The UK’s latest Data Protection and Digital Information (No. 2) Bill was introduced to Parliament on March 8, 2023. The Bill, which will retain the “UK GDPR” title if it is passed, proposes numerous reforms to current privacy legislation in the UK.

This is the second time the Bill has been introduced to Parliament. The first was in July, 2022 but was put on hold in September.

According to the government’s press release, the latest iteration of the Bill aims to “introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement.” It claims the revised bill offers businesses more flexibility about how they comply with the new law while maintaining ‘data adequacy’ with the EU.

However, there is opposition to some aspects of the new legislation and over 25 civil society groups have already submitted an open letter to the country’s secretary of state for science, innovation and technology, Michelle Donelan, to express their concerns. Among these are provisions that permit organizations to refuse a subject access request in some circumstances and individuals’ rights not be subjected to solely automated decision-making, as well as extensions to the ‘legitimate’ grounds for processing of data.

Further challenges may lie ahead for businesses that opt to modify their processes in line with the new Bill, in ways that don’t align with other global privacy legislation, not least EU GDPR. More specifically, in withdrawing the requirement for some organizations to maintain a Record of Processing Activities, which is mandated by the EU regulation and requires organizations to understand the data they process, where it resides and how it is used.

Among the more significant changes introduced, the Bill:

  • Modifies the definition of personal data stating that an individual is ‘identifiable’ only if the means to identify them are available to the controller, processor or others likely to receive the data.
  • Requires a Record of Processing Activities only where processing activities are likely to result in “high risks to the rights and freedoms of data subjects.”
  • Removes the requirement for organizations to conduct Data Protection Impact Assessments (DPIA), instead they’ll need to implement as assessment, but won’t need to follow specific DPIA templates.
  • Supports existing data transfer mechanisms for sharing personal data overseas, while enabling new agreements to be established in line with the UK’s own ‘data adequacy’ requirements.
  • Increases penalties for nuisance calls and texts currently defined in the UK’s Privacy and Electronic Communications Regulations (PECR) to the greater of 4% of global turnover or £17.5m.
  • Reforms the Information Commissioner’s Office (ICO), replacing it with a new Information Commission that will have reporting obligations to the government.


Ground Labs’ Enterprise Recon supports compliance with global privacy and data protection regulation. To find out more and to book a demo, visit

Want to keep up with all our blog posts? Subscribe to our newsletter!