With the United Kingdom’s exit from the European Union, many businesses across the UK and the world have been left with questions about GDPR compliance in the country. This article will look at the UK Data Protection Act 2018 (DPA) and how it differs from the EU GDPR. We will also take a brief look at the UK GDPR, which is now read in conjunction with the DPA 2018.
What is the UK Data Protection Act?
The UK Data Protection Act 2018 is a comprehensive data protection framework for the UK, which came into force on 25 May 2018 – the same day as the EU General Data Protection Regulation (GDPR). It was amended on 01 January 2021 to reflect the UK’s status outside the EU after Brexit. As per the UK Government’s website,
“The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR)”.
The Data Protection Act extends GDPR standards to areas of processing not covered by the GDPR. It also creates four distinct data protection regimes to cover processing in specific areas:
- Within the scope of the GDPR (UK GDPR)
- Outside the scope of the GDPR
- By competent authorities for law enforcement purposes
- By the intelligence services
What is the UK GDPR?
UK GDPR is the data protection regulation in the UK. Following Brexit and the end of the EU-UK transition period, the EU GDPR was incorporated into British domestic data privacy law – the Data Protection Act (2018) to become the UK GDPR. It is defined in section 3(10) of the Data Protection Act 2018 (DPA 2018), supplemented by section 205(4).
In short, the UK GDPR is the UK’s version of the EU GDPR that lays down key principles and obligations for processing personal data in the UK and provides rights for consumers.
Which data protection laws apply in the UK?
With effect from 1 January 2021, UK organisations that process domestic personal data must comply with: the UK Data Protection Act 2018 and the UK GDPR. The two pieces of privacy legislation are intended to be read in conjunction with each other.
The PECR (Privacy and Electronic Communications Regulations) is another law that regulates electronic communication such as marketing messages, website cookies, trackers and sets out privacy rights for users. It is the UK law that implements the EU’s ePrivacy Directive or the EU cookie law. The PECR uses the UK GDPR’s standard of consent.
What are the principles of the Data Protection Act 2018?
The seven principles of the Data Protection Act 2018 apply to any organisation or business that processes personal data:
- Lawfulness, fairness, and transparency
Businesses should be transparent and accurate about their data processing. They should use personal data fairly, in ways that are not detrimental to individuals, and respect their data rights.
- Purpose limitation
Businesses should collect personal data for a specific purpose, state that purpose before asking the data subject for consent, and process the data only for that purpose. They should not use the data for any other application.
- Data minimization
Businesses should ensure that the data collected is adequate, relevant and limited to the intended purpose. This principle prevents organisations from hoarding personal data without a clear purpose.
- Accuracy
The personal data businesses collect must be accurate and up to date, and businesses should take reasonable steps to erase or rectify data that is inaccurate or incomplete.
- Storage limitation
This principle restricts businesses from keeping data for an indefinite time, or beyond that of its intended purpose. Organisations should delete personal data when it’s no longer necessary.
- Integrity and confidentiality
Data should be processed with appropriate technical and organisational security measures to protect it from unauthorised or unlawful processing, accidental loss, destruction or damage. Businesses should implement both physical and technological controls to ensure security.
- Accountability
Businesses should take responsibility for the personal data they process and for their compliance with the other principles of data protection. Organisations should be able to demonstrate that their data protection measures are secure and sufficient.
What is the difference between the Data Protection Act and EU GDPR?
The core definitions from the EU GDPR, such as personal data, controller, processor, the rights of data subjects and the legal bases for processing, are the same in the UK GDPR. However, the UK GDPR differs from the EU GDPR in the following ways.
How do I make my website compliant with the Data Protection Act?
Complying with the UK data protection laws will not be very different from GDPR compliance in the EU. If you have already taken the necessary steps for your website’s GDPR compliance, you might not have to make significant changes to accommodate the UK laws.
Review the data you collect
Make sure all the data you collect on your website is on lawful grounds and adheres to the principles of the Act. Map out how data is collected on your website, where it is stored and/or transferred and deleted.
Assess the categories of data (including sensitive categories) you collect and catalogue them. The UK GDPR includes a non-exhaustive list of identifiers as personal data including:
- Names, emails, phone numbers, location data, including current or previous employee data
- Display pictures, social media IDs and profile URLs
- Online identifiers such as cookies and IP addresses; payment details such as bank account numbers and credit card information
Limit any data processing that lacks a legal basis or relevance. Also review whether any third-party apps collect personal data and for what purpose.
If you process sensitive categories of personal data, you have to put additional provisions in place. Sensitive categories of data include:
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs
- Trade union membership
- Genetic data, biometric data
For processing such data, you should maintain documentation of the processing activities, implement data protection policies, have written contracts in place with data processors, conduct a Data Protection Impact Assessment (DPIA) and appoint a Data Protection Officer (DPO).
Obtain consent for collecting data
Like the EU GDPR, the DPA requires websites to obtain explicit consent from the users in the UK to collect their personal data. Be it forms, cookies, emails, or third-party plugins, user consent is crucial to data processing. Use active opt-in methods to obtain consent, such as:
- Ticking an opt-in box on website forms
- Clicking an ‘accept’ button on a cookie banner
- Double opt-in for emails
You cannot rely on lack of response, inactivity, pre-ticked boxes, default settings or blanket acceptance as signs of consent. You should also provide easy ways for the individual to opt out or withdraw consent, such as unsubscribe links.
The CookieYes cookie consent solution is feature-packed to support compliance with the DPA 2018 and the UK GDPR. Users’ consent is key for websites that deploy cookies. As per the GDPR, consent should be freely given, specific and unambiguous.
- Cookie scanner will detect all cookies and trackers on your website and block third-party scripts until consent is given.
- Customizable cookie consent banners allow users to give opt-in consent, manage cookie preferences or withdraw their consent easily.
- The consent log will record all user consents to ensure you have a centralized, retrievable record, for proof of consent.
- Multi-language support will help you display auto-translated banners in 30+ languages as per the target user’s language preference.
- Support for multiple privacy laws such as the EU GDPR, California’s CCPA, Brazil’s LGPD, CNIL guidelines and other global data privacy regulations.
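As an added illustration of the opt-in rules above and of consent-gated script loading (example code written for this article, not CookieYes product code), the following consent manager defaults every non-essential category to off, runs a third-party script only after an explicit affirmative choice, treats anything other than a literal `true` as no consent, supports one-call withdrawal, and keeps a timestamped log as the record of consent. The category names and the `loadScript` callback are assumptions; in a browser the callback would append a script element, and a stub is used here so the logic runs anywhere.

```javascript
// Added example for this article, not CookieYes product code.
// Consent categories are an assumption; "necessary" is never gated.
const CONSENT_CATEGORIES = ["necessary", "analytics", "marketing"];

// loadScript: how a script actually gets loaded (in a browser, append a
// <script src=...> element; a recording stub works for testing).
// now: clock used to timestamp log entries, injectable for testing.
function createConsentManager(loadScript, now = () => new Date().toISOString()) {
  // Default state: only strictly necessary processing. No pre-ticked boxes,
  // no consent inferred from inactivity or from closing the banner.
  const state = { necessary: true, analytics: false, marketing: false };
  const log = [];                                   // proof-of-consent record
  const pending = { analytics: [], marketing: [] }; // scripts blocked until opt-in
  const loaded = [];

  function run(src) { loadScript(src); loaded.push(src); }

  function record(action) {
    log.push({ ts: now(), action, state: { ...state } });
  }

  // Register a third-party script under a category; it runs immediately only
  // if that category is "necessary" or has already been opted into.
  function register(category, src) {
    if (!CONSENT_CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (state[category]) run(src); else pending[category].push(src);
  }

  // Apply the user's explicit choices from the banner. Only a literal `true`
  // counts as opt-in; omitted or non-boolean values leave the category off.
  function accept(choices) {
    for (const c of ["analytics", "marketing"]) state[c] = choices[c] === true;
    record("accept");
    for (const c of ["analytics", "marketing"]) {
      if (state[c]) pending[c].splice(0).forEach(run);
    }
  }

  // Withdrawal is one call, as easy as consenting. Scripts already executed
  // cannot be unloaded, so they are re-gated on the next page load.
  function withdraw() {
    state.analytics = false; state.marketing = false;
    record("withdraw");
  }

  return {
    register, accept, withdraw,
    getState: () => ({ ...state }),
    getLog: () => log.map((e) => ({ ...e })),
    loadedScripts: () => loaded.slice(),
  };
}
```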
- Inform users about the personal data you collect, your purpose for collecting it and how you ensure that their personal data is protected
- Describe the users’ rights under GDPR
- Be available in a concise, transparent, and accessible form
- Be written in clear and plain language
- Direct users how to access and rectify their data
FAQ on Data Protection Act 2018
Who enforces the UK Data Protection Act?
The Information Commissioner’s Office (ICO) is the UK’s national supervisory authority that enforces and regulates the Data Protection Act (DPA), as well as the UK GDPR.
What does Brexit mean for GDPR?
With the UK exiting the EU, it is now formally a ‘third country’. After Brexit on 1 January 2019, there was a transition period, during which EU GDPR applied in the UK. The transition period ended on 31 December 2020 and the UK GDPR came into effect on 01 January 2021. Data protection in the UK now falls under the scope of the UK GDPR and Data Protection Act 2018.
Who does UK GDPR apply to?
The UK GDPR applies to all organizations that process the personal data of residents of the UK. It also applies to organisations outside the UK that offer goods or services to residents in the UK.
Does the EU GDPR still apply in the UK?
Yes. If your business operates in Europe, offers goods or services to consumers in the EU, or monitors EU residents’ behaviour, you should comply with the EU GDPR as well as the UK GDPR and the Data Protection Act 2018.
Does UK GDPR affect data sharing?
The EU adopted ‘adequacy’ decisions in June 2021, allowing personal data to be shared with the UK. This means UK businesses and organisations can continue to receive personal data from the EU and EEA without additional arrangements in place. The UK had already recognised the EU and EEA member states as ‘adequate’ for data transfers.