Data Protection Act 2018 (original) (raw)

The Data Protection Act 2018 (DPA) is the main data protection law of the United Kingdom (UK). It brings the EU General Data Protection Regulation (GDPR) into UK law. Any business operating in the UK, whether it is from the UK, the EU, or any other country, should be familiar with the DPA and how the law impacts its day-to-day activities.

The DPA covers every aspect of the processing of personal data, from marketing communications to staff administration. It brings new powers and responsibilities to the UK's Data Protection Authority, the Information Commissioner's Office (ICO).

We're going to help you understand the DPA, consider its relevance to your business, and look at some practical ways you can abide by UK data protection law.

On this page

Many people in the UK are familiar with the DPA. Its predecessor legislation, the Data Protection Act 1998, was the primary source of data protection law in the UK for two decades.

However, perhaps even better known than the DPA is the EU law from which it derives - the GDPR. When it took effect in May 2018, the GDPR had such a transformative effect across the EU that many British people don't even realize that it has a UK equivalent.

The GDPR is the EU's main data protection law. The GDPR firmly establishes the EU as the strictest jurisdiction in the world when it comes to data protection and consumer privacy.

The DPA is the UK's version of the GDPR, and so it brings all its rules into the UK.

Under the GDPR, any business operating in the EU must:

The GDPR also requires certain actions from the governments and parliaments of EU countries. For example, EU countries must:

The GDPR is an EU regulation. Regulations are powerful legal instruments that, although created by the EU, take direct effect in each EU country.

Much of the GDPR is addressed directly to people living and working in the EU. Individual EU citizens can oblige national governments to enforce EU regulations even if they have not been entered into national law. To this extent, the DPA is not necessary.

However, the GDPR left some scope for EU countries to amend and adapt certain parts of the law via "implementing legislation." The DPA is one such piece of implementing legislation. Every EU country has one.

So, the DPA serves three main purposes:

  1. It formally brings the GDPR into UK law via the UK's national legislating process
  2. It amends and exempts certain parts of the GDPR as they apply to the UK
  3. It extends UK data protection law to certain areas that are not covered by the GDPR

Overview of the DPA

The DPA is split into seven parts. Not all of these are likely to be relevant to your company.

  1. Overview of the DPA
  2. Supplement to the GDPR and extension of the GDPR into new areas
  3. Law enforcement
  4. Intelligence services
  5. The Information Commissioner's Office (ICO)
  6. Enforcement of the DPA
  7. Other provisions

The DPA also contains twenty schedules which provide further detail about how the law should be applied.

A lot of the most useful information for businesses is contained in Parts 1 and 2 of the DPA.

The DPA does not contain the entire text of the GDPR, so reading the text directly requires some cross-referencing with the GDPR.

Definitions of Key Terms

The definitions of key terms in the DPA can mostly be assumed to be identical to the GDPR. However, some definitions are expressed slightly differently.

For example, the DPA defines "personal data" in Part 1:

Legislation Gov UK - DPA 2018 definitions of personal data and identifiable living individual

Personal data is any information relating to an identified or identifiable living individual.

This definition of personal data is somewhat more clear than that in the GDPR. The definition is equally broad, and so you should be aware that your company probably holds a lot of personal data.

Here's the DPA's definition of "processing", which sets out an organized list of examples:

Legislation Gov UK: DPA 2018 definition of processing

Processing means an operation or operations performed on information or information sets. Examples of operations are given, including collecting, storing, disclosing, using, altering and destroying.

Again, you can see how it's very likely that your business is processing information in the eyes of the DPA.

Requirements of the DPA

The DPA's main purpose is to make the GDPR officially binding on people and businesses in the UK. So the most important requirement under the DPA is to obey the GDPR.

Here are some of the most important requirements of the GDPR that must be met by businesses operating in the UK.

Apply the Principles of Data Processing

The principles of data processing form the backbone of data protection in the EU. These principles are set out in Article 5 of the GDPR.

The DPA applies these principles slightly differently when it comes to UK intelligence and immigration services. But these differences won't apply to most businesses in the UK.

The six principles state that personal data must be:

Here are three practical ways to implement these principles:

Respect Data Subject Rights

The GDPR provides individuals ("data subjects") with a strong set of rights over their personal data. Anyone who controls an individual's personal data (for example, an ecommerce store that stores customers' addresses, or the developer of an app which logs user activity) is required to facilitate these rights.

The DPA brings the GDPR's data subject rights directly into UK law. Again, there are exemptions (some of which are quite controversial) to these rights for intelligence and immigration services. These are on top of the exceptions and restrictions on the data subject rights already present in the GDPR at Article 23.

Most businesses will not be affected by the DPA's exemptions. You should be prepared to respond appropriately if a person approaches your business about their data subject rights.

Where you are processing an individual's personal data, that individual has the right to:

  1. Receive transparent information about your company's data processing practices
  2. Access a copy of their personal data
  3. Rectify their personal data if it is inaccurate
  4. Erase their personal data where appropriate
  5. Request that you restrict your processing of their personal data
  6. Request a portable copy of their personal data in an accessible format
  7. Object to your processing of their personal data
  8. Request human intervention if you make certain highly significant automated decisions about them using their personal data

If you receive a valid request then you must normally respond within one calendar month. Unless requests are "manifestly unfounded or excessive," you may not charge a fee.

