UK GDPR: what’s changed in the latest UK GDPR bill?

After voting to leave the European Union, the UK government announced that it would be drawing up a draft for a new UK GDPR bill. In fact, in October 2022, the UK government announced that it would be entirely replacing the EU’s version of GDPR. However, such an about face on GDPR did not happen.

On 8th March 2023, the Department for Science, Innovation and Technology (DIST), introduced this new Data Protection Bill to Parliament. If passed, the bill will make changes to the current UK GDPR, the Data Protection Act of 2018 and the Privacy and Electronic Communications Regulations – it does not, however, replace the previous bill with an entirely new one.

You can view the 212-page new UK GDPR bill, titled ‘Data Protection and Digital Information (No. 2) Bill’, here.

The government has stated that the new legislation is intended to make it simpler for all businesses to understand and implement GDPR protocols and guidelines. The legislation also purports to provide over £4.7 billion in savings for UK businesses that no longer have to spend exorbitant amounts of money on certain compliance rules and red tape (New UK GDPR press release).

However, the previous version of the GDPR law we all know and understand has not been forgotten. This new bill is built on the same foundations, obligations, and principles of its predecessor. This means that businesses that are already compliant with the current version of UK GDPR, will not need to make any required changes to qualify for the new bill.

Then, what exactly is the point of the new UK GDPR bill? In the government’s words: to make certain clarifications on data protection and privacy rights and build on everything they have learnt about GDPR compliance over the last five years.

In today’s article, we will be running through the major changes to UK GDPR introduced via the new bill and what the expert consensus is on the changes proposed.

What is new with UK GDPR 2?

There are a myriad of changes and additions with UK GDOPR 2.0, but we have put together a handy list of the major points CISOs, DPOs, and security leaders need to be aware of:

Cut out ‘pointless’ paperwork: The new bill will cut out 'pointless' paperwork that only intends to demonstrate compliance in a corporation. The goal here is to allow small and medium-sized businesses to kick on and not be bogged down by red tape and recurring instances of compliance verification. Instead, with the new bill, only organisations who process high risk data, involving an individual's rights and freedoms, will need to keep processing records. The government states that there is no need to have a one size fits all approach to UKGDPR because one size does not actually fit all – an example of the government looking to build on what they have learnt about GDPR since its initial adoption.

Simplify legitimate interests: the bill includes a list of 'recognised legitimate interests' that organisations can use without having to conduct and record a balancing test. Again, this is building on the actions and knowledge the lawmakers have gained about UK GDPR over the last five years. As you can already see, the new GDPR bill is all about streamlining the data protection and privacy process.

Encourage data analysis commercially: The new GDPR bill updates the definition of scientific research to encourage scientific research in the commercial sector as well as academia, but only in public interest-based cases. In the past, organisations that collected data from employees or customers were not allowed to process said data for analysis, in the same way a scientific study is able to. Under the new bill, commercial enterprises will be able to use data they collect to inform their decisions and actions moving forward – even if they have not specifically informed or gained consent of the individual whose data they possess.

Support international data sharing: The new GDPR bill allows the use of existing international data transfer mechanisms to share personal data, meaning British businesses will not need to pay for or complete new checks internationally. This was a big worry when the UK government announced an alternative to the EU’s GDPR rules, as many felt the new bill would just be swathes of red tape. In truth, or at least at first glance, the aim is to make it easier to share data inside and outside of European territories as the data sharing protocols are far more flexible now.

Increase fines for direct marketing: Another major change in the new GDPR bill is an exponential increase and ratcheting up of fines for direct marketing. In a bid to crack down on nuisance calls and texts, the maximum fine for unwanted direct marketing has been increased from £500,000 to £17.5 million or 4% of global annual turnover (whichever is higher).

DPOs will be replaced by SRIs (Senior Responsible Individual): Data Protection Officers, a role created because of the original GDPR law, will make way for a new role called SRI. Organisations will need to appoint a senior person (can already be a part of your organisation or security leadership team) for this role responsible for high-risk processing.

