View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Government Computing
March 8, 2023updated 17 Mar 2023 8:35am

Government launches new version of UK’s post-Brexit GDPR replacement

After months of delay, the government has revised its new data regime, and says it could save businesses up to £4.7bn in the next decade.

By Matthew Gooding

A revised version of the Data Protection and Digital Information Bill – the UK’s post-Brexit replacement for Europe’s GDPR data regime – will be introduced to parliament today. The government says it has co-designed the latest version of the bill with businesses, and that it could save organisations in Britain £4.7bn over ten years.

Secretary of State for Science, Innovation and Technology Michelle Donelan says new data laws will save businesses time and money. (Photo by Carl Court/Getty Images)

The bill was first introduced last Summer and paused in September so “ministers could engage in a co-design process with business leaders and data experts”, a statement from the newly created Department for Science, Innovation and Technology (DSIT) said.

In October, Tech Monitor broke the news that further consultation on the legislation would be taking place, and the government says the amendments will ensure the new laws build on “the UK’s high standards for data protection and privacy, and seeks to ensure data adequacy”, while moving away from what it describes as the “one-size-fits-all” approach of GDPR.

Data Protection and Digital Information Bill may save businesses billions

Details of the bill are published alongside an impact assessment, which says businesses could save up to £4.7bn thanks to the new laws. The government had previously estimated savings of £1bn over the same time period were likely.

Digital secretary Michelle Donelan said: “Co-designed with business from the start, this new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs.

“Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR.”

“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next-generation technologies, create jobs and boost our economy.”

Content from our partners
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester
Infosecurity Europe 2024: Rethink the power of infosecurity

What’s changed in the Data Protection and Digital Information Bill?

The full text of the bill has yet to be published, but DSIT says the new version removes the stipulation, imposed as part of GDPR, for all businesses to keep data processing records. This requirement will now only apply to companies deemed to be engaging in “high risk” activities, such as working with health data. It will also detail circumstances where personal data can be processed without the subject’s consent for “certain public interest activities” around law enforcement and protecting vulnerable people.

The legislation also features an updated definition of scientific research, which clarifies that commercial organisations will benefit from the same freedoms as academics to carry out innovative scientific research, such as making it easier to reuse data for research purposes. “This will reduce paperwork and legal costs for researchers, and will encourage more scientific research in the commercial sector,” the department says.

It also tackles AI systems and their role in decision-making, giving citizens the right to appeal against any automated decision, and have a human review their case.

Will new data laws impact international agreements such as EU data adequacy?

The government says the new laws are compatible with GDPR and other data regimes around the world, meaning all international data transfer agreements will remain in place once the Data Protection and Digital Information Bill comes into effect. The UK has a “data adequacy” agreement with the EU which was signed in the wake of the Brexit deal, but the EU retains the right to revoke the agreement if it feels UK data protection standards have dipped.

“The UK is committed to maintaining high data protection standards and continuing the free flow of personal data between like-minded countries, which power services such as GPS navigation, smart home technology and content streaming services,” the DSIT statement said.

“The updated Bill ensures businesses can continue to use their existing international data transfer mechanisms to share personal data overseas if they are already compliant with current UK data laws. This will ensure British businesses do not need to pay more costs or complete new checks to show they’re compliant with the updated rules.”

Revisions to the bill have been put together in consultation with organisations including tech vendor trade body techUK. Julian David, techUK CEO, said: “TechUK welcomes the new, targeted package of reforms to the UK’s data protection laws, which builds on ambitions to bring organisations clarity and flexibility when using personal data.”

“The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services and develop new technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU.”

Read more: This is how GPT-4 will be regulated

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.