Data protection law reform: or is it?

By Kate Edwards, Birketts

On 18 July 2022, the Department for Digital, Culture, Media and Sport (DCMS) introduced the Data Protection and Digital Information Bill to Parliament.

Published in Norfolk Director Magazine Winter 2023

Legal: Birketts

The Bill amends the current version of the GDPR retained as UK law post-Brexit (the UK GDPR). It was heralded as reformative and intended, according to the DCMS, to simplify UK data protection laws. It would remove barriers to using personal data for research and innovation purposes and cut compliance red tape burdening smaller organisations. The Bill would do this while retaining the UK’s high data protection standards, which earned an adequacy decision from the EU.

Is the compliance burden really reduced?

The UK GDPR is hot on compliance documentation. Two key examples are the Record of Processing Activity and Data Protection Impact Assessments (DPIAs). The former is a hard requirement for controllers and processors, with a narrow exemption for smaller organisations with under 250 staff. The latter must be completed by controllers performing high-risk processing activities, some of which are specifically listed in the UK GDPR.

Whilst the Bill amends the language of the relevant UK GDPR provisions, little change is actually delivered. Organisations, including smaller organisations carrying out high-risk processing, must still document their personal data processing activities. An ‘assessment of high-risk processing’ replaces DPIAs, but the issues to be assessed are unchanged. The threshold triggering an assessment is also the same, although the current list of specific processing activities triggering mandatory assessment is removed.

Similarly, the Bill ostensibly reduces organisational burden by removing the need to appoint a data protection officer (DPO). Instead, however, the Bill requires a Senior Responsible Individual (SRI), who must be a member of senior management, to oversee compliance and act as liaison with the Information Commissioner’s Office. The SRI need not be a data protection expert and may delegate the performance of (although not responsibility for) their statutory tasks to other appropriate individuals.

Ironically, the areas where we do see more material change appear somewhat contradictory to the DCMS’s stated aims in introducing the new legislation. In particular, the Bill’s provisions governing the processing of personal data for research purposes add new safeguards preventing research (except for approved medical research) from impacting individual data subjects.

Material changes that will impact a broader range of organisations are the revisions to fines under the Privacy of Electronic Communications Regulations 2003 for non-compliant electronic direct marketing communications and cookie usage. These are set to increase significantly to equal fines for breaches of the UK GDPR.

When will the law change?

The Bill is now under the steerage of Michelle Donelan, Secretary of State for DCMS, who replaced the Bill’s original supporter, Nadine Dorries. The Secretary of State used her speech at the Conservative Party Conference in October to announce that the Bill required significant re-drafting before it would be considered further. We can, therefore, only watch this space.

Main photo credited to Jecapix / iStock via Getty Images / Kate’s photo credited to Sylvaine Poitau



Kate Edwards, Solicitor in Data Protection Team at Birketts

