Lauren Wills-Dixon quoted by IT Pro on DPDI Bill | Gordons
Tuesday 12th September 2023
Lauren Wills-Dixon, a solicitor and data privacy expert, has been quoted by IT Pro discussing the Data Protection and Digital Information (No.2) (DPDI) Bill and its potential impacts on small businesses.
A shift in the UK’s approach to data protection is underway, with the finished product potentially representing a benefit for small and medium-sized businesses (SMBs) who undertake limited data processing activities.
Discussing how the changes in the DPDI Bill could impact SMBs specifically, Lauren said: “The key purpose of the new legislation is to promote innovation, in part, by helping introduce regulatory certainty for businesses.
“Consequently, this will aim to remove ‘red tape’ which comes with the legacy GDPR for organisations who do not undertake any high-risk processing activities but carry the regulatory burden of complex, costly internal and external facing documentation.
“In reality, as the government has previously stated, organisations that are GDPR compliant will automatically be compliant with the proposed new legislation.
“There may be some nuances to the proposed UK data protection laws, for example, Section 14 of the Bill removes the requirement for a data protection officer instead of a ‘senior responsible individual’ with a slightly different function. However, it is difficult to envisage organisations overhauling their current regimes, particularly when so much time, energy and cost was invested when GDPR was introduced.”
Lauren also states that: “One area where there could be an impact is for organisations who are operating in both the UK and the EU. These will be dual regulated by the UK regime and the EU GDPR which could add some complications and complexities to their privacy and governance frameworks. Yet this is another reason not to completely overhaul data privacy compliance functions.”
Looking at the potential benefits and downsides to the new regulations versus the status quo, Lauren said: “Taking a more risk-based approach to compliance feels overwhelmingly sensible.
“However, the proposed removal of certain document-heavy requirements imposed by the EU GDPR, such as completing long-form Data Protection Impact Assessments (DPIAs) or a Record of Processing Activities, could dilute values embedded into organisations regarding people’s privacy.”
Using DPIAs as an example, Lauren added: “DPIAs can be time-consuming, but they also show that an organisation has both identified a lawful basis for processing and fully considered the effects a project or relationship has on individual privacy rights whilst obtaining sign off from a data protection officer and those who ‘own’ a project.”
Offering advice to SMBs on what they can be doing to prepare ahead of the new regulations coming into force, Lauren noted: “Until the new legislation is passed, organisations are still under an obligation to comply with the Data Protection Act 2018 and the UK GDPR.
“The Bill is currently progressing through the Commons and is in its report stage. As there will be a third reading before the Bill progresses through the House of Lords, organisations should not rush to make any changes until legal obligations are clear and finalised.
“In the meantime, it is useful for senior management teams to note and consider how things like changes to the DPO function and lighter record keeping requirements would affect their organisation’s structure and affect their current allocation of roles and responsibilities.”
You can read Lauren’s comments on IT Pro here.