Navigating the new Bill and how the proposed changes outlined above can have several

implications for cybercrime in the UK

The bill introduces some important changes affecting cyber security, which businesses will need to consider should they come into effect as proposed; these are set out below.
Businesses should also be aware that the bill includes changes to the definition of personal data.

Records of processing
CHANGE: Businesses (whether controllers or processors) will only need to keep records of
processing where a processing activity is likely to result in a high risk to the rights and freedoms of
individuals, regardless of the size of their business (including the number of employees the business
has).
In practice, the requirement to create and maintain records of processing under the General Data
Protection Regulation (GDPR) has become something of an administrative burden for many
businesses, so this proposed change may well save some businesses time and costs.
POTENTIAL IMPACT: The reduction in the requirement for businesses to keep records of
processing may result in less documentation, potentially making it challenging to trace and investigate
cyber-attacks.
Example: If a cyber-attack occurs, investigators may find it more difficult to analyse and understand
the data processing activities that led to the security breach, because fewer comprehensive records will exist.

Removal of Data Protection Officers

CHANGE: Businesses will no longer need to appoint a Data Protection Officer (DPO); instead, if
they carry out high risk processing (or are a public authority), they will be required to designate a
"senior responsible individual" who will be accountable for data protection compliance.
While the day-to-day obligations of this role will not change dramatically, the individual must now be
part of the business's senior management, as opposed to the current position, where the DPO reports
to senior management but has to be independent of it. This flexibility is likely to be welcome news to
businesses.
POTENTIAL IMPACT: Without the mandatory appointment of Data Protection Officers, there
could be a shift in focus from independent oversight to internal management, affecting the vigilance
and response to potential cyber threats.
Example: A business without a designated Data Protection Officer may experience delays or
inefficiencies in responding to data breaches, making it easier for cybercriminals to exploit
vulnerabilities.

Removal of DPIAs
CHANGE: Businesses will no longer need to conduct data protection impact assessments (DPIAs).
Instead, they will need to implement an "assessment of high-risk processing".

This change aims to streamline data protection records by focusing a business's attention on how it
operates, and introducing appropriate measures depending on the type of data it processes: for
example, the bill removes the list of activities deemed to be high risk which was in the GDPR.
It remains to be seen whether this will amount to little more than a change of name in practice.
POTENTIAL IMPACT: The removal of Data Protection Impact Assessments (DPIAs) may lead to a
decrease in proactive risk assessments, making businesses more susceptible to cyber threats.
Example: Without a DPIA, a business might implement new data processing activities without a
thorough understanding of potential risks, making it easier for cybercriminals to exploit weaknesses in
the system.

Removal of need for a UK representative

CHANGE: Data controllers that are not established in the UK no longer need to appoint a data
protection representative within the UK.

POTENTIAL IMPACT: A potential reduction in localized oversight. This change may make it more
challenging for UK authorities to regulate and ensure compliance with data protection laws for
foreign entities. It could create gaps in monitoring and enforcement, potentially leading to increased
risks of data breaches and inadequate protection of individuals' privacy rights within the UK
jurisdiction.

Data subject access requests

The bill changes the test for refusing and charging for data subject access requests. If enacted, the
"manifestly unfounded and excessive" test would be replaced by a "vexatious and excessive" test.

The government proposes that the adoption of this new test will allow businesses greater autonomy in
refusing requests when the system is clearly being abused, although the devil will be in the detail as to
how the Information Commissioner's Office (ICO) interprets the new test.

Expanding use of cookies without consent

CHANGE: Currently, only "strictly necessary" cookies may be used without consent. The bill
expands the categories of cookies that may be dropped without consent, including cookies collecting
data for purposes such as statistical analysis and improvement of the service or website; however,
users would still need to be given comprehensive information, and an opportunity to opt out.
POTENTIAL IMPACT: The expanded use of cookies without explicit consent may increase the
collection of user data, potentially leading to privacy concerns and an elevated risk of unauthorized
access or data breaches.
Example: Cybercriminals could exploit the broader use of cookies to gather more information about
users, increasing the likelihood of successful phishing attacks or targeted cyber-attacks.

Legitimate interests
CHANGE: In its operative provisions, the bill now includes examples of the types of processing that
may be considered necessary for the purposes of a legitimate interest. These include processing for
direct marketing purposes, intra-group transmission of personal data for internal administration
purposes, and processing which is necessary to ensure the security of network and information
systems.
However, these are only examples and, unlike the new concept of "recognised legitimate interests"
(below), a controller will still be required to ensure its interests are not outweighed by the data
subject's rights and interests.
'Recognised legitimate interests'
CHANGE: The bill introduces a limited number of "recognised legitimate interests". This means that,
provided a business can demonstrate that processing is "necessary" for one of the recognised
legitimate interests, that business will no longer be required to balance its legitimate interest against
the data subject's interests, rights and freedoms.
Currently, the list of recognised legitimate interests is limited to areas including processing necessary
in the public interest; national security, public security and defence; emergencies; safeguarding
vulnerable individuals; and democratic engagement. The bill enables the Secretary of State to add new
categories.
POTENTIAL IMPACT: The changes to legitimate interests may impact the balance between
business interests and data subject rights, potentially affecting the privacy and security landscape.
Example: If a business can claim a recognized legitimate interest for certain data processing activities,
it may reduce the checks and balances that could prevent malicious use or abuse of personal data.

