Small businesses in the UK have been facing significant challenges when it comes to complying with the General Data Protection Regulation (GDPR). The requirement to fulfil Data Subject Access Requests, perform data risk assessments, and adhere to data breach policies can be overwhelming, especially for small businesses with limited resources.
To help streamline these processes and ensure that personal data is adequately protected, the UK Government has introduced to parliament the Data Protection and Digital Information (No. 2) Bill. This Bill, which was presented to the House of Commons in March 2023, aims to make it easier for both small and large businesses to conduct their operations while maintaining compliance with GDPR regulations.
In this article, we will take a closer look at the key provisions of the UK Data Protection and Digital Information Bill and how it can benefit businesses.
What is the Data Protection and Digital Information (No. 2) Bill?
The Data Protection and Digital Information notes (which are extremely comprehensive) state:
“This Bill is intended to update and simplify the UK’s data protection framework to reduce burdens on organisations while maintaining high data protection standards.”
The Bill aims to provide more flexibility when complying with the legislation and clarify the often confusing aspects of cross-border data transfers.
In addition, the Bill puts provisions to reform the Information Commissioner’s Office (ICO), including its governance structure, duties, enforcement powers, reporting requirements, data protection complaints processes, and its development of statutory codes of practice.
A framework for providing UK digital verification services is also included to enable digital identities and attributes to be used with the same confidence as paper documents and regulations covering smart data schemes.
Other effects of the Data Protection Bill include the following:
- Increasing fines for nuisance calls and texts under the Privacy and Electronic Communications Regulations (PECR)
- Updating the PECR to reduce ‘user consent’ pop-ups and banners
- Allowing for the sharing of customer data through smart data schemes to provide services such as personalised market comparisons and account management
- Reforming how births and deaths are registered in England and Wales enables the move from a paper-based system to electronic registration
- Facilitating the flow and use of personal data for law enforcement and national security purposes
- Creating a clearer legal basis for political parties and elected representatives to process personal data for democratic engagement
Data Protection and Digital Information Bill summary
Now that the UK has left the EU, the Government wants to take advantage of the opportunity to improve data protection compliance for businesses while maintaining high standards of personal data protection.
The Government believes certain elements of the UK GDPR and the Data Protection Act (DPA) 2018 – “create barriers, uncertainty, and unnecessary burdens for businesses and consumers”.
In addition, following an extensive research and consultation process, the Government believes that the current data protection legislation leads to box-ticking compliance activities rather than “one which encourages a proactive and systemic approach.”
Also, it has been identified that researchers require more flexibility concerning re-using personal data for long-term research projects.
Why is the ICO being reformed?
The ICO is being reformed by the UK Government to provide a more transparent and comprehensive framework for the supervisory authority's role in protecting personal data.
The Data Protection and Digital Information Bill introduces Section 120A, which outlines a new principal objective for the ICO. This objective requires the ICO to prioritise securing an appropriate level of safeguarding for personal data, considering the interests of data subjects, controllers, and other parties, as well as matters of general public interest. The ICO must also promote public trust and confidence in the processing of personal data.
Furthermore, Section 120B mandates that the ICO publish a "forward-looking" strategy that outlines how it will balance economic growth and data protection functions. These changes demonstrate the UK Government's commitment to ensuring that personal data remains secure and that individuals' privacy rights are respected in the digital age.
Get legal assistance from LawBite
The proposed Data Protection and Digital Information Bill brings about significant changes to data privacy and protection laws in the UK. One notable amendment is Clause 13, which seeks to remove Article 27 from the UK GDPR entirely. This change aims to simplify the compliance process for overseas-based controllers and processors who are required to adhere to UK GDPR under Article 3(2).
As a result, these entities will no longer need to appoint a UK-based representative, and instead, will be allowed to decide on how to facilitate effective communication between themselves, UK data subjects, and the ICO.
If your business needs support navigating these changes and ensuring compliance with data protection regulations and data processing activities, LawBite's team of GDPR specialists can assist you. To find out more book a free 15 minute consultation with a data protection lawyer or call us on 020 3808 8314.
