The Data Protection Act 2018 explained
Learn more about what Data Protection is, its purpose, and how it affects you.
By Eleanor Blackwood
Mon 29 June 2020
The Data Protection Act (2018) is a huge step forward. It aims to empower individuals to take control of their personal data and protect their rights. It also places further restrictions on what organisations can legally do with personal data.
In essence, the Data Protection Act is the UK’s tailored version of the EU's General Data Protection Regulation (GDPR). Both relate to data rights and outline how to process personal information, but the Data Protection Act goes further. This is because GDPR was designed so that individual member states could interpret it to suit their own needs, such as data processing standards for national security and other types of special data categories. We'll come onto that bit later.
What is the Data Protection Act?
As we mentioned, the Act is the UK’s implementation of the GDPR. It’s tailored to the UK by setting out separate data protection rules for law enforcement authorities, extending data protection to areas of national security and defence, and setting out the Information Commissioner’s functions and powers.
The Data Protection Act applies to any organisation, person or government that uses or holds personal data on individuals within the EU and UK.
Although the Act tailors and incorporates GDPR standards, and so the two are similar in many ways, there are key differences between them, such as the Act covering standards outside the scope of the GDPR. More detail on that below!
The influence of Brexit
There's also a political element to the Act that we should probably note. It ensures that the UK will retain the GDPR’s requirements after it leaves the EU.
For example, the Department for Digital, Culture, Media & Sport argues that the Act is 'essential to the UK in forging its own path as an ambitious trading partner'. It argues that by having strong data protection laws and appropriate safeguards, businesses will be able to operate across international borders with unhindered data flows after leaving the EU.
According to the Department’s Secretary of State at the time, Matt Hancock:
“The Data Protection Act gives people more control over their data, supports businesses in their use of data, and prepares Britain for Brexit.”
What are the principles of the Data Protection Act?
For any organisation or business that processes personal data, the Act outlines 6 ‘data protection principles’ for you to follow. In order to avoid any penalties and fines, and to help secure the rights of your customers, companies must make sure the personal data is:
- Processed lawfully, fairly and transparently: Companies need a legal basis under the GDPR for collecting and using personal data. They should use personal data in a way that is fair, and not in a way that is excessively detrimental or misleading to the individuals concerned. They should also be clear and honest with people from the start about how they will use their personal data.
- Used for specified, explicit, and legitimate purposes: Companies need to be clear about their purpose for processing personal data from the start, and the processing must be necessary and proportionate to this specified purpose. They should not use data for any purpose other than the one specified unless they get consent from the data subject or have a clear obligation set out in law.
- Processed in a way that is adequate, relevant and limited to only the purpose for which it was collected: Companies should collect enough data so that they can properly fulfil their purpose, but it should only be data that is relevant to that purpose. They should not hold more data than they need.
- Accurate and, where necessary, kept up to date: Companies should take reasonable steps to ensure that the personal data they hold isn't incorrect or misleading, and if it is, that it's erased or rectified as soon as possible. Companies may also need to keep personal data up to date depending on the type of data. The quality of personal data also needs to be verified before it's processed, and the information used to verify it should be documented.
- Kept for no longer than is necessary: Personal data should not be kept for longer than it's needed to fulfil its purpose. Companies must be able to justify this time period. For example, data can be kept longer if you're only keeping it for public interest archiving or scientific or historical research. Data should be periodically reviewed, erased or anonymised if it's no longer needed.
- Handled in a way that ensures appropriate security: Companies need to ensure personal data is processed using appropriate technical or organisational measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This is needed to ensure individual confidentiality and integrity.
A checklist for companies on how to process personal data in compliance with the Act can be found here.
There is also stronger legal protection for more ‘sensitive’ information, such as: race, ethnic background, political opinions, religious beliefs, trade union membership, health, genetics, sex life or orientation, and criminal offence data. This is called ‘special category data’.
Unlike other personal data, there are special conditions for processing special category data, e.g. you can’t claim ‘legitimate interest reasons’ and use special category data such as health to market for your pharmaceutical business. Companies must also take extra precautions to ensure the security of this data, e.g. sometimes you're required to hold an ‘appropriate policy document’ where you describe the data processed, the reasons for processing this data, and the procedures followed to ensure all 6 principles have been met.
What is covered in the Data Protection Act?
The way that the Act is written and structured is full of jargon, so we've tried to break it down into a brief overview below. If you have any questions, please feel free to tweet us @rightlydata.
It consists of 7 major sections called Parts, followed by 20 explanatory notes called Schedules. The Parts outline the basic rights of data subjects, methods in which data may be handled by those who possess it, special exemptions and modes of enforcement. The Schedules explain the Parts in greater detail.
You can read the Act itself online, but for a quick overview here are the 4 major 'regimes' that it's structured by, each one focusing on the regulation of a specific type of data. The four regimes and where they can be found are:
- Part 2 Chapter 2: Supplements and tailors the GDPR. This covers elements covered in the GDPR but adds to and tailors them, e.g. it sets the age for children to be able to give consent for data processing as 13, which is lower than the GDPR age at 16.
- Part 2 Chapter 3: Extends a modified GDPR. This extends the GDPR to some other (rare) cases, e.g. if you are a public authority, the principles for processing data are extended to unfiled papers and notes to ensure that freedom of information rules work properly.
