As the DPDI Bill completes its passage through Parliament, techUK sets out the key benefits of the Bill as well as areas for improvement.
The Data Protection and Digital Information (DPDI) Bill is an important evolution of the UK's data protection framework.
The Bill strikes a delicate balance between reform and upholding high data protection standards. It is designed to make the UK's data protection regime clearer and easier to comply with for low-risk scenarios, to support data-driven research and innovation, and to provide clarity to organisations on how they can process data for clear public interest reasons, such as crime prevention, safeguarding, and helping the Government and public services respond to serious incidents.
These reforms will clarify and enhance the flexibility of the UK's data protection system, benefitting researchers, innovators, and smaller companies as well as citizens and public authorities.
It will also empower citizens through the establishment of the Digital ID Trust Framework, which will spur the use of digital identities, enhancing security, simplifying authentication processes, and providing convenient and efficient access to various online services. The Bill also upholds a high standard of data protection rights that are among the strongest in the world.
The reforms are also expected to grant the UK the flexibility needed to adapt to a rapidly changing global trade environment.
The opportunity to better use data to solve the UK's challenges
The DPDI Bill will amend the UK's General Data Protection Regulation (GDPR) in ways that support the use of data to solve some of the UK's most pressing challenges, from providing clearer bases for using data in research and development to giving companies more certainty to process data to prevent crime, respond to emergencies and safeguard children or vulnerable adults.
Clarifying the Data Protection Framework: Scientific Research and Legitimate Interests
The Bill clarifies that the existing research provisions in the GDPR for processing data cover privately funded projects in the public interest. It also includes an illustrative and non-exhaustive list of types of scientific research, including technological development, fundamental or applied research, or scientific advances to support public health.
techUK welcomes these provisions for bringing clarity and expects they will foster innovation and the development of cutting-edge technologies in fields like artificial intelligence, healthcare, and environmental science, thus enhancing the UK's position as a global hub for scientific research.
The provisions should operate alongside the UK's new expanded R&D tax credit that since April 2023 covers data license and cloud computing costs. The combination of these two recent policy changes will provide clearer regulation and greater incentives for data driven research with the greatest benefit for innovation intensive SMEs.
The Government will also introduce a limited, exhaustive list of legitimate interests no longer requiring a lengthy legal assessment (balancing test), such as crime prevention, the safeguarding of children, and public emergencies, which will empower organisations to clamp down on fraud and develop safer products and services.
We anticipate that the reforms on scientific research and legitimate interests will give the UK a competitive advantage and unlock substantial opportunities for societal benefit, encompassing areas such as fraud prevention, enhanced competition, safeguarding the vulnerable and broader public interest, and crisis management, for example:
- Tackling financial exclusion: LexisNexis® Risk Solutions, part of RELX Group, combined 2.6 million records with powerful statistical linking technology to provide a detailed, regional overview of financial exclusion and its underlying causes across the UK adult population.
- Investigating emerging societal needs: BT's Global Research and Innovation Programme brought together BT's research ecosystem and was leveraged during the pandemic to explore growing concerns such as the future of work, impact on SMEs and in-person industries such as food, retail, and leisure.
- Supporting medical research: Vodafone UK's DreamLab is an award-winning crowdsourcing app, developed by Vodafone Foundation, that uses the processing power of mobile phones to accelerate scientific research. For cancer research, DreamLab has identified over 110 anti-cancer molecules and potential repurposed drugs, while for COVID-19 research, the app has employed AI to analyse virus-host interactions data, identifying potential antiviral treatments.
However, concerns persist regarding how Automated Decision Making (ADM) applies to the recognised list of legitimate interests in situations where the decision carries significant or high-risk implications. To alleviate these concerns, the Government should provide clearer guidance on how ADM fits within the recognised list of legitimate interests for high-risk scenarios. This will reassure data subjects that their interests are being carefully considered and that avenues for redress are readily available.
At the moment the Bill does not provide additional clarity on how organisations should process personal data for bias mitigation purposes. Given the importance of ensuring that AI and algorithmic systems are not biased, and the coming regulation via the Government's AI whitepaper to ensure this, we believe the Government should look to provide further clarification in the law around how data can be processed to train systems for bias mitigation purposes.
Streamlining international data transfers for data-driven innovation
The Bill adopts a more proportionate and risk-based approach to international data transfers, fostering a more flexible environment while upholding robust data protection standards, thus aligning with the UK's ambition for global leadership in data-driven innovation and economic growth.
These changes are welcome and much-needed as the global landscape for international data flows becomes more fragmented, enabling the UK to respond effectively to a rapidly changing world. Further details on this approach can be found in the first report of the independent International Data Transfers Expert Council.
Nurturing a Thriving Digital Identity Ecosystem for Inclusive Growth
The digital identity measures in the Bill will enable the Secretary of State to exercise governance functions in relation to the digital verification services register. This is a crucial step towards a thriving, safe and trustworthy digital identity ecosystem, which will enable real and inclusive economic growth by fostering increased financial inclusion, and the provision of public services by unlocking access to banking, government benefits, education, and many other critical services.
Crucially, this will also reduce fraud, and promote secure digitization of a range of public and private services.
