcoming sessions that pique your interest. Join our passionate community of individuals who share a common dedication to Data Protection and information security. 

Remember, Data Protection is a collaborative effort, and your voice matters. Let’s continue to navigate the ever-changing landscape together, empowering individuals and safeguarding their rights in the digital age. 

By Joseph Kirk
Data Protection Support Desk Consultant
Data Protection Made Easy Host
Connect on LinkedIn: https://www.linkedin.com/in/joe-kirk-98812520a/ 

 Register for episode 122 of the Data Protection Made Easy podcast and listen to Joe Kirk as he discusses the latest developments with our audience of Data Protection Practitioners: GDPR Radio – Episode 122 – News, Views & Opinions