UK Data Protection and Digital Information Bill Introduced
The UK government introduced the Data Protection and Digital Information Bill, proposing targeted reforms to UK GDPR accountability, international transfers, and digital identity governance that demand refreshed privacy controls and testing.
On 18 July 2022 the UK government laid the Data Protection and Digital Information Bill before Parliament. The 240-page Bill proposes targeted reforms to the UK GDPR, Data Protection Act 2018 (DPA 2018), and Privacy and Electronic Communications Regulations (PECR), alongside new governance for trusted digital identity services and data sharing for public services. Ministers frame the package as a way to reduce administrative burdens while preserving the EU’s adequacy decision. Privacy, risk, marketing, and digital identity teams must now evaluate how the draft provisions would reshape accountability artifacts, legitimate interest assessments, international transfer documentation, and consent management workflows.
The Bill retains core UK GDPR principles—lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability—but amends the way teams evidence compliance.
It introduces a concept of “recognized legitimate interests” enabling certain processing without balancing tests, gives controllers discretion to determine whether to conduct “assessments of high-risk processing” instead of prescriptive DPIAs, and replaces mandatory Data Protection Officers with a “senior responsible individual” (SRI) for most organizations. It also revises PECR rules to permit analytics cookies without consent in more scenarios, expands smart data schemes, and sets the foundation for government-issued identity attributes.
Accountability reforms
While the government positions the Bill as reducing paperwork, the accountability changes require careful redesign of privacy management frameworks:
- Senior responsible individual. Most controllers currently required to appoint a Data Protection Officer must instead designate an SRI from the organization’s senior management. Unlike DPOs, SRIs may have other responsibilities but remain accountable for oversight of processing, risk mitigation, and cooperation with the ICO. Teams must update governance charters, reporting lines, and conflicts-of-interest controls to reflect the new model.
- Privacy management programs. Article 24 of the amended UK GDPR requires controllers and processors to implement a “privacy management program” proportionate to the organization’s size and processing activities. Expected components include policies, roles, risk assessments, training, and continuous improvement cycles. This codifies what many teams already maintain but gives the ICO explicit authority to assess program maturity.
- High-risk assessment flexibility. The Bill removes the explicit DPIA requirement and instead asks controllers to assess high-risk processing using their privacy management program. Teams must define risk methodologies that still capture threats to individuals, integrate security and ethics reviews, and document decisions for accountability.
- Record-keeping thresholds. Controllers no longer need Article 30 records of processing if they have fewer than 250 employees unless processing is likely to result in high risk, involves special categories, or is frequent. Larger enterprises should maintain RoPA artifacts to show accountability, but may simplify content.
Lawful basis and individual rights
The Bill introduces a schedule of “recognized legitimate interests” covering public interest communications, national security, crime prevention, democratic engagement, and certain business-to-business marketing. For these activities, controllers need not perform a legitimate interest balancing test. Your compliance team should evaluate whether relying on the schedule aligns with customer expectations and sector codes of conduct, particularly where EU operations remain subject to the stricter test.
Subject access requests may be refused or charged a reasonable fee when they are “vexatious or excessive,” broadening the previous “manifestly unfounded or excessive” standard. Controllers must establish policies defining criteria for vexatious requests, maintain audit trails, and ensure staff are trained to recognize legitimate requests. The timeframe for responding remains one month, with a possible extension of two months for complex cases.
The Bill also modifies the definition of “scientific research” to help data use in R&D, clarifies that automated decision-making restrictions only apply when there is a “significant effect,” and aligns child’s consent age for information society services at 13 years. Teams should reassess profiling controls, human review triggers, and privacy notices to ensure they accurately reflect proposed changes.
International transfers and adequacy
To maintain EU adequacy while enabling more agile transfers, the Bill introduces a “data protection test” (DPT) for adequacy-style decisions. The Secretary of State may recognize third countries, territories, or international organizations if they ensure a level of protection that is “not materially lower” than UK standards. Controllers conducting their own transfer risk assessments may rely on similar thresholds, reducing formality compared with the current EU standard but still requiring documented analysis of legal frameworks, enforcement, and redress mechanisms.
Privacy teams must therefore refresh transfer impact assessments, update standard contractual clauses (SCCs) to the UK International Data Transfer Agreement (IDTA) or addenda, and monitor adequacy decisions for divergence from EU lists. Teams operating across the EEA and UK should maintain dual-track assessments to satisfy both regimes.
Digital identity and public sector data sharing
Part 2 of the Bill sets up a trust framework for digital verification services. Providers seeking certification must meet security, privacy, and integrity requirements set by the Secretary of State, with oversight from the Office for Digital Identities and Attributes (ODIA). Businesses planning to rely on government-backed identity credentials should prepare for accreditation processes, interoperability testing, and liability apportionment when identity assertions fail.
The Bill also expands data-sharing gateways for public sector bodies, including better use of civil registration data and simplified mechanisms for combating fraud. Private-sector organizations collaborating with government programs must ensure data sharing agreements account for new legal gateways, retention schedules, and audit obligations.
Outcome testing and assurance considerations
Even if the Bill reduces formal documentation, the ICO expects teams to evidence effectiveness. Privacy leaders should improve testing and assurance mechanisms:
- Program effectiveness reviews. Conduct annual internal audits of the privacy management program, measuring policy adoption, incident response times, training completion, and risk treatment closure rates.
- Rights handling drills. Perform tabletop exercises simulating vexatious subject access requests, complaints to the ICO, and cross-border transfer queries. Document decision rationale and ensure SRI sign-off.
- Cookie consent testing. Monitor analytics and marketing deployments to verify that PECR exemptions are applied correctly, banners remain transparent, and user preferences are honored across devices.
- Transfer resilience checks. Validate technical and organizational safeguards for international transfers, including encryption key management, access controls, and vendor oversight.
Interdependencies with other reforms
The Bill sits alongside the UK’s Online Safety Bill, forthcoming AI white paper, and sectoral initiatives like the Financial Conduct Authority’s data strategy. Teams should coordinate responses to ensure consistent governance of automated decision-making, children’s data, and transparency obligations. Multinationals must also prepare for divergence from EU GDPR interpretations, particularly in adtech, employee monitoring, and scientific research contexts. Maintaining EU-standard controls may be prudent to avoid fragmentation and preserve adequacy status.
Follow-up actions
The Bill will proceed through second reading, committee scrutiny, and potential amendments. Political changes have already delayed progress, and the government signaled in autumn 2022 that it would refine the draft before resubmitting in 2023. Nevertheless, teams should treat the July 2022 text as a strong indicator of policy direction. Recommended roadmap:
- 0–3 months: Map proposed changes to existing accountability artifacts, identify where EU requirements are stricter, and brief executive sponsors on governance adjustments.
- 3–6 months: Prototype privacy management program metrics dashboards, update subject rights playbooks, and rehearse SRI reporting to the board or risk committee.
- 6–12 months: Align digital identity strategy with ODIA certification criteria, update vendor contracts for international transfers, and engage with industry consultations to influence secondary legislation.
By preparing now, UK and multinational teams can absorb the reforms without sacrificing data protection maturity or regulatory trust.