GDPR and Data Protection Act 2018

DPA 2018 introduction

The Data Protection Act 2018 is a response to a digital age in which the volume of personal data being processed keeps growing. It provides a more comprehensive legal framework than the Data Protection Act 1998, one intended to be applied and implemented with relative ease. The Act supplements the General Data Protection Regulation (GDPR), which applies directly in UK law, by filling in the areas the GDPR leaves to member states, and it is also aligned with the modernised Convention 108 adopted by the Council of Europe on 18 May 2018. The Act is organised around four areas:

  • General data processing
  • Law enforcement data processing
  • Data processing by the intelligence services
  • Regulatory oversight and enforcement

It is also important to understand that although the DPA 2018 was written to sit alongside EU law, it remains in force after the UK's withdrawal from the European Union, and the GDPR itself is incorporated into domestic law under the European Union (Withdrawal) Act 2018 (still a Bill when the DPA 2018 was passed). This matters because an equivalent standard of protection is what allows the continued free flow of personal data on which future trading relationships depend, as set out by the Government in ‘The exchange and protection of personal data – a future partnership paper’.

GDPR and Data Protection Act 1998

The GDPR's principles broadly track the eight data protection principles of the Data Protection Act 1998, although two of the 1998 principles are handled elsewhere in the Regulation rather than as principles, and a new principle of accountability is added. A comparison:

  • Lawfulness – both the DPA 1998 and the GDPR require that personal data be processed fairly and lawfully; the GDPR adds that processing must also be transparent to the data subject.
  • Purpose – both require that personal data be obtained only for specified, lawful purposes and not further processed in a manner incompatible with those purposes.
  • Minimisation – both require that data be adequate, relevant and not excessive (the GDPR says "limited to what is necessary"), so collection is confined to what the stated purpose actually requires.
  • Accuracy – both require data to be accurate and, where necessary, kept up to date; the GDPR adds that every reasonable step must be taken to erase or rectify inaccurate data without delay.
  • Storage – the DPA 1998 states that personal data shall not be kept longer than necessary; the GDPR adds that data may be stored longer where it is processed solely for archiving in the public interest, scientific or historical research, or statistical purposes, subject to appropriate safeguards.
  • Access – the DPA 1998 required that personal data be processed in accordance with the rights of data subjects under the Act; the GDPR has no equivalent principle but sets out the data subject's rights directly in Chapter III.
  • Security – both require appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage of personal data.
  • Overseas transfer – the DPA 1998 prohibited transfers outside the European Economic Area unless the destination ensured an adequate level of protection for data subjects' rights and freedoms; the GDPR has no equivalent principle but regulates international transfers in Chapter V.
  • Accountability – the DPA 1998 had no such principle; the GDPR introduces it, requiring the controller to be responsible for, and able to demonstrate, compliance with the other principles.

Looking at overseas transfer and accountability in particular, the DPA 1998 arguably lagged behind: its transfer rule assumed that protection stopped at the EEA border, and it had no accountability requirement at all. The DPA 2018 moves towards a more universal standard by aligning with the modernised Convention 108, which has been signed by 51 countries including non-EU states and which itself contains accountability provisions.

GDPR and Data Protection Act 2018 (Key differences)

While Part 2 of the Data Protection Act 2018 essentially applies and supplements the processing standards set by the GDPR, the GDPR itself does not cover data processing by law enforcement or the intelligence services. Instead, Part 3 of the DPA 2018 implements the Law Enforcement Directive (EU) 2016/680 into UK law. Under the Directive, personal data may be processed by competent authorities, meaning any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security. It can be argued that leaving law enforcement processing solely to the Directive's provisions would be dangerous, so the DPA 2018 draws the boundary carefully: Part 3 governs processing for law enforcement purposes, while processing by the same bodies for other purposes, such as internal personnel or human resources management, falls back under the GDPR regime and its principles.

Processing of personal data for national security purposes by the intelligence services (under the Act, the Security Service, the Secret Intelligence Service and the Government Communications Headquarters) falls outside the scope of both the GDPR and the Law Enforcement Directive. Part 4 of the DPA 2018 instead bases the regime for these services on the modernised Convention 108, keeping their processing in line with emerging international standards. Intelligence services' processing is therefore exempt from the GDPR standards, as it was exempt from the DPA 1998 under that Act's national security exemption. It is governed alongside other domestic law, notably the Investigatory Powers Act 2016, which provides for agency-specific warrants that shape how the agencies obtain, hold and use personal data and which also creates a series of offences for the misuse of data within an agency.

