Excuse me for not writing an update to the proposed data protection bill changes earlier. The Government published the Data Protection and Digital Information (No. 2) Bill earlier this month. This is the second version of its proposal for data protection legislation;

  • Data Protection Act 2018
  • Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
Read more: Data Protection and Digital Information (2) Bill – unpacked

The first thing to note is that this is not new legislation but a bill that amends current legislation. It makes reading the new bill ‘interesting’ as you need all three documents to see the proposed changes.

Key Points

  1. For businesses that have already implemented GDPR and data protection, there will be fundamental changes that you need to implement.
  2. If you are working with the EU, you will still have to abide by their FULL regulations.
  3. The legislation changes offer ‘marginal’ or ‘slight’ flexibility.

Lets’s unpack

Legitimate Interest conditions

The Bill sets out a list of recognised legitimate interests where the balancing test does not need to be undertaken. This list started in the first Bill and is an uncontroversial list. It lists the reasons why processing personal data is essential. For example, in the context of safeguarding national security and preventing crime).

Types of processing that may be “processing that is necessary for the purposes of a legitimate interest” have been added. Also, note that the balancing test will still need to be undertaken. This includes processing necessary for direct marketing, the transmission of personal data for internal administrative purposes and ensuring the security of network and information systems.


The inclusion of “direct marketing” in this list has not been accompanied by a significant change to PECR, meaning that all of the rules that currently apply to electronic marketing under PECR, including the obligation to obtain consent or rely on soft opt-in consent for email marketing, will still apply.

Except for a notable change around permission to send direct marketing from political parties, charities and other non-profits IF they have an existing supporter relationship with the recipient (an extension of the so-called ‘soft opt-in’)

One other significant change is around fines; the Bill proposes to increase the fines for infringement from the current maximum of £500,000 to UK GDPR levels, up to £17.5m of 4% of global annual turnover (whichever is higher).

Cookies have been a big focus. The significant changes would be can only be used to store or access information on end-user terminal equipment without express consent where it is ‘strictly necessary’ – for example, website security or proper functioning of the site. The Bill proposes allowing cookies to be used without consent for web analytics and to install automatic software updates.

Records of Processing Activities (ROPA) and DPIAs.

The Bill removes the requirements for data protection impact assessments and records of processing. Instead, it proposes being replaced with new requirements around risk assessment of high-risk processing and streamlined record keeping. These new provisions will allow greater flexibility and for businesses to make decisions on risk assessment and be accountable for their own operation. 

Information Commission

Proposes the change and structure of the Information Commissioner to the Information Commission, in line with other regulatory bodies. This will mean it moves to be a corporate body with a CEO (presumably John Edwards, the current commissioner). It looks more like a modernising rather than a fundamental shift.

Decision-making is likely to be more collegiate and will bring in more continuity.

The interesting point is complaints will need to be made to the data controller first to resolve, rather than the commission.

International Trade

Ok, this is going going to be in 2 parts

  • if you are dealing with the EU, regardless of the changes to this legislation, you are going to have to follow the EU GDPR, and currently, there is an adequacy decision between the UK and the EU for data flows between the 2. This is due to expire in 2025 if not renewed, so technically no changes need to be made – including cookies.
  • Regarding other international transfers, the changes look to be more proportionate and risk-based. It comes in the form of a ‘data protection test’ which sets out the transfers of personal data to a third country. This moves away from the adequacy test to consider whether data protection in the third country is ‘not materially lower’ than that under the UK GDPR. The test focuses on looking at protection as a whole and allows for greater flexibility when assessing a third country, e.g. judicial or non-judicial redress for data subjects is now considered.  


When you look at the 260+ pages of the Bill, you would expect there to be lots of changes to UK data protection law. The changes can be seen as an evolution of the current legislation. There are some tweaks and added slight flexibility, but the core framework of the UK GDPR has been kept.
In essence, if you are already doing GDPR, then based on the current Bill, there will be no major changes to be made.

One last point, this blog will be updated as and when amendments and changes are made. Currently, this is the Bill after its first reading. it has a long way to go to become law.