Government releases supporting documents to Data Protection and Digital Information Bill (No.2)

Bethany Paliga
Bethany Paliga

Published: May 11th, 2023

7 min read

On 10 May 2023, the Government released supporting documents, outlining how the Data Protection and Digital Information Bill (No.2) (the Bill) proposes to amend the Data Protection Act 2018 (DPA), UK General Data Protection Regulation (UK GDPR) and Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The Bill, which was reintroduced into Parliament on 8 March 2023, is currently in its first reading. If approved and enacted, the Bill will introduce some key changes to the UK's current data protection regime, in a partial departure from the previous regime.

The Government's most recent update has prompted us to consider the effects of these changes across sectors, but predominantly the education and wider public sector.

Proposed departures from the existing data protection legislation

As currently drafted, the Bill arguably produces a more relaxed data protection regime, than what has previously been required under the EU General Data Protection Regulation. In effect, this should offer organisations a greater degree of certainty and flexibility in dealing with their data protection compliance.

The key departures proposed offer organisations the opportunity to consider their current level of compliance with the existing data protection legislation and begin to plan for what their compliance arrangements may need to look like moving forwards.

Subject Access Requests

The Bill intends to clarify the UK GDPR and DPA, by confirming that organisations, as controllers of personal data, can delay dealing with a Subject Access Request until they have confirmed the identity of the individual making the request. Whilst this isn't necessarily a departure from current known practices, it does give individual's clear indication of an organisations right to delay their responses for this purpose.

Vexatious and excessive requests

Similarly, the Bill introduces further guidance surrounding the factors organisations should consider when deciding if a request is 'vexatious' or not, alongside examples of the same, which are:

  • requests intended to cause distress;
  • requests not made in good faith; or
  • requests that are an abuse of process.

Arguably, many organisations will consider these welcome additions to the existing UK GDPR and DPA, as they will most likely generate greater confidence in decision making and provide greater support, in the event of complaints from individuals about the circumstances in which their requests may be refused.

Removal of the need to appoint a Data Protection Officer

Perhaps most significantly, the Bill intends to introduce a departure from the appointment of a 'Data Protection Officer' (DPO) in the existing UK GDPR and DPA, in favour of the appointment of a 'senior responsible individual.' This appointment will apply to both public sector bodies (such as local authorities and schools) and those who are considered to be involved with 'high risk' data processing.

The senior responsible individual should generally be one individual and be a member of an organisation's 'senior management.' For the purposes of the legislation, 'senior management' will be taken to mean "individuals who play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised." For schools, this will likely require their senior responsible individual to be a member of their senior leadership team, or above.

Whilst the responsibilities of a 'senior responsible individual' will largely reflect the existing role of any existing DPO, these departures will require all organisations to reflect on the suitability of their current arrangements.


Under the new regime, existing DPIAs are to be replaced by a perhaps more prescriptive, 'Assessment of high-risk processing.' The amendment appears to propose a more simplistic approach to conducting such assessments, covering the following areas:

a summary of the processing;

  • an assessment of whether the processing is necessary for those purposes,
  • an assessment of the risks to individual; and
  • a description of how the controller proposes to mitigate those risks.

This should support organisations in producing more consistent and structured assessments of anticipated processing risks and the factors they are required to consider, to satisfy their obligations to give due consideration to, and implement, appropriate safeguards to protect personal data.

Access to a full copy of the Bill's supporting documents, outlining the changes to the UK GDPR, DPA and PECR is available to view here:

What is the effect on organisations moving forwards?

Whilst the Bill proposes the introduction of some welcome clarification and guidance, it also poses important questions about how organisations, and in particular public sector organisations such as schools, delegate responsibility for data protection compliance moving forwards. For some, this will be a fairly straightforward task and involve making sure that those with data protection responsibility are of sufficient seniority. For others, this will be anticipation of moving their DPO role 'in-house' moving forwards. This will likely require organisations to invest in a sufficient degree of upskilling in the short to medium terms, to ensure those appointed in such a role have the experience required by the legislation.

At present, the Bill remains in the early stages of Parliamentary approval, though it is vital organisations remain aware of the potential effects of such proposals on their business operation, including anticipation of what training and support may be required to assist in making any necessary changes.

If you would like to discuss your current degree of data protection compliance and/ or your proposed arrangements moving forwards, we are more than happy to provide advice and support, alongside preparation and delivery of bespoke training packages, aimed at educating and supporting your organisation with data protection compliance. If you would like to discuss this with us further, please contact Bethany Paliga, Senior Associate and Accredited Data Protection Practitioner in our Governance, Procurement and Information team, via email at Bethany Paliga or via telephone on 01254 222347.

How can we help?

Complete the form opposite, let us know a few details, and one of our team will get back to you shortly. Or you can call us or request a callback.

0800 689 3206 - Monday - Friday: 09:00 - 17:00

Request a call back

© 2024 Forbes Solicitors is the trading name of Forbes Solicitors LLP Offices in Preston, Manchester, Salford, Blackburn, Blackpool, London and Leeds UK Main Office: Rutherford House, 4 Wellington Street (St Johns), Blackburn, Lancashire, BB1 8DD • Vat No: 174 394 344 Forbes Solicitors is authorised and regulated by the Solicitors Regulation Authority (SRA No. 816356). Details of the SRA’s Standards and Regulations can be found here. Authorised and regulated by the Financial Conduct Authority.

This website has implemented reCAPTCHA v3 and your use of reCAPTCHA v3 is subject to the Google Privacy Policy and Terms of Use.