10 Min Read

UK data protection reform, reformed? Data Protection and Digital Information (No.2) Bill published

Read more

By Jade Kowalski & Nadia Belkacemi


Published 10 March 2023


It has been a busy week for privacy professionals. The Government has published the second iteration of its proposals to reform the UK General Data Protection Regulation in the form of the Data Protection and Digital Information (No.2) Bill (“DPDI (No.2) Bill”). The original iteration of the Bill, published last year, will proceed no further.

Like its predecessor, the DPDI (No.2) Bill is intended to update and simplify the data protection framework in the UK, with the aim of reducing burdens and associated costs on organisations while maintaining high data protection standards.

There are targeted measures to reduce administration and compliance costs for business, in an effort to advance, in the Government’s words, a ‘common-sense’ version of the UK GDPR.

Speaking at the IAPP Data Protection Intensive, Michelle Donelan (Secretary of State, Department for Science, Innovation and Technology) said the DPDI (No.2) Bill is “not a step back, but a massive step forward…it is a constructive progression of the EU GDPR and one that we hope will be an example for the rest of the world”.

As with the original draft, rather than replacing existing UK data protection legislation, the DPDI (No.2) Bill amends the UK’s existing and retained version of the EU General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018 (“DPA 2018”), meaning that readers need to cross refer between the relevant content.

We will provide a detailed analysis of the proposals in the coming weeks, and provide updates at regular intervals as they progress through Parliament over the coming months. An initial summary of the key proposals, both new and retained from the original iteration of the Bill, is set out below:


The DPDI (No.2) Bill:

  • Maintains the change to the definition of personal data introduced in the original iteration which specified that information would only be deemed to relate to an identifiable individual (i) where the individual is identifiable by the controller or processor by reasonable means at the time of processing; or (ii) where the controller or processor knows, or ought reasonably to know, that another person will, or is likely to, obtain the information as a result of the processing and the individual will be, or is likely to be, identifiable by that person by reasonable means at the time of processing.

  • Expands the circumstances in which processing for research purposes may be undertaken, providing a broader consent mechanism and exemption to the fair processing requirement.

  • Retains the clarification of the concept of purpose limitation from the original iteration of the Bill.

  • Provides for further specific activities or interests which may be regarded as in a controller’s legitimate interest to process data. In addition to those set out in the original iteration, the DPDI (No.2) Bill includes direct marketing, intra-group transmission of personal data for internal administrative purposes and ensuring the security of network and information systems. These examples are highlighted as non-exhaustive, and that other legitimate activities may exist, providing the legitimate interests assessment is carried out.

  • Further amends proposals regarding Records of Processing Activities. It is proposed that records will only be required where processing is likely to result in a high risk to the rights and freedoms of individuals.

  • Maintains amendments to a controller’s ability to refuse to comply with data subject requests (or charge a fee for handling such requests) in circumstances where it is ‘vexatious or excessive’, replacing the existing threshold of ‘manifestly unfounded’ or ‘excessive’ requests. Requests can be considered ‘vexatious or excessive’ where they are intended to cause distress, abuses of process or those made in bad faith.

  • Maintains reforms the existing “adequacy” assessment process and rebadges it as a “data protection test” which focuses on risk-based decision-making and outcomes. The test will be met if the standard of data protection is “not materially lower” than that provided under UK law.

Maintains proposals to replace the office of the “Information Commissioner” with a new body, the “Information Commission”. The Commission will consist of members appointed by the Secretary of State, or any such members appointed by those on the Commission already. It also maintains new measures to strengthen the role of the Information Commissioner, including a new principal objective and duties. The Commissioner will be required to publish a forward looking strategy document for carrying out its functions, and have regard to a statement of strategic priorities published by the Secretary of State.

Next steps

The draft DPDI (No.2) Bill will now proceed to the second reading stage, which is expected to take place within the next few weeks. The subsequent committee stage will involve a detailed examination of the Bill, and parliamentarians will be able to propose amendments, and evidence may be taken from experts and interest groups.