The second iteration of a set of proposals to reform the UK GDPR has been published: the Data Protection and Digital Information (No.2) Bill.

United Kingdom Flag Pictures | Download Free Images on Unsplash

Based on this publication there are a couple of interesting findings: 

  • The fundamental principles of the current UK GDPR, the obligations of controllers and processors, the data subject rights, and the wider constitutional and regulatory environment for privacy would remain unaffected by the proposals.  
  • There are targeted changes that reflect back on the experience of the GDPR so far, and are proposed in pursuit of the government’s policy objective to reduce compliance costs by introducing a more ‘common-sense-led’ version of the GDPR.  
  • There are targeted changes being made to current law. These changes may provide businesses more flexibility, and empowerment of future rule-making or guidance-issuing. 
  • Organizations that are compliant with the current UK GDPR will not be obliged to make changes to comply with the proposed UK GDPR. Although the proposed reforms will offer organizations the opportunity to make use of new compliance efficiencies. It is not to be expected that there will be conflicting requirements between the two versions. 


Some new proposals in the second iteration of the Bill include: 

  • That it is proposed to include a list of activities that may be regarded as in a controller’s legitimate interest to process data, although controllers are still required to ensure their interests are not outweighed by the data subject’s rights. It also clarified that any legitimate commercial activity can fall under the legitimate interest lawful processing ground, in case the processing is necessary and the balancing test is carried out. 
  • The proposal also contains a list of illustrative and non-exhaustive type of scientific research, that were previously to be found in the recitals and now moved to the operative parts of the UK GDPR, e.g. innovative research into technological development or applied or fundamental research. It also clarifies that research into public health only falls under scientific research if it is in the public interest, and it exempts controllers to provide notice where personal data has been collected directly from the data subject in certain instances. 
  • Regarding international data transfer mechanisms, there are alternatives proposed. 
  • The proposals also include a requirement to maintain a records of processing activities in case of processing activities that are likely to result in a high risk to the rights and freedoms of data subjects, so also for organizations with fewer than 250 employed people. 
  • The proposals create an obligation on providers of public electronic communication services and networks to report suspicious activity relating to unlawful direct marketing to the ICO. It is expected that there will be guidance published on what constitutes reasonable suspicion.


At DPO Consultancy we will keep monitoring any new developments regarding the UK GDPR. Do you want to learn more about the consequences of these proposals for your organization? Then contact us DPO Consultancy, experts in data privacy via: