Data Protection and Digital Information Bill

Author: Niamh Libonatti-Roche
Date: 1st December 2023

While the DPA 2018 retains the GDPR in UK law, the Data Protection and Digital Information Bill (DPDI), due to be introduced in Spring 2024, will introduce radical changes to the privacy and data protection regime in the UK. Despite this, it will keep:

  • The fundamental obligations imposed by the GDPR
  • The structure of the GDPR
  • The GDPR principles

This Briefing Note details the key changes made by the DPDI to the UK privacy and data protection regime and places them in context for businesses.

The DPDI allows companies to rely on legitimate interests without conducting a balancing test against the rights and freedoms of data subjects where processing is for the purpose of:

  • national security, defence and crime prevention
  • emergencies and safeguarding
  • democratic engagement

It also provides a non-exhaustive list of possible situations where, following a balancing test, processing based on a legitimate interest is allowed. These include processing for the purpose of:

  • direct marketing
  • intra-group transmission of personal data for internal administrative purposes
  • ensuring the security of network and information systems

The DPDI increases the scope for businesses to process personal data by increasing the scope of the definition of pseudonymised data.

The DPDI2 will massively reduce the burden on businesses to keep “records of processing”, as under the new bill:

  • Controllers/processors are exempt from the duty to keep records of processing unless they are carrying out high risk processing activities.
  • Where processing is “high-risk” the requirements of the record will be reduced in scope.

The DPDI will give companies more flexibility in implementing technical and organisational measures. Following the DPDI’s introduction businesses will have more freedom to decide:

  • What kinds of protection they put around personal data
  • Which situations require high level technical and organisational controls
  • What appropriate controls are, when weighed against business needs.

The DPDI does away with the ICO’s six detailed ‘steps’ to completing DPIAs. Instead, companies will only be expected to complete DPIAs where there is high-risk processing. For high-risk processing, companies must undertake an ‘Assessment of High-Risk Processing’ that briefly considers:

  • the grounds for processing
  • the purpose of processing
  • the risks to data subjects
  • all risk mitigations in place

As such, companies that undertake high-risk processing should begin developing alternative policies, procedures and tools adapted to the scope of the new ‘Assessment of High-Risk Processing’ ahead of its introduction.

The DPDI will enable companies to refuse Data Subject Access Requests where they can prove that they are “vexatious or excessive” or that the Data Subject submitted them purely to burden or gain advantage over a data controller. However, a failure to respond to legitimate requests is:

  • still a breach of Data Subject Rights
  • subject to a new Data Subject right to complain to you, before complaining to the ICO
  • punishable by notices and fines

It is advisable for businesses to remain vigilant in responding to requests and to implement further policies and procedures that enable data subjects to exercise their “right to complain” and their other data subject rights fully.

The DPDI will:

  • Remove the need for commercial and non-commercial organisations to gain explicit data subject consent for direct marketing if they have obtained contact details from an individual expressing interest (the “soft opt-in”).
  • Obligate electronic communications networks to notify the ICO of any person breaking the direct marketing rules.
  • Allow companies to place cookies on web users’ computers or software without consent if they are for statistical or functional purposes.

The DPDI amends Article 22 UK GDPR so that it applies to automated processing only where this is undertaken without “meaningful human involvement”:

  • Profiling, in general, will be considered to lack the necessary “meaningful human involvement”.
  • What counts as “meaningful human involvement” is not defined by the Bill. This may be clarified in case law.

Because of these changes, companies will have a broader ability to use AI and undertake automated decision-making so long as they can evidence some “meaningful human involvement”.

The DPDI2 sets a new test for assessing adequacy:

  • “the standard of protection for the general processing of personal data in that country or international organisation is not materially lower than the standard of protection under the UK GDPR and relevant parts of the DPA 2018.”
  • Alternative transfer mechanisms agreed before enactment between parties will continue to be a valid basis for data transfers. The UK’s existing transfer safeguards will remain in force.

The DPDI proposes an increase to fines for breaches of PECR to £17.5 million or 4% of annual turnover.

The DPDI is due to eliminate the need for international controllers, who process UK data, to appoint a UK representative.

The DPDI requires companies to designate a “senior responsible individual” (SRI) to be responsible for data protection risks within their organisation where:

  • The controller or processor is a public body
  • They are carrying out processing that is likely to result in a high risk to individuals

High risk processing includes where the organisation is:

  • Processing special category data on a large scale
  • Using innovative technologies, such as artificial intelligence, to process large volumes of personal data

Organisations will not need to appoint an SRI if their processing activities are low risk.

The DPDI2 sets up a reform of the ICO’s governance structure, duties, enforcement powers, reporting requirements, data protection complaints processes and its development of statutory codes of practice.

The DPDI2 has broadened the definition of scientific research:

“processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”

This new definition allows research data to be used for commercial purposes.

If you would like to get your business ready for the introduction of the Data Protection and Digital Information Act in Spring 2024 and maximise the benefits that this change of legislation offers, or if you would like to know more about the DPDI or need help achieving best practice in AI, privacy or information security in your business, please get in touch.

This document is intended to be read for reference only.

It is not intended as legal advice and should not be acted on as if it is.
