There’s a new bill in town: need to knows about the Data Protection and Digital Information Bill

It’s been pitched as part of a new post-Brexit business and consumer-friendly British data protection system. But what do the proposed changes mean for you?

By Nigel Jones

Co Founder of The Privacy Compliance Hub

October 2022

It’s been a turbulent few months in the UK. Since 18 July when the Data Protection and Digital Information Bill was introduced in the House of Commons, the Queen has died, Liz Truss has resigned, and a recession is looking increasingly likely. The Bill’s second reading, which was due on 5 September, was postponed because of a change of Prime Minister. On 13 October, Conservative minister Julia Lopez confirmed ministers are still considering its proposals. 

The Bill stems from the government’s plans to “seize the benefits of Brexit” by updating and simplifying data protection law in the UK. The government says it wants to reduce regulatory burdens on businesses while maintaining high protection standards demanded by the GDPR. 

The current secretary of state for the Department for Culture, Media and Sport, Michelle Donelan, told the recent Conservative party conference she would be: “replacing GDPR with our own business and consumer-friendly British data protection system”. 

“It’s time we seize this post-Brexit opportunity fully and unleash the full growth potential of British business,” she added. “We can be the bridge across the Atlantic and operate as the world’s data hub.”

This latest announcement has created unwelcome uncertainty for business. Of course, with the UK government so unstable, Donelan’s announcement may be moot. But here are some of the main changes proposed in the Bill introduced by Boris Johnson’s government:

Changes to the UK GDPR

Legitimate interests

The Bill proposes a list of recognised legitimate interests (e.g. detecting, investigating or preventing crime), which would form a new lawful basis for processing personal information and remove the requirement to conduct a legitimate interests assessment. Any processing would still need to satisfy the principles of necessity and proportionality. This would prevent, for example, an employer conducting intrusive surveillance of employees in the name of detecting, investigating or preventing crime – we’re looking at you, Ikea.

Subject access requests (SARs)

As it stands, an organisation can refuse to comply with a SAR, or charge a reasonable fee for complying with it, if the request is considered manifestly unfounded or excessive. The Bill would change the threshold for charging a fee, bringing it in line with the grounds for refusing a freedom of information request. However, critics have pointed out that equating SARs with FOI requests is problematic: while anyone can submit an FOI request, SARs are restricted to the requestor’s own personal information.

Automated decision-making

Data subjects would have the right not to be subjected to automated decision-making where their personal information being processed is special category data, as opposed to the current general prohibition. Controversially, any exceptions and safeguards could be easily amended by a secretary of state in the future, as opposed to via a Bill that has to win approval in the House of Commons and the House of Lords. 

UK representatives

Organisations based outside of the UK with no presence in the country will no longer be required to appoint a representative in the UK. The purpose of representatives is to make it easier for UK residents to enforce their UK GDPR rights and for the Information Commissioner to exercise its powers against organisations based outside the UK. 

Data protection officers (DPOs)

Certain businesses are required to appoint a DPO with expert knowledge of data protection law, who is given specific protection under the UK GDPR to perform their duties. This requirement will be replaced with an obligation to designate a ‘senior responsible individual’ (who should be a member of the senior management team) with responsibility for data protection matters.

Article 30 record or record of processing activities (ROPA)

The requirement to keep a record of data processing activities set out in Article 30 of the UK GDPR will be replaced with a requirement to maintain an ‘appropriate record of personal data’. Organisations whose records comply with the form currently prescribed by the UK GDPR will satisfy the requirements set out in the proposed Bill. Organisations which sell into the EU must continue to keep a record of processing activities in the current form anyway.

Data protection impact assessments (DPIAs)

The new requirement is for ‘assessments of high-risk processing’ rather than DPIAs, and is more limited in scope. The obligation to consult the Information Commissioner where a high risk to the rights and freedoms of individuals has been identified but cannot be mitigated will become voluntary. DPIAs are vital in mitigating risk and potential data protection harms to individuals. It is as yet unclear what the practical differences will be between a DPIA and an ‘assessment of high-risk processing’, but any ‘watering down’ of such assessments would be undesirable and, in any event, a UK business which wants to sell into the EU would still be required to conduct a DPIA in high-risk circumstances.

Data protection complaints

The Information Commissioner will be given new powers to refuse to act on an individual’s complaint if it has not also been made to the relevant organisation, if the company has not finished dealing with the complaint (and 45 days have not passed), or the complaint is vexatious or excessive.

Changes to the Privacy and Electronic Communications Regulations (PECR)

Currently, setting a cookie on a user’s device requires UK GDPR-standard consent. The only exception is where the cookie is ‘strictly necessary’ for the provision of the service requested by the user, such as cookies which enable login. The Bill proposes to extend the circumstances in which user consent is not required to set cookies on a device. This would include cookies deployed to collect information for statistical purposes with a view to making improvements to the service (such as web analytics), provided the user is given a simple means of objecting.

Nuisance communications

The Information Commissioner would be able to investigate and act against organisations sending unsolicited direct marketing communications, regardless of whether they have actually been received by the intended recipient. 

The ‘soft opt-in’

The Bill extends the use of the ‘soft opt-in’ exception (to the requirement that consent must be obtained for direct marketing communications), to charities, political and other non-commercial organisations.

New duty to report unlawful marketing activity 

Public electronic communication service providers and public communication network providers will have to report any ‘suspicious activity’ to the ICO relating to unlawful direct marketing within 28 days of first becoming aware of it. 

Increased fines

The maximum fines under PECR would increase in line with those applicable under the UK GDPR, from the current cap of £500,000 to a maximum penalty of £17,500,000 or 4% of the organisation’s total annual worldwide turnover, whichever is higher. 

On the whole, the changes proposed in the Bill are relatively measured and modest. But the prospect of the UK going further as suggested by Michelle Donelan and ploughing its own data protection furrow is largely unwelcome. That could have implications for the UK’s data adequacy decision from the European Commission (allowing the free flow of personal information from the EU to the UK). It would also force businesses to comply with an unfamiliar UK data protection regime after they have spent four years getting to grips with the GDPR, not to mention the additional regulatory burden on those businesses which would have to continue to comply with the GDPR in parallel.