New UK GDPR proposals released

9 March 2023

The Department for Science, Innovation and Technology has this week released proposals to reform the UK GDPR [General Data Protection Regulation]. The Data Protection and Digital Information (No. 2) Bill was introduced to the House of Commons on 8 March 2023 and will regulate the processing of information relating to identified or identifiable living individuals, as well as reforming the Information Commissioner’s Office.

These changes will be of particular interest to New Zealand businesses carrying on business in the UK. 


With the recent succession of UK prime ministers and cabinets, the first iteration of UK privacy reform, the Data Protection and Digital Information Bill, was shelved last year. 

Following the demise of the Bill, Secretary of State for Science, Innovation and Technology, Michelle Donelan, commented in October 2022, “we will be replacing GDPR with our own business and consumer-friendly, British data protection system… we will co-design with business a new system of data protection. We will look to those countries who achieve data adequacy without having GDPR, like Israel, Japan, South Korea, Canada and New Zealand.”1 

Data Protection and Digital Information (No. 2) Bill

The Data Protection and Digital Information (No. 2) Bill (Bill) is intended to update and simplify the UK’s data protection framework.  On its introduction to the House of Commons, Michelle Donelan stated:2

Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR. Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.

Some of the proposed reforms include:3

  • Changing the time limits for responding to requests from data subjects – requests must be responded to within one month, however, the data controller may extend the time period by two further months where the complexity of the request, or the number of such requests, requires an extension.
  • A data controller may charge a reasonable fee for or refuse to act on a request which is “vexatious or excessive”. This replaces the previous provision to refuse or charge a reasonable fee for “manifestly unfounded or excessive” requests.
  • Establishing a regulatory framework for the provision of digital verification services in the UK to enable public authorities to disclose personal information to trusted digital verification service providers for the purpose of identity and eligibility verification.
  • Improving data portability between suppliers, service providers, customers, and relevant third parties. Data portability (known as Smart Data schemes in the UK) is the secure sharing of customer data, upon the customer’s request, with authorised third-party providers.
  • Introducing new requirements on record-keeping. The data controller must maintain appropriate records of processing of personal data carried out by or on behalf of the controller. A controller or processor is exempt from the duty to keep records, unless they are carrying out high-risk processing activities.

The Bill also contains provisions to reform the regulator, the Information Commissioner. This is a key reform and will first establish the Information Commission as a body corporate, to replace the existing regulator, the Information Commissioner, which is currently structured as a corporation sole. Other reforms include changes to the Commission’s governance structure, duties, enforcement powers, reporting requirements, data protection complaints processes and its development of statutory codes of practice. 

The Information Commissioner, John Edwards (who was also the former New Zealand Privacy Commissioner), commented, “I welcome the reintroduction of the Data Protection and Digital Information Bill and support its ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights… The Bill will ensure my office can continue to operate as a trusted, fair and independent regulator.”4


The above changes will be of note to New Zealand businesses that carry on business in the UK. These businesses should prepare for upcoming changes.

The Bill also comes at a time when other jurisdictions are also reconsidering their privacy regulations. 

New Zealand’s Privacy Act 2020 gave greater powers to the Office of the Privacy Commissioner, similar to the reform proposed to the UK Information Commissioner. This potentially reflects the UK Government’s desire to emulate New Zealand privacy laws, as referenced in Michelle Donelan’s October 2022 speech, cited above. 

The Australian Government has also recently released a long-awaited report detailing their review of the Privacy Act 1988, as shared in a previous Bell Gully publication here

It will be interesting to see how the Bill progresses through the House of Commons and House of Lords, and whether any further amendments are made that are inspired by the privacy landscape in New Zealand and Australia.

If you have any questions or require any other guidance, please contact our team or your usual Bell Gully adviser.

1 Our plan for digital infrastructure, culture, media and sport ( British Businesses to Save Billions Under New UK Version of GDPR - GOV.UK ( Data Protection and Digital Information (No. 2) Bill - Parliamentary Bills - UK Parliament4 ICO statement on re-introduction of Data Protection and Digital Information Bill | ICO

Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.