Reduce 'annoying' cookie pop-ups: The bill switches from the current cookie pop-up option to a browser-based opt-out model to conduct its online tracking. The bill permits cookies to be placed on a user’s device without explicit consent “for a small number of other non-intrusive purposes.” The bill then goes on to state websites will now need to give the user clear information of how to opt-out of cookie collection rather than opt-in.

Changes to record keeping: In what some are labelling a regressive step, the government has lessened the requirements on businesses to keep records and be proactive in data processing activities. Experts state that this will lead to businesses being slower to respond to user requests for data and will impact their ability to provide information and comprehensive accounts following a security breach.

Changes to ICO (Information Commissioner’s Office): Another worrying aspect of the new GDPR bill is the proposed changes to the watchdog ICO. The new bill states that the DSIT secretary of state will appoint a new board with new members to the ICO. Some commentators have stated that this could undermine the office’s independence and could even lead to the secretary of state influencing guidance and priorities. Experts are worried about this proposed change as it seems to be railing against something that does not exist. The ICO is not anti-business as this change seems to suggest – so, are there other intentions with this change?

What do the experts think?

Privacy experts and data protection champions are split on the strengths and weaknesses of the new GDPR bill, with everyone highlighting a myriad of pros and cons. Let’s run through a few takes:

• Edward Machin, associate at Ropes & Gray data, privacy & cybersecurity, told TechCrunch: “The proposals to broaden the scope of scientific research are positive and seek to address the challenges of current practice in a reasonable and sensible way for UK research. But not all the changes will be welcomed (or are needed) and interference with the ICO’s independence remains a concern that will hopefully be corrected during the legislative process.”
• On the 7th of March 2023, the Open Rights Group, consisting of 26 civil society groups wrote an open letter to the secretary of state stating the new proposal contains “many concerning and ill-considered proposals which endanger UK residents and UK data protection”.
• Julian David, CEO of TechUK, is full of praise of the bill’s new data collection encouragement: “TechUK welcomes the new, targeted package of reforms to the UK’s data protection laws, which builds on ambitions to bring organisations clarity and flexibility when using personal data. The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services and develop innovative technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU.”
• Jonathan Kirsop, Partner and Head of Technology, Media, and Telecoms at Pinsent Masons, has been commenting on the new permissions organisations have for data collection and analysis: “Businesses will welcome reforms that promote innovation – like new rules that should make it easier for them to use technologies like artificial intelligence (AI) systems in a way that supports automated decision making – as well as a reduction in some administrative burdens, like those around record keeping. However, they are also likely to look for simplifications and clarifications to emerge in some areas as the Bill passes through parliament – for example, businesses will be looking for clarity on whether or when their technological development could reasonably be described as scientific.”
• Jonathan Armstrong, Partner at Cordery told Infosecurity that the new bill removing red tape is not necessary: “The general idea was to remove some red tape, to help the plumber who thinks GDPR is a burden. However, in some ways, it would bring more red tape. A UK organisation with links with any EU economy will have to comply to two data protection regimes instead of one.”

UK GDPR: in the UK government’s own words

Michelle Donelan, Secretary of State for DSIT, said: “I can promise you here today ... that [data protection legislation] will be simpler and clearer for businesses to navigate.”

She continues by stating the bill will ensure “we are the most innovative economy in the world and that we cement ourselves as a Science and Technology Superpower” and that it will “reduce costs and burdens for UK businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online.”

If it is not clear already, the new UK GDPR bill is all about reducing administrative steps that small and medium sized businesses only view as obstacles and red tape. And whilst many of the changes in the new bill do indeed lessen the level of friction you can expect, it does come with critics and obvious drawbacks that security leaders need to be aware of and prepared for.

We must keep in mind that the new GDPR bill has not been passed into law just yet and is still subject to alteration. A date for the second reading of the new bill in the House of Commons has still to be confirmed.

Not only will DSIT be considering the response of experts and businesses to the proposed bill, but they may also need to combat legal challenges if our international partners are not convinced of the strength of the new bill compared to the EU version.

If you would like more information about how The Security Company can help your financial organisation to deliver data protection and privacy training ... or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact  Jenny Mandley.