In an expert interview, Ben Daley-Gage dissects the complexities of UK's Data Protection Bill, highlighting elements affecting your business, including data transfers, ePrivacy, and accountability changes. Ben not only forecasts implementation odds but also alleviates concerns for UK and EU businesses.
The new Data Protection and Digital Information (no. 2) Bill (short: DPDI No.2) in the UK holds the key to striking a delicate balance between promoting innovation and safeguarding individual privacy in an increasingly data-driven world.
Soma Ashty, Product Marketing Manager at DataGuard, interviewed Ben Daley-Gage - Data Protection and Privacy Consultant at DataGuard and Advisory Board Member of the International Association of Privacy Professionals (IAPP) – about the potential changes of the bill that UK businesses should keep in consideration.
Why is the UK Data Protection Bill relevant and what's the impact on data protection standards?
Soma: Ben, thank you for joining us today. Let's start by addressing the relevance of DPDI No.2. Can you provide some background on what's happening, and why this bill is important?
Ben Daley-Gage: Sure! Currently of course, post-Brexit data protection in the UK is driven by the UK GDPR (still a close reflection of the EU GDPR) and the Data Protection Act 2018.
The new DPDI Bill proposes a number of changes which would start to move the UK into a different stance on some key definitions, such as what is defined as personal data and how we process and manage it, even dealing with data rights, governance and taking overall direct responsibility.
In simple terms, I believe the aim is to find a solution that maintains and promotes equally high levels of data protection, yet at the same time makes the management of this more accessible and approachable in line with current business practices and approach - modernisation if you like.
Soma: Now, could you shed light on the impact of this bill? Which areas of privacy are likely to be affected by the proposed changes?
Ben Daley-Gage: The bill has several significant impacts. One key area is international data transfers. The bill aims to streamline this process by introducing adjustments to how data transfers are managed. It allows organisations more opportunity to self-assess if the data protection standards in the destination country align with those in the UK; this remains an area of particular discussion and interest at the moment.
The bill also introduces changes to ePrivacy, affecting cookie consent requirements and email marketing rules. Additionally, there are modifications in accountability and impact assessments. This includes changes in records of processing activities (RoPAs) and a rebranding of data protection impact assessments (DPIAs) for high-risk processing.
What does ePrivacy mean? ePrivacy is a directive focusing on electronic communication, cookies, and trackers. It complements the UK GDPR by safeguarding communication confidentiality, limiting tracking, and reducing spam.
What falls under high-risk processing? The use of innovative technologies (Artificial intelligence, machine learning, facial recognition, biometrics) as well as Profiling and Tracking (predictions, behaviour analysis, online monitoring)
What actions businesses should take
Soma: Considering these changes, what actions should businesses be prepared to take?
Ben Daley-Gage: Businesses need to be proactive in understanding and adapting to these changes.
- For international data transfers, it's crucial to familiarise themselves with the new data protection test and the factors considered for assessment to be ready for any changes in requirements should they fall into place.
- For ePrivacy, businesses should ensure that they understand the exemptions and changes in email marketing rules.
- Regarding accountability and impact assessments, businesses engaged in high volume or high-risk processing, including processing Special Category data, should make sure they assess or re-assess their processes to ensure they drop in line with the new requirements - although of course this should be a regular assessment any business undertakes already.
Soma: Thank you for those insights. Could you provide an expert analysis of the bill? How does it align with previous proposals, and what key points should stakeholders be aware of?
Ben Daley-Gage: The bill closely resembles abandoned 2022 proposals, emphasising changes to personal data definitions, processing rules, data rights, governance, and accountability.
It emphasises research purposes, modifies record-keeping obligations, and potentially supports a shift for some responsibilities from data protection officers (DPOs) to Senior Responsible Individuals (SRI) for smaller businesses. The government's goal is to balance innovation with data protection.
Watch the webinar: The evolving DPO role in the UK
Outlook and how to stay up to date
Soma: It's interesting to see the balance the government aims to achieve. Could you also share some critiques or concerns that have been raised about the bill?
Ben Daley-Gage: While the bill strives for innovation and simplification, there are concerns about the role of the Secretary of State in approving Codes of Practice. Some worry that this could lead to an institutional bias in favour of data controllers, potentially undermining the interests of data subjects. This aspect deserves careful consideration as the bill progresses through Parliament.
Soma: Thank you, Ben, for your valuable insights. Can you also provide an outlook on the next steps for businesses?
Ben Daley-Gage: You're welcome. The bill is currently undergoing the legislative process and is expected to be released in 2024. Meanwhile, I advise everyone to stay informed and engage in discussions around data protection. There is still a way to go yet before this becomes law.
Moreover, if you're uncertain about how it might impact your business, whether operating in the UK or EU, getting in touch with your Data Protection Officer (DPO) is always a wise move.
Curious about the impact of the Data Protection Bill on your business? Get in touch with our in-house experts today to receive guidance on the key steps needed to adapt to these changes.
