The Data Bill, whilst not as ambitious as the previous Data Protection and Digital Information Bill (the DPDI Bill), introduces several new business-friendly changes to the UK data protection regime.
The background
The previous government had introduced the DPDI Bill as a progressive, business-friendly framework that would cut down on costs and paperwork. The DPDI Bill then went through several iterations and was described as a 'Christmas-tree' bill for the number of different provisions it sought to include. On the whole, however, the new regime would still have been very similar to the EU GDPR as too great a departure would threaten the UK's EU adequacy (also a concern with the new Data Bill).
Ultimately, the DPDI Bill did not pass through Parliament before its dissolution on 24 May 2024 ahead of the general election on 4 July 2024 and failed to become law. Eyes were on the new government as to whether it would resurrect the DPDI Bill and in what form.
The development
On 23 October 2024, the government introduced the Data Bill to Parliament. Like the DPDI Bill, the Data Bill serves multiple purposes. In addition to making GDPR-specific changes, the Data Bill introduces a new Smart Data scheme (that allows for the sharing and access of customer and business data), new digital verification services, and changes to the structure of the ICO.
The Data Bill introduces the following amendments to the UK data protection regime:
On the other hand, the Data Bill does not include the following amendments that were proposed in the DPDI Bill:
Why is this important?
The Data Bill is the Labour government's attempt at recalibrating the UK's approach to data protection, after the previous government failed to push the DPDI Bill through. The narrower scope of the Data Bill will disappoint businesses expecting a less burdensome regime, but this may be a tactical decision to ensure that the UK does not lose its EU adequacy. However, with the more ambitious DPDI Bill, organisations that operate across the UK and EU would have needed to decide how to manage both sets of requirements - either adopt a dual-track system for the UK and EU or require that the entire business complies with the stricter EU regime. With the more limited changes proposed by the Data Bill, such organisations will not need to make such strategic decisions but they may be able to take advantage of minor tweaks to their UK processing.
Any practicaltips?
The Data Bill is currently making its way through the House of Lords before continuing through the House of Commons. It's still very early days and the text may go through several rounds of amendments. However, much of the Data Bill had cross-party support when it appeared in the DPDI Bill and some of the more controversial reforms to the data protection regime have been removed, so the government's target of achieving Royal Assent by Spring 2025 with commencement later in the year does not seem overly ambitious.
Businesses should keep track of the draft through the Parliamentary process and begin initial analysis of how these changes would affect contracts and processes.