On 30 May 2023, the Information Commissioner (ICO) published its opinion on the Data Protection and Digital Information (No.2) Bill. The ICO is an independent institution that enforces data protection regulations. The Bill would amend the provisions of the UK Data Protection Regulation concerning the obligations of entities to safeguard the personal data they store. In particular, the Bill would require entities to adopt “appropriate measures, including technical and organisational measures”, to ensure the security of the data and comply with the data protection by design requirements. The ICO supports adopting a more adaptable and balanced method for demonstrating accountability, noting that while organisations will still be held accountable, they are now empowered to demonstrate accountability in ways that suit their specific needs rather than being bound by a uniform approach. The Government aims to implement a risk-based strategy and outline prescriptive requirements for organisations engaging in high-risk processing. To enhance clarity and certainty, the ICO suggests including further legislative details regarding the definition of high-risk processing. Additionally, the ICO stressed that a more precise definition of what constitutes "appropriate measures", beyond the scope of "technical and organisational measures", should be provided.