The UK recently introduced a new data protection bill, titled the Data Protection and Digital Information (No.2) Bill (the Bill). The Bill is still at an early stage (second reading), and it remains to be seen how it will be amended, if at all, but we wanted to take the opportunity to give you an indication of some of the more practical changes that the Bill seeks to introduce, and its potential impact on organisations subject to UK data protection law.

Broadly speaking, the Bill aims to amend a number of provisions in the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003. However, while these amendments appear to try to make life easier for organisations, our sense at this stage is that they are generally more cosmetic than substantive (though this will become clearer as and when we receive further guidance from the Information Commissioner’s Office (ICO)). The changes that might have the biggest impact are those that allow scope for the UK Government to make further amendments to data protection law at a later stage (though we won’t go into too much detail about those in this post).

Summary of Key Changes

1. Definitions (Easier anonymisation?)

Proposed Amendment: The current definition of personal data (information that relates to an identifiable individual) will be supplemented to provide that information is personal data where the relevant organisation can (a) identify the individual at the time of processing or (b) knows or ought reasonably to know that the individual will be identifiable by another person by reasonable means at the time of processing. ‘Reasonable means’ includes time, effort, costs and other resources available to the other person.

Comment: The supplemented definition seeks to ease the burden on organisations when sending information to a third party that could (in principle) identify individuals from that information but who are unlikely to be able to do so (because doing so would require extensive resources etc.). Where this is the case, the data would be considered anonymised, and therefore not personal data. The amendment makes the definition of personal data more subjective, but it also reflects what is already set out in the ‘motivated intruder’ test in the ICO’s Anonymisation Guidelines, so it’s not clear that this is a significant change from a practical standpoint.

2. Lawful Basis (Recognised Legitimate Interests)

Proposed Amendment: Currently, in order to rely on the lawful basis that processing is in an organisation’s legitimate interests, an organisation must conduct a legitimate interest assessment to balance its interests against the rights of the individuals whose personal data is being processed. The Bill would introduce a new Schedule to the UK GDPR, setting out a specific list of ‘recognised legitimate interests’ that do not require a legitimate interest assessment (including e.g. processing for the prevention or detection of crime and safeguarding vulnerable individuals).

Comment: This addition will be of benefit to organisations who wish to rely on legitimate interests in a limited set of circumstances (note that the list of recognised legitimate interests does not include processing for commercial purposes). One caveat: if an organisation is processing special category data (e.g. data relating to race, health, religion, ethnicity, philosophical beliefs etc.) or criminal convictions data, the organisation will still need to meet the requirements of Articles 9 and 10 UK GDPR as appropriate, so there may still be some work to do to ensure that the relevant data is being processed lawfully, even if a recognised legitimate interest applies.

3. International Data Transfers (Risk-based Transfer Risk Assessments)

Proposed Amendment: The Bill sets out further detail about how organisations should conduct transfer risk assessments. In particular, organisations “acting reasonably and proportionately” must consider whether the standard of protection provided by e.g. (a) standard contractual clauses, (b) the recipient country’s laws and practices and (c) the use of other safeguards would result in materially lower standards than those in the UK GDPR.

Comment: This codifies the UK’s ‘risk-based approach’ in relation to transfer risk assessments, which is already set out in the ICO’s guidance on transfer risk assessments. NB If an organisation is subject to both the EU GDPR and the UK GDPR, it will still need to undertake the more detailed EU standard of transfer risk assessment for personal data subject to the EU GDPR.

4. Data Protection Officers and Personnel (DPOs replaced by SRIs)

Proposed Amendment: The Bill proposes to: (a) remove the requirement for organisations not established in the UK to appoint a UK representative and (b) replace the position of Data Protection Officer (“DPO”) with that of ‘Senior Responsible Individual’ (“SRI”). SRIs would be required where processing is likely to result in a high risk to the rights and freedoms of individuals. Practically speaking, the duties of an SRI appear to be similar to those of a DPO, but note that SRIs must be part of the organisation’s senior management.

Comment: The current UK GDPR requirement for DPOs to be independent is something that many organisations have found challenging, particularly smaller organisations where individuals have a number of roles and conflicts of interest can be difficult to avoid. The new role of SRI may be helpful in this regard, since the SRI can (and must) be part of senior management. However, organisations subject to both the EU GDPR and UK GDPR might need to appoint both an SRI and a DPO (because an SRI might not be sufficiently independent); how these two roles will interact remains to be seen.

5. Data Protection Impact Assessments (DPIAs replaced by assessments of high risk processing)

Proposed Amendment: The name of DPIAs has been changed to ‘assessments of high risk processing’. The Bill proposes to (among other things): (a) remove the list of scenarios where a DPIA is automatically required (though it includes scope for the ICO to produce its own list) and (b) reduce the information that must be included in a DPIA (the list of information is now less prescriptive and detailed).

