
GDPR vs DPA: Understanding Key Differences in Data Protection

By Safna November 20, 2024


The Data Protection Act of 2018 is the UK’s adaptation of the General Data Protection Regulation. Building on the foundation laid by the 1998 Act, the DPA safeguards the personal data of UK residents in an increasingly data-dependent world. Though the GDPR and the DPA are almost identical, there are some differences between them. Learn more about GDPR vs DPA in this blog.

Overview of GDPR and DPA

Let us begin with an overview of GDPR and DPA and identify the core elements of each law.

What is GDPR?

The GDPR is a European Union data privacy law that establishes a uniform data protection framework and strengthens privacy rights. It replaced the Data Protection Directive of 1995 and came into effect on 25 May 2018. The GDPR covers all entities processing the personal data of EU residents.


GDPR is founded on the six data protection principles that businesses should follow while handling EU personal data. It also grants eight GDPR rights to EU data subjects. 

Businesses under GDPR must be able to demonstrate their compliance rather than making token gestures. They must be transparent about their data practices and, under specific conditions, conduct impact assessments, prevent data breaches, or appoint a Data Protection Officer.

Moreover, it introduces strict consent requirements, letting individuals make a real and informed choice. Earlier, the rules around consent were mostly regulated by the Data Protection Directive and were often interpreted as a lenient opt-out model. However, under GDPR, the consent must be freely given, informed, specific and unambiguous.

The Data Protection Authorities of member states have the power to enforce the law with fines of up to 20 million euros or 4% of the global annual turnover. 

What is DPA 2018?

The Data Protection Act 2018 is widely known as the United Kingdom’s implementation of GDPR. The law applies to entities processing personal data of UK residents.

DPA replaced the Data Protection Act of 1998, bringing changes that aligned with the European Union’s GDPR. However, it also modifies GDPR to suit regional needs and context. A large part of the act covers areas such as law enforcement and national security. The act also implements the Law Enforcement Directive (LED) regime, which falls outside the scope of GDPR.

When the UK left the European Union (Brexit), the GDPR was incorporated into domestic law as the UK GDPR. Therefore, both the DPA and the UK GDPR must be read in tandem to fully understand the data protection requirements.

The DPA, like the EU GDPR, is also based on data protection principles and grants 8 privacy rights to the data subjects. However, it provides some exemptions, particularly in the context of national security. 

The act is overseen and enforced by the Information Commissioner, who can impose fines of up to 17.5 million pounds.

Main objectives of the GDPR and DPA

Both GDPR and DPA are more than just a legal framework; they are the blueprint for a world where individuals claim control over their personal data. All businesses connected with the European Union or the UK should have a basic understanding of the main objectives of these laws. Let us discuss them one at a time.

What are the main objectives of GDPR?

Unified data privacy framework

The GDPR harmonises data protection laws across the European Union. Though member states are allowed to modify some provisions to meet their regional requirements, it acts as a strong common foundation. This creates consistency among different countries, sparing businesses from having to comply with a multitude of national laws.

Strengthen data subject rights

There is a clear distinction in how individuals exercise control over their personal data before and after the implementation of GDPR.

Now, people have the right to be informed about how organisations intend to use their data, access the information held about them, and request the erasure or correction of their data. They also have the right to object to data processing, restrict its use, transfer their data to another service, and safeguard themselves against automated decision-making.

[Figure: Aim of GDPR. Source: European Union’s website]

Ensure personal data flows freely while maintaining privacy

GDPR regulates the cross-border transfer of personal data by requiring businesses to look for adequacy decisions or to put in place safeguards such as Binding Corporate Rules and Standard Contractual Clauses. This means data can be transferred freely to countries that have adequate data protection; otherwise, such protection must be ensured through an agreement. Some of the countries with adequacy decisions include Andorra, Argentina, Japan, and New Zealand.

Set standards for data security

EU GDPR establishes standards for how to safeguard personal data in order to protect its integrity and confidentiality. This includes training employees on data protection and implementing access controls and authentication measures.

What are the main objectives of DPA?

Besides the objectives it shares with the EU GDPR, the DPA has some objectives of its own.

Align UK with data protection standards

DPA incorporates EU GDPR and its standards, controller obligations, data subject rights, consent provisions, security requirements, etc., into national legislation. 

Tailor the law to the UK’s unique requirements 

The Data Protection Act establishes specific provisions for areas not covered by GDPR, such as law enforcement and the security and intelligence services. It also provides additional safeguards for the personal data of offenders or suspected offenders.

Define the role and powers of the Information Commissioner

The Data Protection Act (DPA) designates the Information Commissioner’s Office (ICO) as the primary enforcement authority. It provides guidance to data controllers on adhering to data protection regulations, and it actively investigates cases of non-compliance. Additionally, the ICO has the power to impose fines on those who violate these regulations.

Key differences between GDPR and DPA

Let us understand the key differences between the European GDPR and the UK Data Protection Act read with UK GDPR.

Scope and Jurisdiction

The scope of EU GDPR extends to all processing activities involving the personal data of individuals in any of the EU member states. This includes entities outside the European Union if they offer products or services to EU residents or monitor their behaviour by using trackers such as internet cookies.

The UK law’s scope is limited to data processing activities within the country or relating to its residents. The DPA also has an extraterritorial reach similar to that of GDPR.

The law applies to controllers who decide the purposes and means of processing personal data, data processors who process personal data on behalf of the controllers, the intelligence services, and law enforcement authorities.

Criminal data processing

Under GDPR, data relating to criminal convictions can only be processed by a public authority. The UK law, however, modifies this provision to allow persons without official authority to process such data under certain circumstances, such as employment, social security, public health, consent, etc.

Consent age 

GDPR sets the minimum age for consent at 16 years while allowing member states to modify this age. Accordingly, the United Kingdom’s Data Protection Act allows children above 13 to give consent.

Data subject rights

Both GDPR and DPA empower data subjects with the following GDPR rights. 

  • Right to information: All entities handling personal data of both EU and UK citizens must provide information regarding the types of data collected, the legal basis for processing, information about the controller, etc. Businesses like yours usually provide them with a privacy policy/privacy notice.
  • Right to access: Data subjects have the right to know whether their personal data is being processed by an organisation and access such data and information related to it such as the purpose and legal bases of processing, retention period, etc.
  • Right to rectification: Individuals can request the controller to correct any mistakes or update their personal data in the database.
  • Right to erasure/restriction: Data subjects can request controllers to delete their personal data or restrict its processing, based on certain conditions.
  • Right against automated decision-making including profiling: Individuals also have the right to not be subjected to automated decision-making that significantly affects that person.
  • Right to object: Data subjects can object to the processing of their personal data under specified conditions.
  • Right to data portability: Allows individuals to get their personal data in a portable format to use it for different services.

The DPA makes supplementary provisions requiring data controllers to inform data subjects whether a request has been fulfilled or, if not, the reasons for its denial. It also clarifies the GDPR rights further and specifies the applicable exemptions, which are largely similar to those under GDPR.

Enforcement authorities

The GDPR appoints the Data Protection Authority of each member state as its enforcement agency. In the UK, the Information Commissioner’s Office is responsible for enforcing the DPA.

Cross-border transfers

Under GDPR, data transfers to third countries or international organisations must be based on an adequacy decision, which effectively acts as a vetted list of countries with adequate personal data protection. The European Commission decides adequacy based on several factors. The United Kingdom now has an adequacy decision under GDPR, making data transfers between the EU and the UK easy.

For the UK, adequacy decisions are made by the Secretary of State.

Penalties for non-compliance

The penalties for GDPR non-compliance can range from €10 million or 2% of the global annual turnover to €20 million or up to 4% of annual turnover. 


The ICO, by contrast, has a standard maximum fine of £8.7 million or 2% of global annual turnover, and a higher maximum of £17.5 million or 4% of global annual turnover.

Compliance requirements for GDPR vs DPA

Businesses catering to both EU and UK residents might be confused about what to do to become compliant with both laws, especially after Brexit. Luckily, both laws impose similar obligations on businesses. Here are the key requirements under the DPA and GDPR.

Have a lawful basis for processing

This means you should have a valid ground for processing personal data. It can be consent, a contract, legitimate interest, vital interest, a public task or a legal obligation. If you are relying on consent as a legal basis, it must be an affirmative action that is freely given, unambiguous, specific and informed. A common example of this is the cookie consent banner that appears when you visit a website.

Consent requirements

Consent is a keystone in the GDPR and DPA framework and is defined as a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The laws make it clear that an influenced or coerced action cannot be considered valid consent; it must instead be a real, informed choice of the data subject.

Though consent is only one of the six valid grounds for processing personal data, it is quite popular among businesses. One of the reasons is the legal obligation to obtain cookie consent from users to deploy non-essential cookies. These are the cookies that are not necessary for the functioning of the website or an application. 

However, many use them for marketing or analytics purposes. All websites deploying such non-essential cookies should also provide users with a cookie banner. It is not as tough as it sounds. CookieYes can easily meet this requirement in a few simple steps and let you focus on your business’s growth. 
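To make the consent rules above concrete, here is an added example that is not part of the original article and is not CookieYes’ own code. It models a consent gate in plain JavaScript: non-essential cookies (analytics, marketing) are blocked until the user takes a clear affirmative action, silence or a pre-ticked box never counts, and consent can be withdrawn. The in-memory cookie jar, the category names and the `affirmative` flag are constructed for the example; in a browser, the jar would be `document.cookie` and the flag would come from a real click on the banner.

```javascript
// Added example: a minimal cookie-consent gate modelling the GDPR/DPA rule that
// consent must be a freely given, specific, informed and unambiguous affirmative
// action. Not code from the article or from CookieYes.

// Cookie categories as typically used by consent banners (constructed for the example).
const CATEGORIES = Object.freeze({
  necessary: { essential: true },   // strictly necessary: needs no consent
  analytics: { essential: false },  // non-essential: needs consent
  marketing: { essential: false },  // non-essential: needs consent
});

function createConsentGate() {
  // No consent is recorded by default: the lawful starting state is "nothing
  // non-essential may run", not an implied opt-in.
  let consent = null;          // { categories: Set<string>, timestamp: string }
  const jar = new Map();       // stands in for document.cookie
  const blocked = [];          // audit trail of writes refused for lack of consent

  function grant(selected, { affirmative } = {}) {
    // Scrolling, closing the banner or a pre-ticked box is not "a clear
    // affirmative action", so only an explicit opt-in may record consent.
    if (affirmative !== true) {
      throw new Error('consent requires a clear affirmative action by the user');
    }
    const categories = new Set(['necessary']);
    for (const c of selected) {
      if (!(c in CATEGORIES)) throw new Error(`unknown cookie category: ${c}`);
      categories.add(c); // specific: only the categories the user chose
    }
    // Keep a record so the controller can demonstrate consent (accountability).
    consent = { categories, timestamp: new Date().toISOString() };
  }

  function withdraw() {
    // Withdrawal resets to essential-only and removes cookies already set
    // under the withdrawn consent.
    consent = { categories: new Set(['necessary']), timestamp: new Date().toISOString() };
    for (const [name, entry] of jar) {
      if (!CATEGORIES[entry.category].essential) jar.delete(name);
    }
  }

  function isAllowed(category) {
    const meta = CATEGORIES[category];
    if (!meta) throw new Error(`unknown cookie category: ${category}`);
    if (meta.essential) return true;
    return consent !== null && consent.categories.has(category);
  }

  // Every cookie write goes through the gate; a refused write is logged, not silently dropped.
  function setCookie(name, value, category) {
    if (!isAllowed(category)) {
      blocked.push({ name, category });
      return false;
    }
    jar.set(name, { value, category });
    return true;
  }

  return {
    grant,
    withdraw,
    isAllowed,
    setCookie,
    cookies: () => [...jar.keys()],
    blocked: () => blocked.slice(),
    record: () => consent,
  };
}

// Walk-through of a typical visit; returns the observed states for inspection.
function demo() {
  const gate = createConsentGate();
  const sessionSet = gate.setCookie('session_id', 'abc123', 'necessary'); // allowed
  const gaBeforeConsent = gate.setCookie('_ga', 'GA1.1', 'analytics');    // blocked
  gate.grant(['analytics'], { affirmative: true });                        // user clicks "Accept analytics"
  const gaAfterConsent = gate.setCookie('_ga', 'GA1.1', 'analytics');     // allowed
  const adsAfterConsent = gate.setCookie('_fbp', 'fb.1', 'marketing');    // still blocked: not chosen
  gate.withdraw();
  return { sessionSet, gaBeforeConsent, gaAfterConsent, adsAfterConsent, remaining: gate.cookies() };
}

module.exports = { CATEGORIES, createConsentGate, demo };
```

The design point is that the gate, not the individual scripts, decides whether a write happens, and that the default is deny: a consent banner that pre-loads analytics and only offers an opt-out would fail the "clear affirmative action" test the article describes.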


Follow the six data protection principles 

The data protection principles under GDPR and UK DPA are the same, especially for businesses. Here are the six principles that you must incorporate into your business practices while dealing with personal data from the UK and EU.

  • Process data in a transparent, fair and lawful manner (lawfulness, fairness and transparency)
  • Limit the use of personal data to the specific purpose the data subject was informed of (purpose limitation)
  • Collect and keep only a reasonable and necessary amount of personal data (data minimisation)
  • Keep the data accurate and up to date (accuracy)
  • Do not store personal data for longer than a reasonable period (storage limitation)
  • Secure the personal data with adequate safeguards (integrity and confidentiality)
  • Be able to demonstrate your compliance efforts (accountability)

Provide a privacy policy

Transparency between the controller and the data subject is a key requirement under both laws. To comply with this requirement, you must provide a privacy statement that contains all relevant information regarding the processing of a data subject’s personal data, including the categories of data you collect, how long you will keep the data, the purposes for which they are collected, what their privacy rights are and how those rights can be exercised.

The privacy policy must be prominently displayed and easy to understand. Websites usually place it in their footer so that it is easily accessible to individuals. In the below example from CookieYes, the privacy policy is hyperlinked under the legal section.

Honour data subject rights

Establish practical measures to honour data subject rights. You can start by implementing a robust data management system that enables you to find and retrieve the data needed to fulfil a request. Furthermore, provide convenient data subject request mechanisms, verify the identity of each requester before acting on a request, and train your employees to handle requests efficiently.

[Figure: Data subject request mechanism as seen on Airbnb’s website]

Secure the data

Implement necessary security safeguards to protect the integrity and confidentiality of the personal data. This is to prevent any unauthorised access including data breaches. Some of the most used and relevant measures include encryption, regular data backups, access controls, multi-factor authentication, using strong passwords, and training the employees on security practices.

Also, ensure security even when sharing data outside your organisation, whether with processors, third parties, or even third countries. 

How do you determine which applies to your business?

Ask yourself the following questions to see whether the EU GDPR, the UK DPA or both apply to your business.

Where is your business located?

The geographical location of your establishment plays an important role in determining the law that governs your business. If it is located within the European Union, you must adhere to GDPR, whereas, if it is the United Kingdom, the DPA read with UK GDPR applies to you. 

Establishments in the UK include persons residing in the country, an entity incorporated under the laws of the UK, a partnership or other associations registered under UK laws, or having an office, branch or other stable arrangement in the United Kingdom. A stable arrangement generally refers to an organised system.

Similarly, any businesses having a stable arrangement in any of the EU member states are bound by the EU GDPR.

Example

A business headquartered in Germany that has branches in the United Kingdom would have to comply with both the EU GDPR and the DPA.

Do your data processing activities involve EU or UK personal data?

If your answer is yes, you must get ready for compliance. Businesses that process the personal data of individuals in the EU should comply with EU GDPR and those processing the personal data of individuals in the UK must comply with the DPA. This stands regardless of the location of your business. The main factors determining whether you process their personal data are whether you offer products or services to them or monitor their behaviour.

Businesses processing personal data of both EU and UK residents would have to comply with both laws

Are you a data processor for EU or UK data controllers?

All data controllers in the EU and UK processing the personal data of their residents must abide by the relevant law. Not only that, data processors processing personal data on behalf of those controllers must also comply with the law.

Therefore, if you process personal data for the EU data controllers, GDPR applies to you and if for UK controllers, DPA applies. 

FAQ on GDPR vs DPA

Are the GDPR and DPA the same?

The General Data Protection Regulation (GDPR) is a data privacy law in the European Union. It was implemented in the UK as the Data Protection Act. After Brexit, the UK established its own version of GDPR with some modifications, known as the UK GDPR. Currently, both the Data Protection Act and the UK GDPR are essential pieces of privacy legislation, alongside the Privacy and Electronic Communications Regulations.

Did GDPR replace DPA 1998?

The Data Protection Act of 1998 was replaced by the Data Protection Act of 2018, which implemented the GDPR in the United Kingdom.

What is the purpose of DPA?

The Data Protection Act governs how organisations handle the personal data of UK residents. It provides individuals with control over their personal information and establishes privacy responsibilities for businesses.

Safna

Safna Y Yacoob is a data privacy writer at CookieYes with a law degree and certifications in the field. Dedicated to simplifying complex legalese, she stays current with data privacy trends through continuous learning.