Changes to international transfers

CHANGE: A risk-based approach to the international transfer of personal data is introduced, meaning
that organisations would be able to assess the data protection risks involved in using mechanisms such
as the ICO's international data transfer agreement (IDTA) or Addendum for those transfers, and then
decide on appropriate mitigation measures.
The bill also confirms that data transfer mechanisms lawfully entered into before it comes into force
will continue to be valid afterwards.
Using the same risk-based approach, the Department for Science, Innovation & Technology would be
able to make future UK adequacy decisions; however, this approach is different to that required for
adequacy decisions under the GDPR. The requirement under the bill is a "not materially lower"
standard of protection in the recipient country, whereas under the GDPR it is an adequate level of
protection, interpreted as "essentially equivalent".

POTENTIAL IMPACT: A risk-based approach to international data transfers may result in varying
levels of data protection, potentially impacting the security of transferred data.
Example: Businesses might choose less secure mechanisms for international data transfers to cut
costs, making it easier for cybercriminals to intercept or compromise sensitive information during
transit.

Automated decision-making
CHANGE: The bill reframes the provisions on automated decision-making to be a requirement for
safeguards to be in place, rather than a prohibition with exceptions. More stringent provisions apply
where an automated decision is based entirely or partly on special categories of personal data.
The Secretary of State may also make secondary regulations providing for cases where there is, or is
not, to be taken to be meaningful human involvement in decision-making (meaningful human
involvement being required to prevent processing from constituting automated decision-making).
POTENTIAL IMPACT: The shift from a prohibition to a requirement for safeguards in automated
decision-making may affect the fairness and transparency of such processes, potentially leading to
unintended consequences.
Example: If safeguards are not effectively implemented, automated decision-making systems may
become susceptible to manipulation by cybercriminals, leading to biased or harmful outcomes.

Scientific Research
CHANGE: The existing exceptions which apply for processing for the purposes of scientific research
have been amended to make clear that they cover any research that can reasonably be described as
scientific, whether publicly or privately funded, and whether carried out as a commercial or
non-commercial activity.
POTENTIAL IMPACT: While this change facilitates a wider scope for research, it also raises
concerns about potential risks associated with the handling and protection of sensitive data, requiring
a heightened focus on cybersecurity measures to safeguard against potential threats and unauthorized
access to research data.
Example: With the expanded scope of scientific research exceptions, a private company conducting
commercially funded research in the field of artificial intelligence may now be covered under these
exceptions. While this change encourages innovation and collaboration between public and private
entities, it also introduces new cybersecurity challenges.

ICO restructure and new identity

CHANGE: The ICO's name will change to the Information Commission. The Information
Commission will act as an independent body corporate, with new reporting obligations to the
government.
The Secretary of State will have greater oversight over the Information Commission, which means the
government has the potential to influence guidance and codes of conduct.
POTENTIAL IMPACT: This shift could lead to even greater government influence on cybersecurity
guidance and codes of conduct. The government's enhanced role may further shape the direction of
regulatory decisions, potentially impacting the focus, priorities, and approach to addressing UK
businesses' cybersecurity issues.
Example: The increased influence of the Secretary of State could potentially lead the Commission to
prioritise recommendations aligned with government objectives, as opposed to the objectives of the
public and of smaller businesses, thereby creating a potential divergence from impartial cybersecurity
regulation.
Changes to PECR
CHANGE: The bill increases the maximum amount of fines under The Privacy and Electronic
Communications (EC Directive) Regulations 2003 (PECR) to be brought in line with the UK GDPR
and Data Protection Act 2018, enabling the ICO to issue fines of up to £17.5 million or 4% of a
business's global turnover for breaches of certain regulations under PECR, and up to £8.7 million or
2% of a business's global turnover for other breaches of PECR.
Providers of public electronic communications services will have an obligation to notify the ICO if
they have reasonable grounds for suspecting that their users have contravened the direct marketing
rules.
POTENTIAL IMPACT: Increased fines under PECR aligning with the UK GDPR and Data
Protection Act may serve as a stronger deterrent for non-compliance, potentially reducing certain
types of cybercrimes.
Example: The higher fines may encourage electronic communication service providers to invest more
in cybersecurity measures to avoid significant financial penalties, making it more challenging for
cybercriminals to exploit vulnerabilities in communication systems.