Data protection and digital information bill 2024 – some of the changes

·        The Information Commissioner’s Office (ICO) will change to the  “Information Commission” which will be a corporate body with a chief executive. 


·        Proposed changes to the definition of Personal Data which will limit the assessment of identifiability of data to the controller or processor, and persons who are likely to receive the information, rather than anyone in the world.


·        Create a clearer legal basis for political parties and elected representatives to process personal data for the purposes of democratic engagement. 


·        Cookies will be allowed to be used without consent for the purposes of web analytics and to install automatic software updates.   Also, non-commercial organisations e.g. charities and political parties, will be able to rely on the soft opt in for direct marketing purposes, if they have obtained contact details from an individual expressing interest.


·        Data protection impact assessments (DPIAs) will be replaced by less prescriptive “Assessments of High-Risk Processing.”  


·        The obligation for some controllers and processors to appoint a data protection officer (DPO) will be removed. However, public bodies and those who carry out processing likely to result in a “high risk” to individuals will be required to designate a senior manager as a “Senior Responsible Individual”.  


·        Right of data subjects to access their records:

o   terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, will be replaced with “vexatious” or “excessive” requests.

o   data controllers may only be obliged to undertake a reasonable and proportionate search for information request under the right of access.  


·        Reform the way births and deaths are registered in England and Wales, enabling the move from a paper-based system to registration in an electronic register.