UK data protection reform: A second bite of the cherry

On 8 March 2023, the UK Department for Science, Information and Technology (DSIT) published the Data Protection and Digital Information (No.2) Bill (DPDI 2) which provides an update to the Government's reforms to the UK data protection framework, ending months of speculation as to what would be changed.

In July last year the Government released their long awaited reforms to the UK's data protection framework, the Data Protection and Digital Information Bill (DPDI 1), which made amendments to a number of laws including the UK GDPR, Data Protection Act, and Privacy and Electronic Communications Regulations. The aim of the reforms was to simplify the data protection framework by reducing burdens on organizations while maintaining high data protection standards.

After the 2022 leadership changes within Government, the DPDI 1 was put on hold shortly after it entered its legislative journey, with a view to create a 'new data protection plan'. In the meantime, the Government engaged in further consultation with industry leaders, business groups, and consumers with a view to making UK law more aligned with the reality surrounding data processing activities and the objectives of the legislation.

With the DPDI 2, the Government aims to further lessen the compliance burdens on business by cutting 'pointless paperwork' whilst unlocking '£4.7 billion in savings for the UK economy'. Crucially, in addition to creating a new data protection framework that is better suited to the Government's needs and aims, the UK is also trying to make a contribution to the global debate about privacy regulation by putting forward a proposal of what may constitute a solid baseline for global compliance.

The changes

  • Commercial activities can fall under scientific research definition

The DPDI 2 amends the definition of scientific research so that it now includes research for the purposes of commercial activity.

  • Legitimate interests get clarification

The DPDI 2 introduces a non-exhaustive list of instances where organizations may rely on the 'legitimate interests' legal basis, including for the purposes of direct marketing, transferring data within the organization for administrative purposes and for the purposes of ensuring the security of network and information systems.

Direct marketing was already considered as a legitimate interest under the recitals of the UK GDPR, but intra-group administrative transfers and security are new additions to the list.

  • Clarifying the restrictions around automated decision making

The DPDI 2 clarifies the meaning of 'meaningful human involvement' in automated decision making by ensuring there is consideration of the extent to which profiling is involved. The secretary of state may also publish further guidance on the meaning of 'meaningful human involvement'.

  • Only keep records of processing personal data if high-risk

The DPDI 2 amends the obligation to maintain records of processing activities, so that records will only need to be kept where the personal data processing is likely to result in a high risk to the rights and freedoms of individuals.

  • Existing SCC will remain valid 

The DPDI 2 clarifies that existing safeguards for international personal data transfers will still be lawful once the new law takes effect.

The impact

The changes made to DPDI 1 are, on the whole, relatively minor. When the reforms were originally published last year, Hogan Lovells published an article-by-article analysis of the changes (which you can find here) and we concluded that none of the proposed changes represented a radical departure from the current law in the EU.

In the same way that DPDI 1 did not affect the essence of the UK data protection framework on the basis of which EU adequacy was granted, the revised version does not change that either. Therefore, the adequacy determination granted by the European Commission for restrictions-free transfers from the EU should not be affected.

The future

The DPDI 2 has been introduced as a new bill at the first reading stage. Its second reading is due to be scheduled within the next few weeks, which will be the first time these data protection reforms will be debated in the House of Commons. The DPDI 1 will fall away as the DPDI 2 proceeds through the houses.

The last data protection law to go through the domestic legislative process was the Data Protection Act 2018, and it was most the amended piece of legislation that session. However, DSIT expect the DPDI 2 to pass through in a form similar to the one now published.

In terms of timelines, it now seems likely that the reform of the current data protection framework will take effect during the course of this year. In practical terms, this means that organizations operating in the UK or targeting the UK market have a few months to consider their compliance strategy and decide whether to simply assume that their current level of compliance is acceptable or to explore the potential advantages of following the new regime.


Authored by Eduardo Ustaran, Dan Whitehead.

Kathleen McGrath, a Knowledge Paralegal in our London office, contributed to this post.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.