UK GDPR replacement – update

The Data Protection and Digital Information (No. 2) Bill, which is set to replace the UK GDPR later this year, started its Committee Stage in Parliament last week. Some parts were televised, and a few observations on the proceedings follow:

  • Organisations that use our personal data, or represent those who do (like the DMA), generally felt the new Bill was a good thing, whilst organisations that represent data subjects generally felt it was not. This aligns with comments made here a while ago.
  • The largest savings, according to the government’s own impact assessment, are likely to come from not having to comply with as many subject access requests, and moving to an ‘opt out’ cookie consent model. There is more to this, and you can see the evidence on page 146 of https://publications.parliament.uk/pa/bills/cbill/58-03/0265/DataProtectionandDigitalInformationBillImpactAssessment.pdf
  • It was noted that 70% of households had registered with the Telephone Preference Service.
  • The DMA (Direct Marketing Association) recognises three categories of data subjects – data unconcerned, data pragmatists, and data fundamentalists. Whilst we would not necessarily agree with their terminology, these categories might be helpful in understanding the risks to different audiences.

The Committee Stage is set to be completed in May, at which time we should have a clearer picture of the shape of the final Bill. One comforting point that was stated is that organisations that are compliant with the current UK GDPR should generally be compliant under the new Bill.