The Data Protection Act 2018 explained: What UK CISOs need to know

The UK’s implementation of EU's GDPR shares the same core requirements but has key differences for certain kinds of data and processing.


Data Protection Act 2018 definition

The Data Protection Act (DPA) 2018 is the UK’s data protection law. It brings the EU’s General Data Protection Regulation (GDPR) into the UK’s legal system and defines how personal data should be processed and protected. DPA 2018 is the third generation of UK data protection law and replaces DPA 1998.

While it retains the same core requirements as the GDPR, the DPA 2018 features extra requirements and exemptions, especially around specific types of data and processing purposes such as crime data and national security purposes.

As the UK prepares to leave the European Union, it faces the prospect of being subject to both the DPA 2018 and a separate UK GDPR, and must prepare for potential changes post-Brexit.

What are the core Data Protection Act 2018 requirements?

The DPA 2018 governs how organisations should approach the processing of subjects’ personal data by:

  • Defining personal data and saying that organisations should not obtain or disclose personal data without the consent of the data subject
  • Outlining the principles organisations should adhere to around protecting the personal data they handle
  • Requiring organisations to collect only data needed for a given purpose, retain it for only as long as needed for that purpose, and document decisions made around data collection and risk mitigation
  • Stipulating organisations must disclose data incidents within 72 hours of the breach being discovered
  • Requiring organisations to appoint a data protection officer (DPO)
  • Giving data subjects the right to access data held about them and the right to be forgotten
  • Outlining the penalties for failing to adhere to the law: fines of up to £17 million or 4% of global turnover, whichever is larger.

“The broad tenets are that when you're dealing with personal data it isn't really yours,” says Andrew Hartshorn, partner at law firm Shakespeare Martineau Birmingham. “You can only collect the data that you need on the basis of the engagement that you have with the individual, you should only keep it while you need it, you should tell the individual what you're doing with it so they have a full understanding of what's happening to it, get rid of it when you no longer need it, you have to keep it up to date, and you have to keep it secure.”

How the DPA 2018 is related to GDPR

The DPA 2018 and the GDPR are closely linked. “The 2018 Act doesn't override GDPR. What it does is provide some additional nuances,” says Hartshorn. “The GDPR effectively is the underpinning legislation, and the 2018 sits on top of it.”

There are some subtle differences between the two laws, including these additional lawful bases for processing sensitive personal data under the DPA 2018:

  • Employment, social security and social protection purposes
  • Health and social care purposes
  • Archiving, research and statistics purposes
  • Public interest purposes
  • Criminal convictions data

The act requires that organisations keep “appropriate policy documents” in place when processing special category data to show how the controllers are complying with the data protection principles and outlining retention and erasure policies.

Processing data for national security or defence purposes is excluded from the DPA. There are exemptions around processing data subject access requests (DSARs) for purposes such as taxation, crime or health services.

The updated DPA also transposes the EU’s Law Enforcement Directive into UK law at the same time as the GDPR. It also requires the ICO to produce codes of practice outlining how companies can stay compliant in specific scenarios or industries.

How DPA 2018 differs from DPA 1998

The 1998 and 2018 versions of the DPA share the same broad tenets around requiring consent to collect and process data as well as the need to protect the personal data organisations hold, but the 2018 update has important new provisions. One of the biggest differences is the potential fine that can be issued by the regulator. Under the DPA 1998 the largest fine that could be issued was £500,000. Under the 2018 iteration that figure increases to potentially £17 million or 4% of global turnover, whichever is larger.

“There are some additional rights for individuals and additional detailed obligations for businesses, but fundamentally the principles remain the same,” says Hartshorn. He adds that organisations that were comfortably compliant with the 1998 act should have found it easy to comply with the new regulations, as there was little new to do aside from proper documentation and updating privacy notices.

“The first [change] is the obligation to evidence how you comply,” Hartshorn says. “Under the previous act you just had to be compliant; now you have to evidence your compliance. You also now have to notify both the ICO and individuals if there is a data loss which may have an impact on all individuals.”

“One other slight nuance is the obligation of the privacy impact assessment. If you're doing new processing, which might impact on individuals' personal data, then you have to do a data protection impact assessment or privacy impact assessment to make sure that what you're doing is appropriate and isn't going to pose inappropriate threats or risks to individuals,” Hartshorn adds. “If there are risks that are challenging, then you have to notify the ICO of that and let them know how you're planning to mitigate them.”

Will Brexit mean the DPA is replaced?

While legislation has been slow to keep pace with technology, and especially cybersecurity, due to Brexit, the current Data Protection Act is unlikely to exist for another 20 years without significant change.

The UK withdrew from the European Union on 31 January 2020 and until 31 December 2020 remains in a transition period. During this time, the UK remains subject to EU law, including GDPR. Once the UK leaves the bloc proper on 31 December, the UK DPA 2018 will remain in place.

The European Union (Withdrawal) Act 2018 also transposes existing EU law into local law. This includes the GDPR, which will be known as the UK GDPR and underpin the current DPA, but will include certain amendments under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 to remove references to EU-specific bodies and members.

UK organisations should bear in mind that if they have operations in the EU or process EU citizen data post-Brexit, they will be subject to the EU version of the GDPR in addition to the UK GDPR/DPA 2018. It is possible that the UK Government will combine the DPA 2018 and UK GDPR into one piece of legislation in the near future. The UK has said protecting personal data “is and will continue to be a priority” in its own policy papers post-Brexit, but Prime Minister Boris Johnson has said that the UK will “develop separate and independent policies in areas such as ….data protection, maintaining high standards as we do so,” meaning the law could be updated with new requirements.

Hartshorn says that most data protection regimes generally fall into the EU-style regime focused on the individual’s primacy, a US-style corporate primacy regime, or a Chinese-style state-primacy regime. The UK currently sits within the EU-style regime, and a move toward more of a free-market US model could harm digital trade and data flows with the EU.

“The challenge for the UK is that if we want to continue data flows to and from Europe -- who are still our biggest trading partner -- it becomes more difficult for us to maintain or to achieve an adequacy basis of data export if we want to if we move more towards a corporate model, or towards a state model,” says Hartshorn. “If we want to maintain data flows to and from Europe we are going to have to maintain a data protection regime that is not dissimilar to the one that we have now. The risk is that if we do free up things it costs us in terms of doing business with more than we gain from opening up the market.”

Copyright © 2020 IDG Communications, Inc.