Skip to content
Freeths - Law firm
GDPR software graphic with padlocks
Articles IT & Data 17th Mar 2023

Back to the Future – UK Government publishes new Data Protection and Digital Information Bill

After a stuttering start to its legislative existence, the Data Protection and Digital Information Bill (No.2) (the “Bill”) has been introduced to the UK Parliament by Michelle Donelan, the Secretary of State for Science, Innovation and Technology.

The UK government’s intention is that the Data Protection and Digital Information Bill will provide a “simple, clear and business-friendly framework that will not be difficult or costly to implement”. As an example of this, the Bill would do away with the need for organisations to keep records of data processing, unless that processing is “high risk”.

Whilst UK business will welcome the potential reduction in paperwork, the business community remains concerned that the UK should remain an “adequate” country to receive frictionless transfers from the EU. To this end, the Bill is intended to retain enough GDPR elements to ensure that UK data laws are essentially equivalent to those in the EU. The hope is that the UK will therefore remain on the EU “whitelist” for international data transfers.

Data professionals are currently poring over the 200-plus pages of provisions in the Bill and their potential implications. In the meantime, here is a quick summary of what the Data Protection and Digital Information Bill proposes:

  • Changes that facilitate scientific research
    The Bill amends the concept of consent so that it can include scientific research purposes that were not fully identified when the original consent was sought from the data subject.
  • Changes that simplify legitimate interests as a basis for processing data
    The Bill introduces a list of “recognised legitimate interests”. Organisations that can rely on these recognised legitimate interests would not then have to conduct and record a balancing test before they can rely on the relevant legitimate interest.
  • An increase in fines for direct marketing
    The maximum fine for direct marketing would be increased considerably, from the current £500,000 to £17.5 million or 4% of global annual turnover (whichever is higher), with the government intending to crack down on nuisance calls and texts in particular.
  • Goodbye “DPO”, hello “SRI”
    The role of the Data Protection Officer will be replaced with that of the Senior Responsible Individual (“SRI”). Organisations will only need to appoint a SRI where they are a public authority or otherwise are engaged in high-risk processing. As the name implies, the SRI must be a senior person in the organisation but can carry out this role in addition to other functions (as is currently the case with many DPOs).
  • Continuity on international data flows
    Organisations that transfer data outside the UK will be relieved that the Bill does not significantly change the status quo in this area. Where an organisation has implemented mechanisms to safeguard data, those mechanisms would remain valid after the Bill becomes law.
  • Cookies rules to be relaxed
    As part of the drive to cut “red tape”, the Bill relaxes the currently strict rules around website cookies. A website operator would be able to place certain types of statistical, security and location cookies without the need for obtaining the current “pop-up” consents.
  • Reform to the UK Information Commissioner’s Office
    The Bill would abolish the UK Information Commissioner’s Office (“UK ICO”) in its current form and create a new “Information Commission” in its place. The Information Commission will assume the responsibilities of the UK ICO.

For its part, the UK ICO has welcomed the re-introduction of the Bill, saying that it supports the Bill’s ambition to enable UK organisations to grow and to innovate whilst maintaining high standards of protection for the data rights of individuals.

The Bill is in the early stages of its legislative development and must clear several more hurdles before it enters force. There remains scope for the Bill to be amended before it becomes law.

It remains to be seen whether the Data Protection and Digital Information Bill achieves the government’s goal of saving £4.7billion for British business over the next 10 years. We shall continue to monitor the Bill’s progress and will provide further comments as it makes its way towards gaining Royal Assent.

If you have any questions about the new Data Protection and Digital Information Bill, or any other data queries, please contact Luke Dixon or Will Richmond-Coggan in our Data and Information Team.

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.

Client service

‘Doing the right thing’ is at the heart of Freeths. Find out more about our excellent client service and the strong set of values that guide the way we work.

Our values


Talk to us

Freeths are a leading national law firm with 13 offices across the UK. If you have a query about our services or just want to find out more, why not give us a call?

Contact: 03301 001 014

Choose an office:

Portfolio close
People CV Email

Remove All

Click here to email this list of people to a colleague.