The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018. The UK Data Protection Act (DPA) took effect on the same day because it is meant to be read in conjunction with the GDPR.
There is currently a lot of confusion about how the DPA relates to the GDPR. Are the DPA and the GDPR the same? Is the GDPR enforceable in the UK? Does the GDPR replace the DPA? Let’s clarify.
What is the UK Data Protection Act?
First of all, let’s look more closely at the UK DPA. The United Kingdom’s Data Protection Act (DPA) is a domestic law governing the use of personal data and the flow of information in the United Kingdom. This Act of Parliament was passed in 1988. It was developed to control how personal or customer information is used by organisations or government bodies. It protects people and lays down rules about how personal data can be used.
The UK DPA 2018 was passed in April 2016 and took effect on May 25, 2018. After Brexit, the law no longer refers to the EU’s GDPR but to the UK GDPR. The DPA implements the EU’s GDPR, codifying its requirements into UK law and supplementing them with additional requirements and exemptions.
Under the Data Protection Act 2018, people have the right to find out what information the government and other organisations store about them. Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly, lawfully, and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant, and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage
To learn more about the future of data protection law in the UK, listen to the TrustArc podcast: Of Tigers and Laws: UK Adequacy Assessed with Ralph O’Brien
Why is the DPA important?
The Data Protection Act provides guidance and best practice rules for organisations and the UK government on how to use personal data, including:
- Regulating the processing of personal data
- Protecting the rights of the data subject
- Enabling the Data Protection Authority (the ICO) to enforce the rules
- Holding organisations liable to fines in the event of a breach of the rules
The law also provides stronger protection for more sensitive information such as:
- Ethnic background
- Political opinions
- Religious beliefs
- Sexual life
- Criminal history
To get advice for data protection officers and other privacy professionals on how to embrace privacy proactively, download the TrustArc whitepaper: To Penalties and Beyond: Looking Ahead by Looking Back on Enforcement Actions
Differences between the GDPR and the UK DPA
The GDPR and the UK Data Protection Act are mostly built on similar principles. However, here are some items differentiating both laws:
- While the language and requirements are essentially the same across all member states, the GDPR allows member states some latitude to adapt aspects of the legislation under the terms of Article 23. These adaptations are generally confined to specific scenarios such as national security, crime and legal proceedings, and certain special categories of data.
- The DPA requires that organisations keep ‘appropriate policy documents’ in place when processing these special categories of data that explain how the controller complies with the data protection principles and policies for the retention and erasure of the data in question.
- The DPA exempts application of the GDPR for processing necessary to safeguard national security or defense purposes or concerning unstructured manual data held by certain government bodies designated by freedom of information legislation.
- There are exceptions to data subject rights in specific scenarios, meaning a company can refuse data subject access requests (DSARs).
- Another difference is the minimum age of consent for processing a subject’s data, which is lower in the UK: 13 in the UK versus 16 under the GDPR.
- The DPA also stipulates that the ICO shall produce codes of practice that guide companies in staying compliant when processing data in specific scenarios and/or industries.
In the UK, data protection is governed by the UK GDPR and the DPA 2018, which should be read together because the DPA adds layers to the GDPR. It may seem challenging for organisations in the UK to comply with these two privacy laws. With PrivacyCentral, TrustArc helps you meet data regulation standards successfully.