With the United Kingdom’s (UK) exit from the European Union (EU), many organizations across the UK and the world have been left with questions about GDPR compliance in the country. In this article, we will breakdown the UK data protection act (DPA) 2018 and what makes it different from the EU GDPR. We will also glimpse into the UK GDPR that is now read in conjunction with the DPA.
What is EU GDPR?
The General Data Protection Regulation (GDPR) is data protection and privacy regulation passed by the European Parliament for the EU and EEA regions. It came into effect on May 25, 2018.
The GDPR lays down legal requirements for an organization or body that collects and uses the personal data of people in the EU. All EU and EEA member states have since adopted and enforced the regulation in their region with domestic laws.
The scope of the EU law is not limited to the organizations in the European zone. It extends to organizations or bodies anywhere in the world if they handle (collect, use, share, or store) the personal data of individuals within the EU.
The GDPR’s wide reach and strict standards have attracted a lot of discussion since its introduction.
The key points discussed in the EU GDPR are:
Lawful, fair, and transparent processing
Your reason for data processing must have a genuine and legitimate reason, and you must inform the people of your processing activities.
In most cases, the data collection or processing activity requires the users’ prior consent which is given at free will and after you have shared adequate information about your purpose and other processing practices. The consent request must be in an easy-to-understand language and with granular options (in case of consent for more than one purpose). The users can withdraw consent at any time.
The GDPR principles for processing personal data discuss fair practices.
The collection, usage, storing, and sharing of personal data must be limited to what is necessary for the intended purpose. Anything exceeding that is considered an infringement.
You must be accountable for your actions and anything related to the data processing.
Data rights of users
There are certain rights that the GDPR hands over to the people. These rights ensure that the people have control over their personal data.
They have the right to access, delete, modify their data and object or restrict data processing. You are liable to respond on time to such requests and help them exercise their rights. If you have to refuse the request, it must have a genuine and legitimate reason behind it.
You must inform your local supervisory authority in the event of a data breach within 72 hours of being aware of it. In some severe cases, you will have to inform the affected individuals.
The data breach notification must provide information about the nature and severity of the breach, what actions you have taken to mitigate the damage, and what the affected users can do.
Privacy By Design
Privacy by design is a data protection approach that proposes integrating safety measures from the inception stage of your data processing activity.
Data Protection Impact Assessment (DPIA)
DPIA is sort of a ‘planning ahead’ part of your GDPR compliance. If your organization’s processing activity indicates high risks to the personal data of the users, it is advisable to conduct DPIA. DPIA is carried out after auditing your database and reviewing processing activities.
Appointment of DPO
If necessary, appoint a Data Protection Officer (DPO), who monitors and advises compliance strategies of your organization. They can act as the contact point between you and the supervisory authority or the users.
Failing to comply with GDPR will result in harsh fines or strict actions, depending on the severity of the violation. The GDPR fines could go up to 4% of annual global turnover or €20 million — whichever is higher.
What is the UK Data Protection Act (DPA) 2018?
Known as the UK’s ‘third generation’ of data protection legislation, the UK DPA 2018 replaces the 1998 version. It achieved Royal Assent (formal approval by the monarch) on May 23, 2018. It came into force on the same day as the EU GDPR — May 25, 2018.
The DPA was passed to address the privacy issues in the UK that are beyond the scope of the EU GDPR (before the Brexit) and to implement the GDPR in the country.
Read the full text of the UK Data Protection Act 2018 here (PDF).
The DPA 2018 varies from its 1998 version by:
- Introducing the right to erasure personal data
- Introducing exemptions in the law
- Implementing the GDPR in the UK
- Increasing the fines for violations
The Act has seven parts that apply in different situations:
- General Processing
- Law enforcement processing
- Intelligence services processing
- The Information Commissioner
- Supplementary and final provision
Is the DPA 2018 the same as GDPR?
This is a very common question among business owners ever since the GDPR came into force. For the most part, the DPA and the GDPR have common requirements. However, we will highlight some differences here.
The DPA 2018 was implemented to set a framework for enacting the EU GDPR in the UK. The GDPR has given each EU member states to implement their frameworks for enforcing the regulation. The difference is the domestic privacy issues that are beyond the scope of the GDPR.
The key differences of the DPA 2018 from the GDPR are:
- Clarifies terms, such as ‘data controllers,’ ‘data processors,’ public authority,’ and ‘public body’
- The age limit of consent for children at 13-years; whereas the GDPR sets it at between 13-16 years, leaving it on the member states to decide.
