The UK Government recently released the Data Protection and Digital Information (No. 2) Bill on March 8, 2023. This updated version aims to reform the current data protection framework in the UK and is part of a broader package of legislative change designed to maximize the benefits of Brexit. The previous version was published in July 2022 but was put on hold by then-Prime Minister Liz Truss last September.
The original draft of the bill aimed to incorporate the UK’s GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 to promote innovation, reduce compliance burdens for businesses, and maintain the UK’s proper status under the EU General Data Protection Regulation. The proposed amendments included changes related to legal basis, data subject access requests, accountability, international data transfers, and cookies.
Key changes in the revised UK Data Protection and Digital Information (No. 2) Bill:
- Definition of scientific research: The new bill retained the proposed definition of scientific research from the previous version but added further clarifications. The new definition includes scientific research for “transported commercial or non-commercial activities.”
- Recognized legitimate interests: The revised bill maintains the concept of “authorized legitimate interests” introduced in the previous version. This means that processing activities are automatically deemed to satisfy the balancing of legitimate interests test, providing greater certainty to controllers intending to rely on this legal basis. The new bill also confirms that legitimate commercial activity can be a legitimate interest.
- Record of processing: The revised bill removes the exception to the recording of processing requirements for organizations employing fewer than 250 employees. The recording of processing now applies to activities that may pose a high risk to the rights and freedoms of the data subject. The new bill also requires the Information Commissioner to publish a document containing examples of the types of processing that may pose a high risk to individuals.
- Automated decision-making: The revised bill expands on the previous version’s regulation of automated decision-making. It adds a provision that the Secretary of State may, by regulation, prescribe whether there is meaningful human involvement in decision-making.
- International data transfer: The new bill allows transfer mechanisms entered into before the bill’s entry into force to remain valid and allows companies to use existing international data transfer mechanisms to transfer data already transferred to third countries.
The revised bill will now go through the legislative process and start its “second reading” in the House of Commons. The date for the second reading has not yet been announced.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com