Upholding high standards of data protection
Consumers' trust in the UK's data protection is paramount to maintaining confidence in digital products and services, upholding the UK's global reputation for robust data protection standards, and ensuring UK companies remain competitive internationally and can continue to innovate.
The UK's GDPR grants individuals comprehensive rights over their personal data, including the right to access personal data held about them, the right to be informed about how and why their data is used, the right to have their data rectified, erased, or restricted, the right to object to data processing, the right to data portability, and the right not to be subject to automated decision-making based solely on personal data.
The DPDI Bill prioritizes these rights, maintaining existing provisions, for example:
- Maintain individuals' right to request a copy of their personal data;
- Empower individuals with enhanced data portability rights through Smart Data schemes that enable seamless transfer of personal data across different platforms and services;
- Protect individuals' rights by ensuring they have the right to request human review or challenge any decision made through automated decision-making processes that significantly affects them and with which they disagree.
Some concern has been raised about the proposed legitimate interest list included within the Bill, the changes to the accountability framework, and the potential impacts these will have on data subject rights. techUK sets out our perspective below.
Legitimate interests:
The DPDI Bill will establish a list of "recognised" legitimate interests, exempting a range of non-commercial interests, like national security and child protection, from the usual balancing test, thus allowing organisations to respond at pace to often time-sensitive situations.
The Bill will also provide illustrative examples of legitimate interests for commercial purposes, ensuring organisations have greater confidence that a balancing test is appropriate for a range of scenarios, such as direct marketing and intra-group transfers.
These changes will improve the UK's data protection regime in a variety of ways, including enhancing fraud prevention, improving product safety, and supporting the implementation of the Online Safety Act and the government's fraud strategy. The list is limited and organisations will still have to perform a balancing test for the vast majority of circumstances where they use the legitimate interest processing ground, similar to the position under the law today.
Accountability framework:
The Bill will also make important changes to the accountability framework, i.e. how organisations are held to account for how they process data.
The current framework requires organisations to comply with a set of detailed requirements, generally regardless of the risk associated with their data processing activities. This places a disproportionate burden on SMEs and organisations that undertake low-risk processing.
The proposed changes aim to introduce a more risk-based and adaptable approach to data protection and management, enabling organisations to tailor their compliance efforts to their specific circumstances and foster a robust and risk-driven approach embedded within their operations.
This approach will place a stronger emphasis on the fundamental principles of accountability, including leadership and oversight, risk assessment, policies and procedures, transparency, staff training and awareness, and monitoring, evaluation, and improvement.
For example, even though businesses will no longer be mandated to have dedicated data protection officers, they will be required to designate a Senior Responsible Individual who will be responsible for embedding a data protection-conscious culture within the organisation.
Given that all employees must be actively engaged in data protection to some extent for it to be effective, we view this as a positive step. Similarly, even though businesses will no longer be required to carry out Data Protection Impact Assessments (DPIAs), they will still be required to identify, manage, and mitigate data risks. The steps organisations need to take to comply with these new requirements will be set out in guidance by the ICO, updating existing guidance already in use.
We expect that the overall effect of these changes will be a more risk-based approach to data governance, with organisations that do not process large quantities of personal data or sensitive personal data likely seeing a reduced level of compliance burden suitable to their needs.
Having discussed the proposed changes to the accountability framework extensively with our members, the vast majority do not expect these changes to affect their approach to data governance, as they expect to be held to the strongest standards and will have to build a globally facing compliance approach that meets the needs of multiple jurisdictions.
Data adequacy:
This is consistent with techUK members' views on the Bill as seeking to maintain important data flow agreements, such as EU data adequacy, while seeking to minimise burdens on businesses that do not engage in risky data processing.
The reforms enacted in the DPDI Bill do not substantially change data protection rights in the UK and British data protection standards will remain essentially equivalent to the EU's. We therefore expect the UK will retain its adequacy status. Data adequacy is a flexible designation accommodating 14 other non-EU countries with diverse legal frameworks.
These include countries such as the UK, Argentina, Israel, New Zealand, Uruguay. The UK has an enhanced adequacy status covering both personal data transfers and data exchanges for law enforcement.
Areas for improvement:
The DPDI Bill represents well-considered and balanced modifications to the UK GDPR that will foster enhanced data-driven innovation in the UK. As it enters the House of Lords, we need to ensure that it seizes the full opportunities for reform.
We encourage peers to look at clarifying how ADM will apply to the legitimate interest list, and to provide additional clarity on how to use personal data to prevent bias in AI and algorithmic systems.
There are also other areas we would welcome further changes in. For example, while we support the government's efforts to address nuisance calls and streamline data frameworks in health and social care.
As the Bill progresses through the House of Lords, techUK will continue to work closely with the government, peers, and the regulators to ensure that full advantage is taken of this opportunity for reform.
techUK will be calling for:
- Making the UK a more attractive place for data driven research;
- Ensuring the recognised list of legitimate interests works as intended;
- A more flexible approach to International transfers;
- Allowing the UK's Digital ID market to grow;
- Maintaining EU Adequacy;
- Addressing concerns over the Secretary of State's Powers;
- Automated telephone marketing - technical feasibility of new obligations to report on nuisance communications;
- Ensuring a unified, cohesive, and interoperable legislative framework for health and social care.
Please click here to download techUK's full briefing on the DPDI (No. 2) Bill.