The Data Protection and Digital Information No. 2 (DPDI) bill proposes new changes to those made by the EU’s GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations that aim to empower consumers while still encouraging competition and innovation in the market.
The new legislation will particularly benefit fintech SMEs, start-ups, and researchers who will no longer have to maintain the balancing act of driving innovation and profit while also ensuring the highest data protection standards are met. This shift has the potential to turbocharge efforts toward leveraging new and evolving digital technologies, and ultimately support an improved digital economy.
Delayed by the withdrawal of the Bill’s predecessor and PM turnover in October last year, the new DPDI was brought before Parliament on March 8th, 2023 by the Department for Science, Innovation, and Technology (DSIT) and is now in the reporting stage in the House of Commons.
Seen by some as a golden post-Brexit opportunity to carve out the UK’s own tailor-made data rights programme, and a favouring of ‘big business’ over consumers by others, what exactly does DPDI propose?
Reducing the burden on businesses
DPDI’s proposed changes to existing UK data infrastructure such as GDPR centre largely on making it easier for businesses to understand and implement data protection legislation.
Secretary of State for Science, Innovation and Technology Michelle Donelan says that the Bill will “release British businesses from unnecessary red tape,” especially those who have been disproportionately affected by the ‘one size fits all’ approach to data like SMEs and researchers.
DPDI aims to:
- Reduce compliance costs and compliance demonstration (paperwork, etc.) costs
- Enable businesses to continue using their existing cross-border transfer methods if they are already compliant
- Encourage confidence among businesses about when/how they can process and use personal data without consent
- Increase public and business confidence in AI
The Bill will not require businesses that are already compliant with GDPR to make any changes but rather support those who are still struggling to implement changes five years after GDPR’s enactment.
Introducing new concepts
To ensure that the UK’s data rights framework keeps up with the fast-evolving digital landscape, DPDI also introduces a few concepts that do not currently exist under the likes of GDPR.
- Digital Identity: The Bill proposes new regulations for the use of ‘digital verification services’ with a “DVS trust framework” and “DVS register” to be developed by the Secretary of State. Individuals would apply to receive a re-usable digital identity that could then be shared with any necessary organisations.
- Smart Data: To create a wider open data economy, a smart data scheme in consumer markets would allow a customer to require a ‘data holder’ to safely share certain data with that customer or a chosen third party. It is not unlike open banking, for example.
- AI: DPDI also seeks to redefine automated decision-making to include those that are done ‘without meaningful human involvement’ such as AI. The current GDPR only references human involvement.
Of course, as with any sweeping framework changes, there are criticisms of the DPDI Bill.
General changes are being proposed around the definitions of personal data, records of processing, data subject rights, cookie consent exemptions, and more that are making some consumer nervous about how their data will be used under the new framework.
Abigail Burke, the policy manager for data protection at Open Rights Group told The Guardian earlier this year that she felt “it reduces some of the safeguards and the mechanisms that you have to make complaints, or try to challenge decisions that you think are unfair.”
- SARs: There are some fears around how the bill’s proposed changes to subject access requests (SARs) will change individuals’ control over and access to their data. SARs allow consumers to ask an organisation for copies of any personal information it holds about them. The DPDI Bill proposes changes to the threshold for when an organisation can reject a request or charge a fee, making it easier to do so at their discretion.
- ICO: Greater and more generalised power of discretion is proposed to be granted to the secretary of state when it comes to how the Information Commissioner’s Office collects and uses data without parliamentary oversight.
- Surveillance: While Secretary Donelan asserts that the new framework will improve the efficiency of data protection for law enforcement and national security partners, consumers are wary as to what this could entail. The Bill’s now looser definition of when/how data is collected and reused by the UK government has drawn some comparisons to the 2001 US Patriot Act, a long-criticised piece of legislation that some argue irreparably weakened citizen privacy expectations in favour of ‘national security’ and ‘crime prevention purposes.’
The UK’s new Data Protection and Digital Information No. 2 (DPDI) Bill aims to support the country’s businesses as they race to respond to the rapidly transforming digital landscape.
It may also entice international investment from businesses looking for the increased flexibility and lower cost of implementing a data protection alternative to GDPR. According to Donelan, the new laws could be expected to save as much as £4.7bn for the UK economy.
DPDI’s initiatives are geared toward improving the trust and confidence in the use of personal data for both businesses and consumers alike. The hope is that with further clarity afforded to businesses around their obligations, consumers will feel more confident about how and when their data is used.
We were the first communications agency to focus on fintech.
We’ve been building fintech reputations for 20 years, steering start-ups through launch, growth, and onto corporate action while protecting and enhancing established infrastructures.
For intelligent, informed and connected fintech PR which delivers results and value, let us help build your reputation and tell your story.