Understanding the UK Data Protection Bill: What it means for your business

In an expert interview, Ben Daley-Gage dissects the complexities of the UK's Data Protection Bill, highlighting elements affecting your business, including data transfers, ePrivacy, and accountability changes. Ben not only forecasts implementation odds but also alleviates concerns for UK and EU businesses.

The new Data Protection and Digital Information (no. 2) Bill (short: DPDI No.2) in the UK holds the key to striking a delicate balance between promoting innovation and safeguarding individual privacy in an increasingly data-driven world.

Soma Ashty, Product Marketing Manager at DataGuard, interviewed Ben Daley-Gage, Data Protection and Privacy Consultant at DataGuard and Advisory Board Member of the International Association of Privacy Professionals (IAPP), about the potential changes in the bill that UK businesses should keep in consideration.

Why is the UK Data Protection Bill relevant and what's the impact on data protection standards?

Soma: Ben, thank you for joining us today. Let's start by addressing the relevance of DPDI No.2. Can you provide some background on what's happening, and why this bill is important?

Ben Daley-Gage: Sure! Currently of course, post-Brexit data protection in the UK is driven by the UK GDPR (still a close reflection of the EU GDPR) and the Data Protection Act 2018.

The new DPDI Bill proposes a number of changes which would start to move the UK into a different stance on some key definitions, such as what is defined as personal data and how we process and manage it, even dealing with data rights, governance and taking overall direct responsibility.

In simple terms, I believe the aim is to find a solution that maintains and promotes equally high levels of data protection, yet at the same time makes the management of this more accessible and approachable in line with current business practices and approach - modernisation if you like.

Soma: Now, could you shed light on the impact of this bill? Which areas of privacy are likely to be affected by the proposed changes?

Ben Daley-Gage: The bill has several significant impacts. One key area is international data transfers. The bill aims to streamline this process by introducing adjustments to how data transfers are managed. It allows organisations more opportunity to self-assess if the data protection standards in the destination country align with those in the UK; this remains an area of particular discussion and interest at the moment.

The bill also introduces changes to ePrivacy, affecting cookie consent requirements and email marketing rules. Additionally, there are modifications in accountability and impact assessments. This includes changes in records of processing activities (RoPAs) and a rebranding of data protection impact assessments (DPIAs) for high-risk processing.

What does ePrivacy mean? ePrivacy is a directive focusing on electronic communication, cookies, and trackers. It complements the UK GDPR by safeguarding communication confidentiality, limiting tracking, and reducing spam.

What falls under high-risk processing? The use of innovative technologies (artificial intelligence, machine learning, facial recognition, biometrics) as well as profiling and tracking (predictions, behaviour analysis, online monitoring).

What actions businesses should take

Soma: Considering these changes, what actions should businesses be prepared to take?

Ben Daley-Gage: Businesses need to be proactive in understanding and adapting to these changes.

  • For international data transfers, it's crucial to familiarise themselves with the new data protection test and the factors considered for assessment to be ready for any changes in requirements should they fall into place.
  • For ePrivacy, businesses should ensure that they understand the exemptions and changes in email marketing rules.
  • Regarding accountability and impact assessments, businesses engaged in high volume or high-risk processing, including processing Special Category data, should make sure they assess or re-assess their processes to ensure they drop in line with the new requirements - although of course this should be a regular assessment any business undertakes already.

Soma: Thank you for those insights. Could you provide an expert analysis of the bill? How does it align with previous proposals, and what key points should stakeholders be aware of?

Ben Daley-Gage: The bill closely resembles abandoned 2022 proposals, emphasising changes to personal data definitions, processing rules, data rights, governance, and accountability.

It emphasises research purposes, modifies record-keeping obligations, and potentially supports a shift for some responsibilities from data protection officers (DPOs) to Senior Responsible Individuals (SRI) for smaller businesses. The government's goal is to balance innovation with data protection. 


Outlook and how to stay up to date

Soma: It's interesting to see the balance the government aims to achieve. Could you also share some critiques or concerns that have been raised about the bill?

Ben Daley-Gage: While the bill strives for innovation and simplification, there are concerns about the role of the Secretary of State in approving Codes of Practice. Some worry that this could lead to an institutional bias in favour of data controllers, potentially undermining the interests of data subjects. This aspect deserves careful consideration as the bill progresses through Parliament.

Soma: Thank you, Ben, for your valuable insights. Can you also provide an outlook on the next steps for businesses?

Ben Daley-Gage: You're welcome. The bill is currently undergoing the legislative process and is expected to be released in 2024. Meanwhile, I advise everyone to stay informed and engage in discussions around data protection. There is still a way to go yet before this becomes law.

Moreover, if you're uncertain about how it might impact your business, whether operating in the UK or EU, getting in touch with your Data Protection Officer (DPO) is always a wise move.


About the author

Ben Daley-Gage

Senior Privacy Consultant

Ben is a Senior Privacy Consultant in DataGuard’s UK Privacy Practice and is a legal expert for UK and EU data protection law. With over 10 years’ experience as a data protection and privacy practitioner, he holds the CIPP/E, CIPM and CIPT certifications from the International Association of Privacy Professionals (IAPP), as well as the Practitioner Certificate in Data Protection issued by the British Computer Society (BCS). Having previously worked as a Data Protection Officer for a UK Government agency, Ben also has experience working in higher education, healthcare, and fundraising, and is passionate about providing practical data protection and privacy advice that allows organisations to meet business goals while upholding people’s rights.
