A revised version of the Data Protection and Digital Information Bill – the UK’s post-Brexit replacement for Europe’s GDPR data regime – will be introduced to parliament today. The government says it has co-designed the latest version of the bill with businesses, and that it could save organisations in Britain £4.7bn over ten years.
The bill was first introduced last Summer and paused in September so “ministers could engage in a co-design process with business leaders and data experts”, a statement from the newly created Department for Science, Innovation and Technology (DSIT) said.
In October, Tech Monitor broke the news that further consultation on the legislation would be taking place, and the government says the amendments will ensure the new laws build on “the UK’s high standards for data protection and privacy, and seeks to ensure data adequacy”, while moving away from what it describes as the “one-size-fits-all” approach of GDPR.
Data Protection and Digital Information Bill may save businesses billions
Details of the bill are published alongside an impact assessment, which says businesses could save up to £4.7bn thanks to the new laws. The government had previously estimated savings of £1bn over the same time period were likely.
Digital secretary Michelle Donelan said: “Co-designed with business from the start, this new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs.
“Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR.”
“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next-generation technologies, create jobs and boost our economy.”
What’s changed in the Data Protection and Digital Information Bill?
The full text of the bill has yet to be published, but DSIT says the new version removes the stipulation, imposed as part of GDPR, for all businesses to keep data processing records. This requirement will now only apply to companies deemed to be engaging in “high risk” activities, such as working with health data. It will also detail circumstances where personal data can be processed without the subject’s consent for “certain public interest activities” around law enforcement and protecting vulnerable people.
The legislation also features an updated definition of scientific research, which clarifies that commercial organisations will benefit from the same freedoms as academics to carry out innovative scientific research, such as making it easier to reuse data for research purposes. “This will reduce paperwork and legal costs for researchers, and will encourage more scientific research in the commercial sector,” the department says.
It also tackles AI systems and their role in decision-making, giving citizens the right to appeal against any automated decision, and have a human review their case.
Will new data laws impact international agreements such as EU data adequacy?
The government says the new laws are compatible with GDPR and other data regimes around the world, meaning all international data transfer agreements will remain in place once the Data Protection and Digital Information Bill comes into effect. The UK has a “data adequacy” agreement with the EU which was signed in the wake of the Brexit deal, but the EU retains the right to revoke the agreement if it feels UK data protection standards have dipped.
“The UK is committed to maintaining high data protection standards and continuing the free flow of personal data between like-minded countries, which power services such as GPS navigation, smart home technology and content streaming services,” the DSIT statement said.
“The updated Bill ensures businesses can continue to use their existing international data transfer mechanisms to share personal data overseas if they are already compliant with current UK data laws. This will ensure British businesses do not need to pay more costs or complete new checks to show they’re compliant with the updated rules.”
Revisions to the bill have been put together in consultation with organisations including tech vendor trade body techUK. Julian David, techUK CEO, said: “TechUK welcomes the new, targeted package of reforms to the UK’s data protection laws, which builds on ambitions to bring organisations clarity and flexibility when using personal data.”
“The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services and develop new technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU.”