Editorial

The Data Protection and Digital Information Bill: A Guide for UK businesses

Michael Paye, VP of research and development at Netwrix, discusses what UK companies can expect from the proposed Data Protection and Digital Information Bill, and outlines the key considerations for preparing effectively for passage of the legislation.

Posted 26 October 2022 by Christine Horton

Introduced in the House of Commons in July 2022, the Data Protection and Digital Information Bill (formerly known as the Data Reform Bill) was scheduled to have its second reading in the House following the recent election of Liz Truss as new Conservative Party Leader and UK prime minister. However, the government recently announced that it has been paused to allow Ministers further time to consider. In the meantime, what do we know about the bill as it stands, and how can British businesses prepare?

The government has previously stated that the bill is “intended to update and simplify the UK’s data protection framework to reduce burdens on organisations while maintaining high data protection standards.” Amongst other stated aims, the bill will “establish a framework for the provision of digital verification services to enable digital identities to be used with the same confidence as paper documents.”

Indeed, the bill outlines several changes to data and user tracking requirements that will require UK organisations to assess and likely modify their data privacy and security practices in order to minimise the risk of substantial reputational and financial consequences. One of the main challenges that will need to be explored further is the set of areas in which the bill does not naturally align with the EU’s GDPR legislation. UK organisations will also be wise to keep in mind that the process of updating controls and processes can expose or introduce weaknesses that threat actors will be eager to exploit; accordingly, they should proactively look for areas of possible vulnerability and take measures to mitigate or protect against those gaps during the transition.

This article details four key considerations for businesses looking to ensure a smooth and secure transition to meeting the standards of the Data Protection and Digital Information Bill.

First, it is vital for organisations to carefully assess the roles and responsibilities associated with compliance across the business. This includes not just IT and security teams but legal teams and other business personnel as well. The objective is to clearly define each role and its responsibilities to ensure that they are in alignment with the provisions of the Data Protection and Digital Information Bill. Doing so will enable a consistent and complete approach to new data processes throughout the organisation.

Second, organisations should quickly identify which data processing and management workflows will likely be impacted by the new regulation. Key stakeholders and senior management should then prioritise the necessary adjustments. Organisations should keep in mind that while their current processes may comply with the GDPR, they may not meet the requirements of the new Data Protection and Digital Information Bill. This new legislation presents an opportunity for organisations to identify and mitigate inefficiencies and security flaws. A data discovery and classification solution can help organisations to identify regulated data and make sure that it is managed appropriately and securely.

Third, organisations must assess whether their compliance practices are in line with the new regulation and revise them as necessary. Again, this is a good opportunity to assess the overall cybersecurity posture of the business and identify any gaps in defences. After all, the risks of a data breach are not limited to compliance penalties; the knock-on effects of a data breach can include lasting damage to customer trust, as well as many financial repercussions.

Last, businesses should prepare to respond to questions from their customers about the bill as it stands, including what they should expect and whether and how it will impact their services. As the bill progresses through parliament, businesses should consider preparing an official corporate statement regarding the legislation and make this readily available to internal teams and external customers and partners. This helps to ensure a consistent message throughout the business.

Overall, UK firms should not view the new Data Protection and Digital Information Bill as a hindrance, but as an opportunity to improve the management and security of their most critical data. Indeed, complying with the new regulation will enable businesses to improve data processes, enjoy efficiency benefits, gain a faster return on investments such as data discovery and classification solutions, and support senior management in making informed long-term technology decisions.

Michael Paye is VP of research and development at Netwrix.