After a long wait, on 8 March the UK government finally introduced the Data Protection and Digital Information (DPDI) Bill II into parliament for its first reading. The new legislation enhances and replaces the reforms originally proposed to the UK GDPR by the first DPDI Bill, published last summer.
That first bill faced a difficult task: balancing reforms which could promote data-driven innovation while supporting good data flows with partners such as the EU, withstanding scrutiny from a UK-based independent regulator, and maintaining a high standard of data protection rights. Although the original bill captured this balance reasonably well, techUK and other business groups across the UK had urged the government to take a more ambitious and bolder approach to reform – not least to address the barriers organisations face when trying to innovate with data and deliver basic business services.
That is what DPDI II is trying to deliver. Through informal consultation with a range of stakeholders, including techUK, the UK government has set out five key areas they have targeted for further reform: legitimate interests, scientific research, reducing compliance for low-risk processing, international transfers, and automated decision-making.
The introduced changes point to a welcome understanding from government on the opportunities the DPDI Bill presents the UK and businesses across the country. Reforming the UK GDPR, which has often complicated processes for businesses and individuals alike, is also an opportunity for Whitehall to address the biggest challenges organisations face when handling personal data.
Making the new data protection regulations work
Even so, there are still outstanding questions on how some reforms will work in practice. While an opt-out model for cookie consent and new obligations around tracking and reporting unwanted calls will be a relief for people bombarded day in, day out by telephone marketers or worse, it is yet to be clarified how tech businesses will need to work with government in order to make sure these provisions become a workable reality.
The real test of the bill’s importance and resilience will be whether it can survive scrutiny from both houses of parliament during its passage to royal assent. In this process, it’s vital for parliamentarians to consider that, unlike legislative files such as the Online Safety Bill – where implementation of the regime will start from scratch – the privileges of the DPDI Bill II can be leveraged as soon as the bill commences, as all companies using personal data will already be UK GDPR-compliant.
This means the sooner the bill is passed, the sooner organisations of all sizes can take advantage of the new proposals which enable them to leverage data to solve challenges like advancing medical research, clamping down on fraud and increasing productivity by delivering basic business services with ease. With that said, we’re one step closer to getting the bill over the line than before. Considering its complexity and political sensitivity, it’s a milestone worth celebrating.