Data Protection and Digital Information (No. 2) Bill

14th March 2023


On 8 March 2023, the UK Government introduced the Data Protection and Digital Information (No. 2) Bill for its first reading.  This long-awaited Bill is intended to “update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards”.

Key proposed changes of note to SMEs are as follows:

  1. Legitimate interests: the Bill includes examples of processing that may be necessary for the purposes of legitimate interests, including processing for the purposes of direct marketing, intragroup transmission of personal data where necessary for internal administrative purposes, and processing necessary for ensuring the security of network and information systems.
  2. Ability to refuse or charge for “vexatious or excessive” data subject requests: the threshold beyond which businesses may refuse to respond to, or charge a reasonable fee for responding to, data subject requests has been reduced from the current “manifestly unfounded or excessive” standard to a “vexatious or excessive” standard. The Bill gives examples of requests that may be considered vexatious, including those that are intended to cause distress, are not made in good faith, or are an abuse of process.
  3. UK representative: the requirement for a business that processes personal data of UK residents, but is not established in the UK, to appoint a UK representative has been removed.
  4. Removal of requirement to appoint a data protection officer: this obligation has been replaced with a requirement to designate a “senior responsible individual”, who must be part of the business’s senior management team – i.e. a person who plays a significant role in the decision making of the organisation.
  5. Abolition of the requirement to keep records of processing activities: this has been replaced with a requirement, applicable only to those organisations who carry out high-risk processing activities, to maintain an appropriate record of processing of personal data carried out by them.
  6. Cookies: consent will not be required for the placing of cookies (or similar technologies) on a user’s device if those cookies are solely for the purpose of either:

(a) collecting statistical information about how a website is used, with a view to making improvements to the website; or

(b) allowing a user to adapt a website to their appearance or functional preferences.

Individuals should still, however, have the ability to opt out of these cookies being placed.

  7. Increased penalties for breach of PECR: fines for breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 have been increased from the current maximum of £500,000 and brought in line with GDPR-level fines. This means that, for the most serious breaches, fines may be up to the greater of £17.5 million or 4% of global turnover.

The Bill still has some way to go before being passed as law, and commentators remain concerned that the UK’s divergence from EU data protection regulation could cause future difficulties for the free flow of personal data between the UK and the EU.

Whilst the changes proposed by the Bill would reduce some red tape for some businesses operating in the UK, it remains to be seen how the law will be enforced in practice and what expectations the new regulator will have, particularly given that the key principles of current data protection law (including the requirement to be able to demonstrate compliance) remain unamended.

If you require any advice in respect of your business’s data protection obligations, please contact Kuits’ Data Protection Team on 0161 832 3434.