- Part 3: Law enforcement authorities. This sets out a separate data protection regime for authorities that are processing personal data for law enforcement purposes, e.g. you can process criminal convictions data if processing satisfies the substantial public interest test.
- Part 4: Intelligence services. This sets out a separate data protection regime for the intelligence services (MI5, MI6, and GCHQ) and their processors, e.g. personal data should not be transferred to a country outside the UK or to an international organisation unless the transfer is necessary for the purposes of that controller’s statutory function, or for purposes provided for in the Security Services Act 1989 or the Intelligence Services Act 1994.
The last two regimes were added to protect the rights of victims, witnesses and suspects while ensuring the UK is sufficiently able to tackle any domestic or international threats.
What is the history of the Data Protection Act?
The Data Protection Act of 2018 replaced the Data Protection Act of 1998, and implements the government's manifesto commitment to update the UK’s data protection laws.
In 1998, Google had just been founded, offices were still using word-processors and most people had never heard of the internet. A lot had changed in 20 years when the data protection laws in the UK were finally modernised to be more suitable for our increasingly data-central world.
In general, the 2018 Act strengthens most provisions under the 1998 Act to reflect the value of people's personal data today, and addresses the way technological advancements have affected data collection, data use and storage. For example, the use of web cookies to collect data from our internet searches and use them for advertising purposes was not around in 1998.
The key changes between the Data Protection Act of 2018 and the Data Protection Act of 1998 are:
- Harsher penalties; the 1998 Act gave the ICO the power to issue penalties of up to £500,000, whereas the 2018 Act allows penalties of up to £17m or 4% of global turnover.
- Seeking consent and holding data for no longer than necessary; the 2018 Act requires organisations, with only a few exceptions, to gain people's consent to use their information, and requires organisations to hold personal data for no longer than necessary.
- Transparency and explicit purpose; the 2018 Act requires organisations to make efforts to be transparent with individuals about exactly why they are collecting their personal data, and the type of data they are collecting. This was not necessarily required under the 1998 Act.
- Type of data collected; the type of data that could be collected by companies was also up for interpretation under the 1998 Act, as long as data processing was not ‘excessive’ to its original purpose. Under the 2018 Act, processing is limited to only that data considered relevant.
- The implementation of all principles of the GDPR; unlike the 1998 Act, the 2018 Act implements principles from the GDPR. For example, before the GDPR was implemented in 2018, organisations could charge a specified fee of up to £10 for responding to a Subject Access Request (SAR); now there is no fee. Therefore, your right to receive a copy of the data a company holds on you is strengthened.
What is the difference between the Data Protection Act and GDPR?
The GDPR applies in all Member States without needing to be implemented by national legislation. This means that the Data Protection Act 2018 doesn’t need to re-state the GDPR as organisations have to comply with GDPR anyway, and the two should be looked at side by side. However, GDPR gives Member States opportunities to make provisions for how it applies in their country specifically.
The differences between the GDPR and Data Protection Act 2018 are:
- The DPA states that a child can consent to data processing at age 13, whilst the GDPR sets this at 16.
- The GDPR requires those processing criminal data to have official authority, the DPA does not.
- The GDPR states that data subjects have a right not to be subject to automated decision making and profiling, whereas the DPA allows for this whenever there are legitimate grounds for doing so and their individual rights and freedoms are protected.
- The DPA allows some of the rights of data subjects, ensured by the GDPR, to be ignored if they hinder an organisation’s ability to carry out their functions when processing data for historical, scientific, statistical and archiving purposes.
- The DPA provides more lawful bases than the GDPR for processing sensitive personal data. With appropriate safeguards, it's permitted for use in cases of employment, social security, and social protection purposes, health and social care purposes, archiving, research and statistics purposes, public interest purposes, and criminal convictions data.
- The GDPR gives Member States the opportunity to balance the right to privacy with the right to freedom of expression and information. The DPA uses this opportunity and provides an exemption from certain personal data protections when personal data is processed for publication in the public interest.
The DPA is also wider in scope than the GDPR and covers areas such as:
- Criminal sanctions and fines for GDPR infringements, e.g. the introduction of an unlimited fine for the new offence of intentionally or recklessly re-identifying individuals from anonymised data.
- Processing relating to national security and immigration.
- The duties and powers of the UK’s Information Commissioner’s Office (ICO).
Who enforces the Data Protection Act?
Whilst the GDPR is governed by the Court of Justice of the European Union, when the UK leaves the EU, the Act will be governed solely by the UK justice system.
The Act gives the Information Commissioner additional powers to regulate and enforce data protection laws. The Commissioner has the power to fine data controllers and processors up to £17m (€20m) or 4% of global turnover for the most serious data breaches. The Act also allows the Commissioner to bring criminal proceedings for offences where a data controller or processor alters records with intent to prevent disclosure following a subject access request.
What data protection means for you
Thanks to the updated Data Protection Act 2018 we have greater rights over our data as individuals, and companies that process our data are held to higher standards.
Under this Act, you can now also get a copy of the data a company holds on you back for free, and even ask for it to be deleted. You can do this easily and quickly through Rightly, below!