Spotlight on the Data Protection and Digital Information (No. 2) Bill
Ellie Blore
Data Protection Officer | UK GDPR | Compliance | Cyber Security | Legal | Speaker | Employee Engagement @ Best Companies
I have had a few requests now for my thoughts on version 2 of the Data Protection and Digital Information Bill, so I thought it might be fun to put them down in an article.
A very brief summary of my thoughts:
Firstly, it keeps the GDPR principles and individual rights (with a few additional rules). I think this is quite clever, as it will support the EU adequacy decision we are all keen to retain. However, it removes the specifics on how you demonstrate compliance, so it would be down to each organisation to consider the risk and impact of its processing and adopt proportionate measures.
The removal of the legal requirement for DPOs (sad face), but it creates a new role of Senior Responsible Individual (SRI) with specific tasks listed in the legislation. I am interpreting this as: keep your DPO to manage your company's compliance, but you can no longer play the "the DPO didn't know about the change or gave incorrect advice" card. The SRI has to be a member of the senior management team, so they should know what is going on in the business with regard to change. Potentially this creates an imbalance of power and may lead to internal bias in favour of processing, depending on the company culture, but it does put full responsibility on the board rather than pointing the finger of blame at the DPO.
So this would mean an individual or a team (internal or external) manages the framework and demonstrates compliance.
The UK regulator, the Information Commissioner's Office, becomes the Information Commission, moving to a chair and board rather than a single person of authority. It will get more powers; for example, the Information Commission will be able to require the preparation of a report (at the controller's or processor's expense) when exercising its investigatory powers. Where the Information Commission suspects that a controller or processor is breaching data protection law, it would be able to issue an interview notice, requiring a manager or member of staff to attend an interview to answer questions. Giving a false statement in response to an interview question would be an offence. So all companies would need their SRI to be prepared to respond to assessment notices and interview notices.
In practice, this would mean:
- ensuring that data protection accountability documentation is in place and maintained;
- conducting regular data protection training for all staff members who have data protection responsibilities; and
- fostering strong working relationships with key suppliers involved in personal data processing.
There are also new rules on business data, requiring data holders to provide customer data and business data either directly to an individual at their request or to a person authorised by the individual to receive the data. This covers information relating to the supply or provision of goods, services and digital content by the trader (for example, information about where they are supplied, the terms on which they are supplied or provided, prices or performance). There is quite a bit to this; it reminds me of something similar to the ISO 9001 quality standard, and for a lot of organisations it may require quite a bit of work to fully implement.
Then there is the removal of the Article 27 UK representative requirement. I do struggle to understand the reasoning for this. The representative supports individuals wanting to make data subject requests and lets them engage with an organisation in their own language, and it supports both the international organisation and the UK regulator in the event of a breach. It brings international money into the economy and creates jobs, so I am not sure how its removal saves established UK businesses any money.
A softer GDPR? I really don't think so. The reality is that it could potentially be a lot more work for companies, and they could make the mistake of not having people with the correct skill set.
At the time of writing, the legislation still has quite a way to go: it has only had its first reading, with the second reading provisionally scheduled for 17 April 2023. I imagine it will meet a lot of challenges when it reaches the House of Lords.
It should also be noted that our current government will need to call a general election by January 2025. I suspect it will be called in September/October 2024, as they won't want a winter election, which would have a lower turnout. So there is always the possibility that they won't get it over the line in time and then don't get voted back in. I am not sure the opposition party would want to pick it up as is; they would probably want to put their own stamp on it, if they considered it a priority.
It would be great to hear your thoughts; feel free to get in touch.
Data Protection Officer
Great piece Ellie D., very clear and concise. I agree with your comments regarding the election and personally feel another government will be in before it completes. Thank you for sharing your views and I look forward to reading more.
Information Governance, Data Protection, Information Security, Records Management, Training
It's interesting to speculate what Labour would do if they were to be elected (which is certainly not the slam dunk that some commentators assumed, even before the current attack ad wobbles). I'm not sure they would follow the ORG alliance (for want of a better word for a rather disparate group of protestors) who want this bill to be scrapped, not least as there's the hand of Tufton Street in all of this. I guess we wait for the debate in parliament on legislation that will, as you suggest, run out of parliamentary time! https://www.openrightsgroup.org/app/uploads/2023/03/DPDI-Bill-UK-civil-society-letter.pdf
Group Head of Security and Information Governance
Great summary Eleanor, and somewhat comforting for those who do DP properly. I'm also confused as to the Article 27 removal!
I may have been one of the few people who requested your views on Version 2 of the Data Protection and Digital Information Bill, at least briefly in one of my comments. Very descriptive and to the point. Your comment on the election period also provides a projection for the possible changes in the positions after the enactment of the bill. I always benefit from your views and appreciate you sharing them. Thank you very much.
FCA, GDPR and ISO 27001 Compliance Support
Great piece Eleanor Dowsett, thanks. Charlie Harvey GDPR-P, C-DPO