Video Call

Reject or Accept All? What's Changing in the UK Government's Proposed Data Protection Bill

Published 10 March 2023

This week, the UK Government has introduced the 2nd version of the Data Protection and Digital Information Bill. The bill, introduced by Technology Secretary Michelle Donelan is designed to “reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online.”

The bill is described as being “common-sense” led and expected to save the UK economy more than £4 billion over the next ten years. It was first introduced in the summer of 2022 but was paused in September of that year. Since then, ministers have been engaged in a co-design process with data experts and business leaders to improve upon the bill. Their goal has been described as “moving away from the ‘one-size-fits-all’ approach of European Union’s General Data Protection Regulation (GDPR).

What Are the Main Benefits of the New Data Protection Bill?

In the press release published by the Department of Science, Innovation and Technology, this week, they described the bill as delivering the following benefits:

  • Introducing a simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws
  • Ensuring our new regime maintains data adequacy with the EU, and wider international confidence in the UK’s comprehensive data protection standards
  • Further reducing the amount of paperwork organisations need to complete to demonstrate compliance
  • Supporting even more international trade without creating extra costs for businesses if they’re already compliant with current data regulation
  • Providing organisations with greater confidence about when they can process personal data without consent
  • Increasing public and business confidence in AI technologies by clarifying the circumstances when robust safeguards apply to automated decision-making

These benefits are supported by the Data and Marketing Association (DMA) and the Information Security Office (ICO) who have expressed their confidence and welcome the bill.

Looking for guidance on this new, potential legislation? Register for our webinar: "A Guide to Preparing for Upcoming Data Protection Legislation Change"


How Will the New Data Protection Bill Impact Your Organisation?

As expected, the publication of the bill brings with it lots of potential changes. The latest proposals will create intricacies for organisations doing business across the United Kingdom, Europe, and further afield, particularly when it comes to maintaining processing records, undertaking direct marketing, utilising cookies and sharing data internationally.

Despite this, the fundamental principles of the current UK data protection landscape will remain the same! Core controller and processor obligations are unaffected by proposals, as are the range of rights available to empower data subjects when it comes to the use of their personal data.

Ultimately, organisations that are already compliant with the current legislation will not have to make changes to conform with requirements outlined by the bill. There will, however, be opportunities to seek efficiencies in places based on its less rigorous obligations.

Our guidance is to continue to benchmark and use the current UK and EU regime as the standard of your organisation's practice, while aligning to globally recognised standards such as ISO27701:2019 .

This will facilitate an approach that is complementary to driving your business objectives while also ensuring flexibility and ongoing compliance with each diverging set of legal obligations.

Whether you’re an organisation that is solely affected by UK Data Protection legislation or one that has additional obligations in the EU, or elsewhere, Bridewell’s Data Privacy experts can assist with implementing a compliance framework that meets each of your obligations.


Chris Linnell

Data Privacy Principal Consultant