Comment: At first glance, it appears as though the UK is attempting to make the ‘assessment’ process more flexible and less onerous for organisations, but it remains to be seen whether this will in fact be the case. Many of the proposed changes to the DPIA provisions in the UK GDPR seem to be cosmetic and aimed at removing ‘EU terminology’ (e.g. the removal of references to necessity and proportionality). Further guidance from the ICO would be welcome on this point.

6. Records of Processing Activities (ROPA requirements removed)

Proposed Amendment: The Bill seeks to remove the obligation on organisations to maintain a record of processing activities (as currently required under Article 30 UK GDPR).

Comment: While this is likely to ease some burden on organisations, it may still be useful for organisations to keep a record of processing so that they can effectively comply with their accountability obligations under the UK GDPR and/or, for example, in case the organisation needs to provide details of its personal data processing to a third party (for example in the context of a merger or acquisition).

7. Data Subject Requests (Vexatious or excessive exemption)

Proposed Amendment: The Bill proposes to replace the “manifestly unfounded or excessive” exemption with a “vexatious or excessive” exemption. This means that organisations would be able either to refuse to comply with a request, or to charge a fee for complying, if the request is vexatious or excessive (with the burden of proof for showing that on the organisation). Examples of factors indicating a vexatious or excessive request include a request which is intended to cause distress, made in bad faith or an abuse of process.

Comment: Again, the practical implications of this new exemption remain to be seen. The term ‘vexatious’ is borrowed from an exemption under the UK’s Freedom of Information Act, but further guidance will be needed in order to determine how widely the term ‘vexatious’ can be interpreted in a data protection context and/or whether the removal of the need for a request to be ‘manifestly’ excessive lowers the threshold for relying on the exemption.

8. Complaints to Organisations (A new right to complain)

Proposed Amendment: The Bill would introduce a formal right for individuals to complain directly to organisations and a corresponding obligation on organisations to facilitate the making of complaints, e.g. by providing a complaint form that can be completed electronically. Organisations would need to acknowledge receipt of a complaint within 30 days and take steps to respond without undue delay. The ICO could refuse to act on a complaint if it hasn’t been directed to the relevant organisation first.

Comment: This is another example of the Bill codifying something that already happens in practice – the ICO already pushes individuals to try to resolve complaints directly with organisations in the first instance. The requirement to facilitate the making of complaints is new, though, and it remains to be seen how formal that facilitation needs to be (and whether a specific complaint form becomes an obligation or whether organisations will be able to facilitate complaints by having e.g. a designated email address).

9. Marketing Rules (Soft opt-in for non-commercial organisations)

Proposed Amendment: The Bill would expand the ‘soft opt-in’ exemption to non-commercial organisations, so that such organisations would be able to send marketing for furthering a charitable, political or other non-commercial objective if the relevant contact details were obtained in the course of an individual expressing an interest in, or providing support for, that objective. Currently the exemption only applies to commercial organisations who obtained the relevant details in the context of a sale (or negotiation for a sale).

Comment: This amendment will be music to the ears of charities and other non-commercial organisations, who would be able to send marketing to supporters without having to obtain their opt-in consent first on each occasion.

10. Cookies (Further exemptions to the consent rule)

Proposed Amendment: Currently, organisations must obtain consent prior to placing cookies, except ‘essential cookies’ required to enable the relevant website to function correctly. The Bill seeks to expand the types of cookies that do not require consent, including (a) statistical cookies to make improvements, (b) cookies that enable the appearance or function of a website to reflect user preferences, (c) installing necessary security updates to software on a device and (d) identifying an individual’s geolocation in an emergency.

Comment: This may well help some organisations who use cookies purely for functionality rather than e.g. for advertising, since such organisations may not need to obtain consent (e.g. via a cookie banner) prior to placing cookies. However, for other organisations who do use advertising cookies, analytics cookies etc., not much will change here.

11. Automated Decision Making (A relaxation of rules to encourage AI?)

Proposed Amendment: The Bill would replace Article 22 UK GDPR (which currently relates to automated decision making) with a number of new automated decision provisions and would provide that automated decision making is decision making with no ‘meaningful human involvement’. The reference to individuals having a right not to be subject to automated decision making would be removed: instead, restrictions will be placed on ‘significant decisions’ based solely on automated processing (including prohibition on decisions based on special category data except in certain circumstances and requirements to inform individuals of automated decision making about them and allowing them to challenge such decision making).

Comment: This appears to be a watering down of the provisions on automated decision making – perhaps to encourage the development of artificial intelligence and similar technology in the UK (but again, the practical implications remain to be seen!).

We will continue to keep you abreast of any developments with the Bill and its passage through Parliament, and will also be holding a number of workshops on the Bill’s effects on different sectors in due course.