Last week, the UK government’s Data Protection and Digital Information Bill was introduced to parliament.

Initially put forward in September 2022, its progress was paused “so ministers could engage in a co-design process with business leaders and data experts” – although the timing also coincided with a change in government and Liz Truss becoming prime minister.

The reinvigorated bill will amend current regulations to, in the government’s words, create “a new common-sense-led UK version of the EU’s GDPR”. The government claims the new law will “take the best elements of GDPR” while providing businesses and charities with more flexibility about how they comply with new data laws.

It is hoped that the legislation will save the UK economy £4 billion over the next 10 years by reducing regulatory red tape and boosting international trade through the removal of barriers under existing legislation.

For consumers, it will also seek to curb those cookie pop-ups which have become so ubiquitous in a post-GDPR world.

The language used in announcing the bill is a clear indication of the UK government’s desire to position the UK as a dynamic, commercially focused place to do business post-Brexit.

On the surface, it does appear that the legislation will create a simpler and more streamlined landscape for businesses through lighter-touch regulation. The proposed changes include:

  • Slimmed-down assessment requirements for high-risk data processing activities
  • Increased flexibility for the government to assess the adequacy of third countries and international organisations for the purpose of international transfers
  • The removal of the requirement for organisations without a UK establishment, but which offer services to UK data subjects, to designate a UK representative
  • A new legal framework and registration system for providers of digital verification services
  • More flexibility for websites to use cookies without user consent
  • New explicit lawful grounds for processing (under the ‘legitimate interests’ umbrella) where this is necessary for the purposes of direct marketing, transferring personal data between group companies, or ensuring the security of network and information systems
  • The abolition of the UK Information Commissioner and the creation of a new “Information Commission”, adopting a board structure
  • The replacement of the role of data protection officer with “senior responsible individual”

Of course, for international businesses, these changes will only be of benefit if they are still able to seamlessly transfer data between the UK and the EU. For that reason, ensuring that the new law meets EU standards of adequacy is key. The UK currently benefits from an adequacy decision in relation to its existing law (the Data Protection Act 2018), which closely aligns with the EU GDPR. That adequacy decision is due to be reviewed in June 2025.

The UK government has expressed confidence that its new regime with “comprehensive data protection standards” will still meet EU standards of adequacy, though this will be a matter for the European Commission to determine.

Furthermore, while a streamlined and flexible UK regulatory approach will likely benefit businesses focussed on the UK market, this could present a challenge to those which also operate in the EU where more prescriptive controls remain in place.

Such businesses may be faced with the choice of shaping their compliance practices around two distinct regulatory regimes or adopting what is perceived to be the ‘gold standard’ (likely the EU GDPR), potentially reducing the impact of the UK legislation.
