Understanding the Changes to UK Data Protection Laws
The UK Government introduced the Data Protection and Digital Information Act (No. 2) ("Act") in Parliament on 8 March 23. The law gives organizations flexibility in the use of personal information by reducing compliance requirements. Businesses that are not yet compliant will benefit from the changes.
The main points of the strategy are:
- Reducing barriers: The bill introduces definitions of "statistical surveys", "scientific research", "historical research" and "consent" for processing personal data. It intends to reduce the legal requirements for the use of personal data in various forms of research.
In addition, if the processing purpose of the data owner is a "legitimate interest", that is, the processing is necessary for the investigation or prevention of terrorism, the organization should not equate legal interest with rights and the likes of the curriculum. The law also empowers the Secretary of State to create, modify and/or revoke recognized legitimate interests in the future.
The law also sets out a non-exhaustive list of other examples of legitimate interests, including direct marketing, group transfers of personal data, and/or processing for the security of networks and information systems. But organizations need to make a satisfactory assessment for this type of work.
- Reducing the burden on businesses and increasing benefits for people: Organizations should only keep records of activities when they carry out activities that may pose a "high risk" to individuals' rights and freedoms. Such risks should be identified using the "nature, scope, content and purpose of the business". Some examples of high risk are organizations working on particularly large data (e.g. health insurance companies) or using new technologies to process large amounts of personal data (such as public face cameras).
The Data Protection Officer role is replaced by the Senior Data Protection Officer ("SRI"). Organizations should appoint an SRI only if the controller/processor is a government agency (a court or tribunal acting in its jurisdiction) or is a controller/processor that would pose a high risk to people. SRIs will be responsible for protecting information risks in their organizations unless they can assign this role to people with the necessary skills. The SRI must be part of the organization's senior management but may take on other roles within the organization in addition to the SRI role.
Data controllers and processors not established in the UK will also not be required to appoint a representative pursuant to Article 27 of the UK GDPR.
- Reducing Barriers to the Flow of Information: This Act establishes new tests (also known as "information bridges") for the Secretary of State to comply with necessary regulations. The foreign minister will be asked to make a joint effort to test, be more efficient and set the protection standards of the third country/entity. In practice, this means that the Secretary of State will have the authority to verify that many countries have adequate data protection.
This law will increase penalties for direct marketing violations (such as wiretapping) under the Privacy and Electronic Communications Regulations ("PECR"). The maximum fine will be increased from £500,000 to £17,500,000 or, in the case of a business, 4% of the business's global annual turnover, whichever is higher. Finally, the proposal has amended the PECR Law to expand the list of exceptions where it is necessary to allow cookies to be placed on the end user's device. These exemptions include, for example:
- 1. Collecting statistical information on community service information for improvement;
- 2. Adapting the appearance or functionality of the website to the user's preferences;
- 3. Installing necessary software updates to secure the end device; and
- 4. Locating a person in an emergency.
In addition to the exception for defining the area in an emergency, users should be provided with clear, detailed information about the storage (and access) of information stored on their edge devices, with the option to disable it.
May 01, 2023