The UK Government introduces its new Data Protection and Digital Information (DPDI) bill to alleviate administrative burdens while continuing to ensure high levels of data protection.
The UK government introduced new data laws in Parliament this week, indicating a move away from the General Data Protection Regulation (GDPR) of the European Union by revising its data processing requirements.
The proposed reforms seek to provide businesses with additional pro-growth opportunities and legislative clarity while maintaining adequate customer protection standards.
Amendments defining legitimate interest
In promoting this agenda, the latest edition of the bill contains amendments to three key areas of existing regulation.
The first is the incorporation of the EU’s General Data Protection Regulation into domestic law under the UK GDRP, followed by revisions to the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) accordingly.
These amendments aim to redefine the scope of ‘personal data’ while eliminating specific constraints and prohibitions, introducing exemptions and establishing a clearer legal framework around certain data processing activities.
One of the most notable changes is the enhanced clarity provided on the definition of legitimate interest, which will prompt more businesses to use it as a valid justification for data processing when suitable.
Many advisors provided incorrect guidance to businesses that consent should be the primary legal basis for data collection, particularly for marketing purposes. This advice limited the businesses’ ability to leverage data for their operational advantage.
The bill now clarifies attracting and retaining customers and donors through direct marketing as a legitimate interest. However, customers still retain an overriding right to object to marketing should they not wish to do business with a specific organisation.
The arrival of this bill in Parliament is timely considering the advent of data-driven regulations, like the Consumer Duty, set to come into force this year.
On this, the DPDI will reduce the amount of paperwork that organisations need to complete to demonstrate compliance in several areas, especially beneficial to smaller organisations.
It has also expanded the range of exemptions to consent for cookies. This will improve the customer experience by reducing the number of consent banners and red tape for legitimate website functionality, to the benefit of online users and businesses.
Consultation period
The UK Parliament first received the DPDI on 18 July 2022, representing a crucial milestone in the UK’s data protection regulations’ post-Brexit development.
In September 2022, the UK’s governmental leadership made changes that resulted in putting the legislative process for the bill on hold to allow for additional assessment.
During the most recent phase of consultation, Chris Combemale, CEO of the Data and Marketing Association (DMA) chaired the Business Advisory Group which provided input to the Secretary of State and the Department for Science, Innovation and Technology.
Combemale says he is “confident that the bill should act as a catalyst for innovation and growth while maintaining robust privacy protections across the UK – an essential balance which will build consumer trust in the digital economy.”
A tentative approach?
Adding to the industry response on the UK Government’s proposed replacement to GDPR, Alistair Dent, chief strategy officer at the UK data consultancy Profusion, confirms that “there’s a lot to like in the announcement of the DPDI bill, not least that it may finally end the uncertainty for British businesses.”
“Reducing the compliance burden on smaller businesses and improving the online experience by tackling cookie pop-ups are sensible and very welcome moves,” he adds.
However, Dent recognises the risk that “in trying to do too much at once,” the Government risks creating “a sprawling, complex and ineffective set of rules.”
“One of the key issues around the bill is whether it lives up to its goal of ensuring businesses can continue to use their existing international data transfer mechanisms to share personal data overseas,” he explains.
“This is very important to UK businesses, as failure to make it compatible with, for example, GDPR, will mean that companies which deal with EU citizen’s data will have to comply with both sets of legislation – which will significantly increase costs.
“This bill is obviously at a very early stage and there are a lot of areas that still need clarification – not least how it will be adequately enforced. We must remember that, despite its flaws, GDPR has really helped to improve online privacy and increase accountability for businesses.
“The Government is very keen to be seen to be cutting red tape and using ‘common sense’ in its rulemaking, but this must not come at the expense of protecting people online,” concludes Dent.
Data governance
Philip Dutton, CEO and founder of the UK-based data lineage solution Solidatus, argues businesses need to urgently check they have the right processes and controls in place to manage their digital records and meet the incoming data governance requirements
“As the DPDI bill is being introduced by parliament, the pressure is on for organisations to ensure they’re ready,” Dutton comments.
“While the bill aims to update and simplify the UK’s data protection framework to reduce burdens on organisations and maintain high data standards, the onus is still on them to ensure they have a robust data governance strategy in place.
“Bad data governance practices result in poor decision-making and breaking compliance. If organisations don’t have the right capabilities in place to analyse their critical data sets and extrapolate key insights to support decision-making and ensure regulatory compliance, they could be sleepwalking into a data disaster.
“By using technology to manage and visualise your ecosystem, you can rapidly analyse your data sources and data flows to identify negative impacts. This clear mapping is a critical step in identifying data risk and avoiding errors that could disrupt compliance, cause significant fines and damage your reputation.”
