How will businesses save money via the UK’s GDPR equivalent?
Now into its second reading in the House of Commons, the new Data Protection and Digital Information Bill (the “Data Reform Bill”) aims to reduce organisations’ data protection compliance costs.
Rhiannon Hastings, paralegal in our commercial team, summarises the new bill and how this will enable organisations to save money.
Background
Michelle Donelan, technology secretary, explained the new Data Reform Bill will stand as the UK’s version of the EU’s GDPR.
The government anticipates the Data Reform Bill will save the UK economy over £4.7bn across the next 10 years while maintaining the importance of privacy and data protection and upholding its internationally recognised data protection standards.
Reducing ‘pointless’ paperwork
The Data Reform Bill will reduce the amount of paperwork that organisations need to complete to demonstrate their compliance with UK data protection legislation.
This includes removing the requirement to undertake a data protection impact assessment, albeit organisations will still be required to identify and manage risks; and eliminating the need to prepare a record of processing activities (i.e. a document mapping out the organisation’s processing).
However, organisations must maintain a ‘personal data inventory’ that describes what and where personal data is held, why it has been collected and how sensitive it is.
Reducing paperwork, and subsequent legal costs, will enable organisations to reuse personal data for research purposes without being limited by current UK data protection legislation.
This will also allow organisations to focus on managing internal data protection practices without having to demonstrate compliance regularly.
Organisations carrying out “high risk” processing (i.e. organisations processing large volumes of sensitive data about people’s health) will still need to maintain records of processing activities.
For more information on records of processing activities, please visit the ICO website.
Removing restrictions to increase international trade
The Data Reform Bill ensures businesses can continue to share personal data overseas using the international data transfer mechanisms they have in place before the Bill is approved.
Otherwise, the Bill introduces a new data protection test to be conducted prior to international transfers.
Fewer website cookie pop-ups
UK data protection legislation requires organisations to obtain and maintain ‘valid consent’.
However, where cookies collect information for statistical purposes (to make improvements to the website and services), obtaining consent will not be required if the website user has clear and comprehensive information about the cookies’ purpose (such as providing a cookie policy).
Personal data collected using cookies must not be shared with other organisations, except to assist that organisation with making improvements to its website or service.
Additional changes
In addition to the above, the Data Reform Bill will:
- Provide guidance on the use of AI technologies and the safeguards to be applied
- Establish a framework for the use of digital verification services
- Create a statutory board with a chair and chief executive for the Information Commissioner’s Office (“ICO”)
- Make provision for commercial organisations to benefit from the same freedoms as academics to conduct scientific research.
ICO’s review of the Data Reform Bill
John Edwards, UK Information Commissioner, said: “I welcome the reintroduction of the Data Protection and Digital Information Bill and support its ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights.
“Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society.”
More information
Further information about how your organisation can reduce its administrative costs and time is available via the government’s website.
For more information on how the Data Reform Bill may affect your organisation’s data protection practices, or for support with general advice or reviewing/drafting records of processing activities and cookie policies from our data protection team, get in touch with Rhiannon directly using [email protected] or 0191 211 7891.
The Data Reform Bill aims to:
- Reduce the costs and burdens on organisations and charities
- Remove complex restrictions in data processing for international trade
- Lessen the number of repetitive website cookie pop-ups.
First introduced to the House of Commons on 18 July 2022, this bill was withdrawn on 8 March 2023. It was replaced with The Data Protection and Digital Information Bill (No. 2) on the same date.