International Cyber Expo International Cyber Expo
  • About Us
Friday, 17 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Data Protection and Digital Information Bill – what are the changes?

By Joe Kirk, Data Protection Support Desk Consultant - Data Protection People

by The Gurus
August 7, 2023
in Featured
Data Protection and Digital Information Bill – what are the changes?
Share on FacebookShare on Twitter

Everyday I’m immersed in the challenges faced by organisations and individuals navigating the complex world of Data Protection. Recently, this has been compounded by the developments surrounding the Data Protection and Digital Information Bill, after the government released a keeling schedule for the bill. 

Complications and Considerations

Upon reviewing the keeling schedule of the reform bill, I must admit, my initial impression was one of disappointment. The changes proposed by the UK government seem to complicate matters unnecessarily, leading one to wonder if there might be a touch of superiority complex at play. Let’s take a closer look at some of the key amendments and their potential implications. 

  1. Data Protection Officer (DPO) to “Senior Responsible Individual”: The bill suggests changing the title of DPO to “Senior Responsible Individual.” This alteration may seem insignificant, but it raises questions about the underlying motivations. Renaming the role could inadvertently dilute the importance and expertise associated with the position, potentially undermining the effectiveness of Data Protection practices within organisations.
  2. Data Protection Impact Assessment (DPIA) to “Assessment of High-Risk Processing”: Similarly, the proposed change from DPIA to “Assessment of High-Risk Processing” introduces unnecessary complexity. The term DPIA is widely recognised and understood within the industry and altering it might create confusion and additional hurdles for compliance.
  3. Adequacy Decision to “Data Protection Test”: The concept of an adequacy decision is vital when it comes to international data transfers. However, the bill suggests replacing it with the term “Data Protection test.” While it’s commendable to emphasise the need for robust Data Protection laws, the bill’s apparent willingness to grant adequacy to any country as long as they have a “materially lower” set of Data Protection laws raises concerns. We must ensure that data transfers do not compromise individuals’ rights and freedoms. Additionally, the biggest concern in my opinion, is the possible threat to the UK’s adequacy decision with the EU.
  4. The “watering down” of RoPAs: One of the most baffling changes is the removal of Records of Processing Activities (ROPA), except in cases where personal data processing poses a high risk to individuals’ rights and freedoms. As we discussed extensively on a previous podcast episode (118), ROPAs are the backbone of an organisation’s Data Protection practices. They play a crucial role in shaping and influencing various aspects of an organisation’s data processing activities. Removing the requirement for ROPAs seems counterintuitive and could have unintended consequences.
  5. Additional lawful basis: There is a potential new lawful basis that has been suggested by the secretary of state. It’s called ‘Recognised Legitimate Interest’ They are as follows:
    • processing that is necessary for the purposes of direct marketing,
    • intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and
    • processing that is necessary for the purposes of ensuring the security of network and information systems.

Now, on the face of things this may not seem like such a bad idea, but please bear with me whilst I explain my concerns around this.

The EU Commission has previously expressed concerns about the Dutch data protection authority’s strict interpretation of legitimate interests, considering it not to be in line with the GDPR, guidelines of the Article 29 Working Party/ EDPB and the case law of European Court of Justice (CJEU). The concerns focus on guidance issues by the Autoriteit Persoonsgegevens (Dutch Supervisory Authority) in 2019, stating that purely commercial purposes, such as maximisation of profits would not be considered a legitimate interest.

Essentially, what I’m trying to say is the EU Commission has expressed concerns that purely commercial purposes such as maximising profits would not be considered a ‘legitimate interest’ and yet in the new DPDI bill, there is a suggestion to add “recognised legitimate interests” as an additional lawful basis – one of these being processing necessary for direct marketing. Could you not argue that this is purely commercial purposes?

In my view, this adds to concerns I already have over the UK putting their adequacy decision with the EU at risk if/when the new bill is approved. 

Expert Insights

During the examination of the Data Protection and Digital Information Bill at the committee stage, John Edwards, the UK Information Commissioner’s Office commissioner, shared his insights. Here are the key takeaways from his testimony:

  1. Clarity of Definitions: Edwards highlighted the need for greater clarity around terms such as “high-risk activity” within the bill’s definitions. Ambiguities in these definitions can impede effective implementation and compliance.
  2. No Threat to Adequacy: The commissioner reassured us that there is “nothing in the bill that threatens adequacy.” While this provides some relief, we must remain vigilant to safeguard individuals’ data when it traverses international borders.
  3. Importance of Clarity in Legitimate Interest: Edwards stressed the significance of clarity in the term “legitimate interest.” Providing businesses with clear guidelines and circumstances in which legitimate interest can be invoked reduces uncertainty and promotes compliance.
  4. The ICO’s New Role: Edwards expressed excitement about the ICO’s new role, positioning it as a supporter of the “empowered citizen.” This suggests a commitment to protecting individuals’ rights and promoting transparency in data processing practices.
  5. Citizen Rights and Access: Importantly, Edwards stated that the bill presents no challenge to citizens’ ability to access their rights, including the possibility of charging them. This reassurance underscores the ongoing commitment to ensuring that individuals can exercise their Data Protection rights effectively.

In conclusion, the Data Protection and Digital Information Bill has generated both praise and concerns within the Data Protection community. As an advocate for Data Protection practices, I must admit that some of the proposed changes appear to complicate rather than simplify matters. Renaming key roles, altering terminology, and removing the requirement for ROPAs all raise valid concerns about the effectiveness and transparency of Data Protection measures.

Remember, Data Protection is a collaborative effort, and your voice matters. Let’s continue to navigate the ever-changing landscape together, empowering individuals and safeguarding their rights in the digital age.

By Joe Kirk, Data Protection Support Desk Consultant – Data Protection People

ShareTweet
Previous Post

techUK and Axiologik join forces to present the UK Tech Plan at major political party conferences

Next Post

Evolution of Enterprise IT and AI: DTX + UCX Europe 2023 prepares teams for new realm

Recent News

AI Appreciation Day: Security Leaders Say the Celebration Needs an Asterisk

AI Appreciation Day: Security Leaders Say the Celebration Needs an Asterisk

July 16, 2026
Q&A: Businesses Are Running Out of Time to Prepare for the Quantum Threat, Warns Moona Ederveen-Schneider

Q&A: Businesses Are Running Out of Time to Prepare for the Quantum Threat, Warns Moona Ederveen-Schneider

July 15, 2026
Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

July 15, 2026
Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

July 14, 2026

Eskenzi PR banner ad

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol