UK Digital Bill: A delicate balancing act

Karen Bollard and Marc Marrero, Senior Consultants


Despite a rocky start, the UK Data Protection and Digital Bill 001 2023-24 (called the no. 2 bill following the withdrawal of Bill 265 2022-23) has finally made it through its third reading in the House of Commons and is set to move into the House of Lords later this year or early next year.

The raft of changes and updates since its original introduction have many implications for privacy professionals, some of which will be very welcome and others not so much.

⇒ The inclusion of a list of ‘recognised legitimate interests’ for which the need to carry out a balancing test has been removed.

The intention is for the list to be updated on a periodic basis. Each update will mean another LIA you no longer need to complete.

We find that doing an LIA provides a moment for stakeholders to ‘pause and reflect’ on the data processing. Care needs to be taken to ensure that complacency doesn’t become the norm in your company if you no longer do LIAs on a routine basis.

⇒ The replacement of the DPO role with that of an SRI (Senior Responsible Individual).


The SRI role does not contain an independence clause. DPOs have lost some of the protections they had under GDPR.

⇒ The introduction of the ‘vexatious or excessive’ concept for DSARs.

This change could potentially be very helpful BUT make sure at the earliest opportunity that the DSAR is (a) intended to cause distress, (b) not made in good faith, or (c) an abuse of process, before calling it ‘vexatious or excessive’.

We see a potential conflict of interest here between the company and the privacy professional, should you feel the DSAR is in good faith, but the company decides it’s vexatious (see above re: no independence clause).

⇒ GDPR level consent is no longer required for cookies relating to security updates, user preferences and collecting information for statistical purposes about how the website/service is used with a view to making improvements.

Less complicated cookie banners – who wouldn’t love that?

Beware! We can envisage occasions where the marketing department decides that collecting information on the performance of ads is for ‘statistical purposes’ or to ‘improve the website’.

⇒ The requirement to carry out a Data Protection Impact Assessment (DPIA) is removed.

You still need to carry out an assessment of ‘high risk processing’ but it should be a lot easier and the requirements of what needs to be included are more straightforward. The proposed changes require the inclusion of the following: a summary of the purposes of processing, assessment of necessity and risks to individuals and a description of how those risks will be mitigated.

The ‘DPIA-Lite’ approach misses out on some items that we feel are very important under the GDPR – such as the need for consultation. If this is no longer mandated by law, many companies will choose not to do it and will assume that they know the impact on individuals rather than actually truly assessing the impact.

⇒ The provisions regarding automated decision-making now only apply to processing that involves special category data.

The impact of this change will mean fewer DPIAs or their equivalents (the new ‘high risk processing’ assessment) to carry out.

We foresee a potential decrease in ‘privacy by design and default’ as a result of the removal of other conditions for which DPIAs (or their equivalents) need to be produced. For example, processes or projects that are ‘novel’ to the organisation but which do not involve special category data may not be fully investigated in advance of the processing taking place and risk having unforeseen consequences for both the Data Subject and the organisation.

⇒ An extension of the ‘soft opt-in’ exemption for Direct Marketing to include the purposes of furthering charitable, political or other non-commercial objectives.

Great if you are the SRI for a political party or an ‘aficionado’ of politics in general.

This change promises to be not so great for everyone else as it basically means a bigger ‘spam’ folder in your inbox or a longer ‘block’ list on your phone. Be prepared for a possible rise in the identification of ‘phishing’ emails within your organisation.

On balance, as privacy specialists, one of whom has spent her career working in Ireland, we find that the changes aren’t too removed from the GDPR and that, taken on its own merits, the new Digital Bill won’t necessarily have a major impact on the day-to-day lives of UK privacy professionals or UK adequacy itself. 

However, there are some red flags we cannot ignore. We are concerned about the subtle dilution of individual rights by enabling government to monitor bank accounts under the aegis of combatting ‘fraud’. In a similar vein, the politicisation of the Bill by opening up the ‘soft opt-in’ to political parties, in addition to the existing purpose of benefiting charities and other non-commercial enterprises, remains troubling.

Passage of the Bill is expected in Spring 2024 so add this to your 'To Do' list for Q1 with a note to look out for further updates.