- More granularity in the protection special category of personal data
- Includes processing of personal data in the area of law enforcement, national security, and immigration
- Allows automated decision-making on legitimate grounds
- Fee limits for data controllers
- Protection for using data for research and archiving
- Data transfer to third countries extended if it is for public interest
- Allows exemptions in GDPR articles
To further understand what sets the DPA 2018 different from the GDPR, we will briefly look at the three data protection regimes in the Act:
Part 2: the general Processing regime
This part is an extension of the GDPR requirements and adds additional conditions and requirements for the UK, which has already been discussed.
Chapter 3 deals with the processing of personal data that falls outside the scope of EU law.
This part, also called ‘the Applied GDPR,’ refers to the EU GDPR.
Part 3: the law enforcement processing regime
This regime deals with handling personal data for law enforcement purposes.
As per the Act, the law enforcement purposes are “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security” (together “law enforcement purposes”).”
Unlike the GDPR, the Act does not require transparent processing of personal data of individuals or organizations for law enforcement purposes.
Part 4: the intelligence services processing regime
The UK intelligence services and national security lie outside the scope of EU law. Therefore, part 4 applies to the intelligence services and the processing of personal data by the intelligence services. It also deals with the rights of people,
Instead of ‘technical and organizational measures’ in the GDPR, the DPA 2018 uses ‘security measures’ for the regime.
What happens to the DPA 2018 post Brexit?
Then, the Brexit happened. And changed the landscape of the data protection laws in the UK.
Owing to legal changes in the data protection laws post Brexit, the DPA 2018 was amended on January 1, 2021, after the UK’s transition period. The EU GDPR provisions were removed (from Part 2 Chapter 3) and some regimes in the new Data Protection Act are now part of the ‘UK GDPR.’
Following this, the UK and the EU have decided to allow the free flow of data from the EU and the EEA to the UK for a maximum of six months (until June 2021). After that, it depends on the adequacy decision (that the Uk has an adequate level of data protection) agreement from the EU.
The significant amendments in the DPA 2018 after the Brexit are:
- Part 1 and part 2 of the Act — the Applied GDPR — that used to refer to the EU GDPR, now refers to the UK GDPR.
- Any reference to the EU legislation changed to the UK versions.
- The Information Commissioner’s Office (ICO), which used to be the supervisory authority for the EU GDPR, is now the lead enforcer of the DPA 2018 and UK GDPR.
- The UK has declared all EU/EEA member states as ‘adequate,’ i.e. data flow from the UK to the EU and the EEA will remain unaffected.
What is UK GDPR?
The UK General Data Protection Regulation is the UK equivalent of the EU General Data Protection Regulation. Since it is based on the EU GDPR, for the most part, it has common requirements. However, it applies to all organizations that supply goods and services to people (processes their personal data) in the UK. Whereas the EU law applies to organizations that deal with people in the whole of EU/EEA member states.
It is read in conjunction with the Data Protection Act, and therefore, expands the areas covered (as discussed) under it when compared with the EU GDPR.
How to comply with the UK Data Protection Act 2018?
Complying with the UK data protection laws will not be much different from the EU GDPR compliance.
Apart from the expanded areas and the limited territorial scope, you might find similar grounds for compliance with the DPA and the UK GDPR. Some steps for compliance are:
Personal data processing practices
Make sure your handling of the personal data is on lawful grounds and adheres to the principles of the Act. You must have a system to review the data processing frequently to avoid risks.
Limit any data processing practices that may not have legal grounds or relevancy.
Review if any third-party apps collect personal data and their purpose for it.
Like the EU GDPR, the DPA requires websites to obtain explicit consent from the users in the UK to collect their personal data. Be it forms, cookies, emails, or third-party plugins, user consent is crucial to proceed with the data processing.
CookieYes GDPR cookie consent solution will also support the DPA 2018 requirement. It will help you install a cookie consent banner on your website and you can customize the banner as per your requirement. Or you can select the color scheme for the banner auto-recommended by the application as per your website’s color scheme.
It automatically scans the website for cookies and blocks third-party cookies before obtaining user consent. You can record the cookie consent obtained as proof of consent.
Rights of the users
Follow privacy by design
Privacy By Design is a concept of integrating data protection and privacy from the inception of a process — collection to disposal of personal data. That is, implement safe and secure practices and measures in every step of the data flow and the website design.
Data breach notification
You must have an effective system in place to deal with data breaches and to immediately inform the ICO. Some cases may require you to also inform the affected users.
Plan ahead to be prepared for such an event so that the damage is minimal. You must have an action plan to mitigate any damage that occurred due to the breach.
These requirements are the same as the EU GDPR’s. Therefore, if you have already fine-tuned your website for GDPR compliance, you might not have to make significant changes to accommodate the UK laws.