UK Editor

UK Data Protection and Digital Information Bill introduced in Parliament

News Analysis
Mar 08, 2023, 5 mins
Compliance, Data and Information Security, Data Privacy

Bill seeks to help UK businesses take advantage of post-Brexit data sharing and protection opportunities. Experts say divergence from EU GDPR only increases compliance complexity and cost.

The UK Data Protection and Digital Information Bill was reintroduced in Parliament today as the UK government looks to implement a new, UK version of the European Union (EU) General Data Protection Regulation (GDPR). The bill was first introduced last summer but paused in September 2022 so ministers could engage in a co-design process with business leaders and data experts. This was to ensure that the new regime is built on the UK’s high standards for data protection and privacy, protecting data adequacy while moving away from the ‘one-size-fits-all’ approach of the EU’s GDPR.

The bill, introduced by Secretary of State for Science, Innovation and Technology Michelle Donelan, aims to reduce the amount of paperwork organisations need to complete to demonstrate compliance, increase public and business confidence in AI technologies, and allow businesses to use their existing international data transfer mechanisms to share personal data overseas if they are compliant with current UK data laws. It also introduces changes such as increased fines for nuisance calls/texts and establishes a framework for the use of trusted and secure digital verification services.

Bill seeks to take advantage of post-Brexit data sharing, protection

As it has been co-designed with businesses, the bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and customs, according to Donelan. “Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR. Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.”

The government claims the improved bill will:

  • Introduce a simple, clear, and business-friendly framework that will not be difficult or costly to implement. It takes the best elements of GDPR and provides businesses with more flexibility about how they comply with the new data laws.
  • Ensure the new regime maintains data adequacy with the EU and wider international confidence in the UK’s comprehensive data protection standards. This will ensure British businesses do not need to pay more costs or complete new checks to show they’re compliant with updated rules.
  • Further reduce the amount of paperwork organisations need to complete to demonstrate compliance. Only organisations whose processing activities are likely to pose high risks to individuals’ rights and freedoms will need to keep processing records.
  • Support even more international trade without creating extra costs for businesses if they’re already compliant with current data regulation.
  • Provide organisations with greater confidence about when they can process personal data without consent.
  • Increase public and business confidence in AI technologies by clarifying the circumstances when robust safeguards apply to automated decision-making. People will be made aware when such decisions are made and can challenge and seek human review when those decisions may be inaccurate or harmful.

Bill increases fines for nuisance calls/texts, reduces consent pop-ups

The bill will also increase fines for nuisance calls and texts, and aims to reduce the number of consent pop-ups people see online, read a Department for Science, Innovation and Technology press release. Furthermore, it will establish a framework for the use of trusted and secure digital verification services, allowing people to prove their identity digitally if they choose to do so.

The Information Commissioner’s Office (ICO) will be strengthened, too, with the creation of a statutory board with a chair and chief executive to help it remain an independent data regulator and better support organisations to comply with data regulation. The data reforms are expected to unlock £4.7 billion in savings for the UK economy over the next 10 years and maintain the UK’s internationally renowned data protection standards so businesses can continue to trade freely with global partners, including the EU, according to the Department for Science, Innovation and Technology.

“I welcome the reintroduction of the Data Protection and Digital Information Bill and support its ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights,” said John Edwards, UK information commissioner. “Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The bill will ensure my office can continue to operate as a trusted, fair, and independent regulator. We look forward to continuing to work constructively with the government to monitor how these reforms are expressed in the bill as it continues its journey through Parliament.”

Divergence from EU GDPR increases compliance complexity, costs

The UK government fails to realise that by diverging from the EU GDPR, they are adding complexity for those companies that will now need to comply with two different sets of legislation, argues Tash Whitaker, global data compliance director at Whitaker Solutions Ltd. “This will not reduce costs for any business that trades outside the UK. Rather, it will increase them,” she tells CSO.

The government have been very uncertain about the progress of this on-off bill, and it’s ironic when the whole idea is to create certainty for businesses – the way they have managed this has had the opposite effect, adds Jonathan Armstrong, data and technology compliance lawyer, partner at Cordery Compliance. “They still haven’t demonstrated any real benefits in tinkering with GDPR. There is no credible evidence to support the claimed costs savings. Changing definitions doesn’t make compliance easier. In fact by introducing different rules from the rest of the EU, it increases the costs.”

Many businesses are already struggling with a Brexit burden – the added costs of doing business since the UK left the EU. “For most businesses, this just adds to the Brexit burden for no tangible benefit,” Armstrong says.

Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