Here are three practical ways to make it easier for you to facilitate these rights:

Determine Your Lawful Bases

The DPA and the GDPR only allow for the processing of personal data on one of six lawful bases. The lawful bases can be considered a set of legal justifications for processing a person's personal data.

The lawful bases are below. You may only process an individual's personal data if:

Every time you process an individual's personal data, you need to know and have a record of your lawful basis for doing so.

This isn't as hard as it might sound. After all, you need to record someone's email address to fulfill an order (contract). If you want to send someone marketing communications, it shouldn't be a problem to ask them first (consent). And if you need to email a customer to let them know there's an issue with their account, this is a minor intrusion with a clear benefit (legitimate interests).

Here are three practical ways you can help ensure you always have a lawful basis for processing:

The Information Commissioner's Office

A big part of the DPA gives new powers to the Information Commissioner's Office (ICO). This is the UK's Data Protection Authority.

What Does the ICO Do?

The ICO plays several important roles:

Your business might encounter the ICO if:

The ICO is keen to promote itself as an approachable and supportive organization, and a large part of its work is about helping businesses comply with the law.

But remember that the ICO is also capable of imposing huge fines of up to €20 million (around 17.7 million GBP or 22.4 million USD) or 4 percent of annual turnover.

Do You Need to Pay an ICO Data Protection Fee?

Most businesses who process personal data in the UK must register and pay a fee to the ICO.

Regardless of size, your business will probably need to pay a data protection fee if:

The ICO provides a self-assessment checklist to help companies determine whether they need to pay a data protection fee.

There are exemptions for elected representatives and data processors (who process personal data on behalf of a data controller).

How Much Is the ICO Data Protection Fee?

The amount you'll have to pay will vary depending on the size of your company. Don't worry - it's unlikely to break the bank.

Here's a table that shows how the data protection fee varies depending on company size. Note that a company only needs to fulfill either the staff or turnover criteria to fall within a tier.

Annual turnover Number of staff Annual fee
Tier 1 £632,000 or less 10 or fewer £40
Tier 2 Between £632,000 and £36 million Between 10 and 250 £60
Tier 3 Over £36 million More than 250 £2,000

Charities are Tier 1 regardless of their size.

You can pay your fee via the ICO's website.

History of the DPA (1998)

The Data Protection Act or DPA was drafted and released to public use in 1984 and then superseded in 1998 by the version of the DPA discussed in the earlier part of this article. The older DPA covered individuals' safety since it protected them against misuse or abuse of their personal information.

It had 8 principles that you can still see in action today in global privacy laws, and maintained in the updated DPA.

The 8 Principles

The DPA had 8 principles that defined how you, as a business, could collect and use personal data from users. It also included what rights the users had on the collected personal data you had on them.

Principle #1: Process personal data fairly and lawfully

The Data Protection Act required you to process any kind of personal data fairly and lawfully.

This means that you needed to:

Principle #2: Process personal data only for the specified purposes

It was against the DPA's #2 Principle to inform users that you were collecting data only to improve the website, for example, but then actually use the collected data to run remarketing campaigns or send commercial messages to users (without a proper notification through the Privacy Policy agreement).

This means that you needed to:

Principle #3: Collect only personal data you need and ensure that it's sufficient

Principle #3 of the DPA act said:

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

"Adequate, relevant and not excessive" is not defined by the act, but consider the Principle #3 in the context of the entire act:

Principle #4: Keep collected personal data accurate and up-to-date

The Principle #4 of the DPA act was clear:

Personal data shall be accurate and, where necessary, kept up to date.

You needed to make sure you took all steps to ensure that whatever collected data you had on users was accurate.

This may have include prompting users to update the information they had with you.

Principle #5: Don't retain collected personal data longer than it is necessary

The retention requirement of the Data Protection Act didn't state a specific period for how long or how little you could store user data.

However, you may have needed to review how long you kept the user data and if it was necessary to keep it for that long in the context of your stated purposes.

If the collected data didn't need to be stored for a very long period, it should have been deleted. Considerations should have been given on whether to update or archive the data if it was out of date.

Principle #6: Individuals have rights

The DPA gave individuals rights in regards to the what personal data you had collected from on/from them:

Principle #7: Manage the security of the collected personal data

The main points of Principle #7 of DPA meant that you were responsible for safely keeping user data.

For example, if you were an ecommerce store it was recommended to use SSL certificates as it could increase the level of security when you process user data.

Principle #8: Don't transfer collected personal data outside the European Economic Area unless...

Here's what the DPA said on where you could transfer collected personal data, usually referenced to as "International Data Transfer":

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

You could transfer the collected data, either you or through the third-parties that you used, as long as the country you were transferring data to had an adequate level of protection of protecting the privacy of individuals data.

Safe Harbor, a program between the EU and U.S., is an example of this.

Summary

The DPA is the third generation of UK data protection law. The DPA brings the GDPR into UK law. It also adapts and extends the GDPR in certain areas.

Compliance with the DPA will be an ongoing process. But some good early steps include: