A Closer Look at the Data Protection and Digital Information Bill: What You Need to Know.

Currently passing through Parliament for approval, the Data Protection and Digital Information (No 2) Bill (the Bill) is revised data protection legislation that would largely shift the balance of interests in existing law favourably towards controllers.  Existing law—the UK GDPR and Data Protection Act 2018—is very much based on EU law and this change would depart from the EU GDPR. This article highlights three key changes in those respects.

Automated decision-making

The Bill proposes redefining decisions based solely on automated processing of personal data as decisions with “no meaningful human involvement”. This affords controllers more scope to rely on automated personal data processing. The Bill balances this by affording individuals more explicit safeguards over automated decision-making, including requirements for controllers to provide information about such decisions and enable affected individuals to make representations about such decisions. This departs from current law (and the EU GDPR) by removing the general prohibition on automated decision-making, subject to certain conditions being satisfied.

Appropriate measures

The Bill would change controllers’ current obligation to implement “appropriate technical and organisational measures” to “appropriate measures, including technical and organisational measures”, reflecting the Government’s proposal to make accountability less prescriptive, while being more flexible and outcomes-based. Controllers would, then, implement measures informed by their particular costs, technology, risk tolerances and relevant personal data, aiming to correct what the Government considers a market failure disproportionately limiting competition for small organisations. However, this change is projected to have little practical impact because controllers are still required to make a risk-based assessment and manage this risk. Again, this departs from current UK law and the EU GDPR, which operates “appropriate technical and organisational measures” language.

Senior responsible individuals

The Bill proposes renaming what is currently a “data protection officer” (a “DPO”) to a “senior responsible individual” (an “SRI”), appointed from senior management within public sector bodies and organisations carrying out high-risk personal data processing. The requirement for SRIs to play significant roles in organisations’ decision-making differs from the current condition that a DPO must act independently, so this could lead to conflicts of interest—especially if an organisation is bound by the EU GDPR as well and subject to two different compliance regimes. This change also removes the option for organisations to outsource compliance to an independent DPO.

Conclusion

Whilst these changes may make data processing simpler for controllers in the UK, the shift from EU law principles is likely to bring greater scrutiny from the EU and, if any changes are considered a concern, could complicate data sharing arrangements with EU countries.

Written by Jacob Lewis, Trainee Solicitor.