The Data Protection Act (2018)
- Oluwafemi Adesogbon
- Dec 5, 2024
- 6 min read
Updated: Jan 18

Introduction
The Data Protection Act (DPA) 2018 became effective on May 25, 2018, with the aim of enhancing user privacy for UK citizens. The DPA was structured to work in tandem with the GDPR (General Data Protection Regulation) to ensure that UK and EU entities could function smoothly after the UK left the EU. The DPA builds on existing frameworks to ensure that personal information is collected, used, and disclosed in a transparent and secure manner.
Understanding the Data Protection Act 2018: Purpose and Key Features
The Data Protection Act 2018 is a UK law that sets out how personal data must be collected, handled and stored to protect people’s privacy. It also gives individuals the right to know what personal data is held about them and to have that data erased in certain circumstances. The Act replaced the Data Protection Act 1998 and introduced stricter requirements to reflect technological advancements and modern privacy concerns. It applies to data stored electronically and in manual filing systems, provided the data forms part of a structured record. The Information Commissioner’s Office (ICO) oversees the Act’s implementation and enforces compliance.
The DPA empowers UK residents (consumers) by outlining their rights to data privacy and protection. It also provides clarity on how data protection reforms operate following the UK's departure from the EU, aided by an approved adequacy decision. The Act adapts GDPR principles for the UK context, introducing specific conditions for processing sensitive data and exemptions unique to the UK. It also enforces the Law Enforcement Directive (LED) regime for competent authorities processing data for law enforcement purposes.
Additionally, the Act extends GDPR standards to areas not covered by GDPR or LED, such as a specific data protection regime for intelligence services based on Convention 108, a modernised European framework for personal data protection.
The Data Protection Act (2018) also defines two key roles:
Data Controllers – those who determine how and why personal data is processed.
Data Subjects – individuals whose personal data is being processed.

Persons Subject to the Data Protection Act
The DPA 2018 applies to the following businesses and organizations:
Material Scope: The DPA 2018 and UK GDPR apply to all forms of personal data processing within the UK, regardless of the location of the data subject. Processing for purely personal or household purposes is excluded.
Territorial Scope: The Act applies to UK-based businesses and organisations processing personal data, regardless of where the processing occurs. It also applies to non-UK entities offering goods or services to UK residents or monitoring their behavior.
This means that companies and organizations headquartered outside the UK but offering products or services to individuals within the UK still need to abide by the DPA 2018. A company or organization headquartered outside the UK that tracks the online activity of UK citizens or gathers their personal information is likewise subject to the DPA 2018.
Website owners should update their privacy policies on a regular basis, because the regulations and guidance governing the DPA 2018 are continually changing.
Exemptions from the Act
There are several different exemptions, and these are detailed in Schedules 2-4 of the DPA 2018. They add to and complement a number of exceptions already built into certain UK GDPR provisions. The exemptions in the DPA 2018 can relieve you of some of your obligations for things such as:
the right to be informed;
the right of access;
dealing with other individual rights;
reporting personal data breaches; and
complying with the principles.
Some things are not listed here as exemptions, although in practice they work a bit like an exemption. This is simply because they are not covered by the UK GDPR. Here are some examples:
Domestic purposes – Personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the DPA’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the DPA.
Law enforcement – The processing of personal data by competent authorities for law enforcement purposes is outside the DPA’s general scope (e.g., the Police investigating a crime). Instead, this type of processing is subject to the rules in Part 3 of the DPA 2018.
Intelligence services processing – Personal data processed by the intelligence services (e.g., MI5) and their processors is outside the DPA’s general scope. Instead, this type of processing is subject to the rules in Part 4 of the DPA 2018.
Important differences between the DPA 2018 and the EU GDPR
The Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR) are closely related frameworks designed to safeguard personal data and privacy. The DPA 2018 tailors GDPR principles to align with the UK's legal and societal context post-Brexit, providing additional provisions for law enforcement, national security, and other specific areas.
Understanding the differences between the two is crucial, as they affect how organizations handle data protection compliance depending on whether they operate in the UK or the EU. Recognizing these distinctions ensures adherence to the correct legal standards and avoids penalties for non-compliance. Some of these key distinctions include:
● EU GDPR: A child can consent to data processing at age 16.
● DPA 2018: A child can consent at age 13.
● EU GDPR: Processors of criminal data must have official authority.
● DPA 2018: Processors of criminal data do not require official authority.
● EU GDPR: Data subjects have rights to refuse automated decision making or profiling.
● DPA 2018: Permits automated profiling subject to legitimate grounds for doing so.
● EU GDPR: Enhances data subjects' rights relating to how their personal data is processed.
● DPA 2018: Data subject rights can be waived if they significantly inhibit an organisation’s legitimate need to process data for scientific, historical, statistical and archiving purposes.
● EU GDPR: Many non-EU data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in the EU.
● DPA 2018: Many non-UK data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the UK must appoint a representative in the UK.
● EU GDPR: The maximum fine for non-compliance is €20 million or 4% of annual global turnover.
● DPA 2018: The maximum fine for non-compliance is £17.5 million.
Principles of the Data Protection Act
The seven principles underpinning the DPA are identical to those of the UK GDPR:
Lawfulness, fairness, and transparency: Data must be processed lawfully and transparently.
Purpose limitation: Data must be collected for specific purposes.
Data minimization: Only necessary data should be processed.
Accuracy: Data must be accurate and up to date.
Storage limitation: Data should not be kept longer than necessary.
Integrity and confidentiality: Data must be processed securely.
Accountability: Organizations must demonstrate compliance with data protection laws.
Authority Backing the Data Protection Act
The Information Commissioner's Office (ICO) is the authority in charge of the UK's Data Protection Act. It positions itself as a friendly and helpful body whose main responsibility is to assist companies in adhering to the law. However, for UK GDPR or DPA 2018 violations, the ICO may impose a maximum penalty of £17.5 million or 4% of yearly worldwide turnover, whichever is higher.
Functions of the ICO
The ICO performs the following functions:
● Monitors compliance with data privacy laws including the DPA 2018 and the UK GDPR;
● Conducts audits and advisory visits;
● Receives and investigates complaints about breaches of the DPA 2018 or the UK GDPR;
● Offers advice and guidance on protecting and managing information;
● Enforces data privacy regulations, including issuing fines.
Additionally, the ICO collaborates with data protection agencies abroad, such as the European Data Protection Board, which is composed of representatives from each EU member state's data protection authorities.
Challenges Posed by the Act
The DPA rules give rise to the following difficulties, which organizations are now facing:
● For the DPA to be implemented smoothly, companies need a complete "data footprint", an inventory of what personal data they hold and where.
● Data mapping and inventory management must often be done by hand in order to comply with DPA regulations, which include confirming and completing data subject requests (DSRs) within the allotted time frame or risking regulatory penalties.
● Putting data minimization under the DPA into practice.
● Inability to remove data, even though the DPA requires that data be deleted when the legal basis for processing ends.
● Companies do not have a way to verify that data has been permanently erased.
Conclusion
The Data Protection Act 2018 forms the backbone of UK data privacy law. It integrates GDPR principles while addressing unique UK-specific needs, promoting transparency, security, and accountability in personal data processing. By emphasizing privacy and ethical data handling, the Act fosters trust in a digital society. The Act establishes the framework to be followed and thus allows one to focus not just on the protection of privacy but also on fulfilling operational requirements, ensuring security as well as the right to freedom of speech. It is not simply a matter of legal compliance, but of an ethical responsibility to the trust placed in the digital society. As data protection becomes central to professional life, adherence to such principles will remain a cornerstone of organizational responsibility.