Processing in the public interest is another area where the Data Protection Act 2018 adds to the GDPR. Processing of special categories of personal data, such as data revealing racial or ethnic origin, political opinions or health, is prohibited unless one of the conditions in Article 9(2) applies, explicit consent being the most obvious. Several of those conditions, and the rules on criminal conviction data in Article 10, leave the detailed terms to domestic law. Schedule 1 to the DPA 2018 does this for the UK, covering areas such as criminal convictions data, the pricing of risk in financial services and the operation of anti-doping programmes in sport. Thus the DPA 2018 can be seen as continuing the conditions in the DPA 1998 under which special categories of data could be processed, with the aim of allowing organisations to carry on processing lawfully where it serves a ‘substantial public interest’.

Exemptions carried over and extended in the DPA 2018

Further provisions have been carried over from the 1998 Act which fall short of the standards set in the GDPR, notably restrictions on individual rights where an investigation into the individual's conduct is ongoing and exercising those rights would undermine it. For example, section 29(1) of the 1998 Act enabled Her Majesty's Revenue and Customs (HMRC) to withhold certain personal data, on a case-by-case basis, from a customer who submitted a subject access request if disclosing it would be likely to prejudice specified crime and taxation purposes. It also meant HMRC was not obliged to send a privacy notice to an individual when obtaining their personal data from a third party if doing so would tip them off about an ongoing investigation into their tax affairs. The 2018 Act makes equivalent provision in Schedule 2.

The DPA 2018 also elaborates on principles set out in the GDPR and adds provisions to them. On storage limitation, for example, the GDPR permits personal data to be kept for archiving in the public interest or for historical research and statistical purposes. The DPA 2018 adds that research organisations and archiving services need not respond to subject access requests where doing so would seriously impair or prevent them from fulfilling those purposes, so they are exempted from the individual rights the GDPR would otherwise require.

The Act further empowers the Secretary of State to make additional exemptions in future to deal with unforeseen circumstances, which may include restricting individual rights under the GDPR in order to protect public interests.

Data Protection Act 1998 and the Data Protection Act 2018

There is continuity between the Data Protection Act 1998 and the Data Protection Act 2018, since the 2018 Act is essentially a revision of the 1998 Act to bring UK law into line with the GDPR. Important changes have nonetheless been made. The GDPR requires that a person giving consent to processing understands what they are being asked, so for young children using information society services a parent or guardian must give consent on the child's behalf. The DPA 1998 set no minimum age at which a child could consent to such processing; the GDPR sets a default of 16 but allows member states to lower it to 13, and the DPA 2018 adopts 13 for the UK. Continuity is clearer in the area of automated decision-making, that is, processing with no human intervention, such as an algorithm deciding creditworthiness from data collected about an individual's finances. The GDPR gives individuals the right not to be subject to a decision based solely on automated processing and requires safeguards where such decisions are permitted. Section 12 of the DPA 1998 already gave individuals rights in relation to automated decision-taking, and the DPA 2018 carries these forward, providing in section 14 the safeguards the GDPR requires where automated decisions are authorised by law.

ICO and Data Protection Act 2018

The Information Commissioner oversees enforcement of the Data Protection Act 2018. The Commissioner's powers include investigating and sanctioning data protection breaches and, since the Criminal Justice and Immigration Act 2008 introduced the power, issuing civil monetary penalty notices of up to £500,000 for the most serious breaches. The GDPR raises the ceiling dramatically: for the most serious infringements the Commissioner may impose fines of up to £17.5 million (the sterling equivalent of €20 million) or 4% of annual worldwide turnover, whichever is higher. The Commissioner does not have free rein, however. A notice of intent must be issued before a penalty, giving the controller or processor the opportunity to make representations on the proposed fine and its amount, and the final penalty notice can be appealed to the tribunal. The DPA 2018 also re-enacts many of the criminal offences in the DPA 1998, adjusted to fit the GDPR, and introduces a small number of new offences to address emerging threats. For example, section 171 criminalises the knowing or reckless re-identification, without the controller's consent, of personal data that has been de-identified.

ePrivacy and Data Protection 2018

The Data Protection Act 2018 strengthens ePrivacy by giving individuals greater control over their data. It does this through the processing principles described above; accountability in particular was on display when Mark Zuckerberg was questioned by the US Senate over the Cambridge Analytica affair, in which personal data harvested from Facebook users was used for political profiling, a case that touched nearly every data protection principle. Individuals can also exercise control through their rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling. Yet while strengthened individual rights strengthen ePrivacy, the DPA 2018 falls short in one respect. Because the GDPR does not cover law enforcement or the intelligence services, those bodies operate under the separate Part 3 and Part 4 regimes, which carry far broader exemptions. ePrivacy therefore remains weak where the state can override it in the ‘public interest’.

Data Protection Act 2018 summary

The Data Protection Act 2018 arrived against a backdrop of high-profile misuse and breaches of personal data (the Facebook/Cambridge Analytica affair, the Yahoo breaches) that underlined why the European Union had overhauled its data protection law in the form of the GDPR, and it modernises UK data protection law to match. Ultimately, the DPA 2018 is a revised version of the DPA 1998: it adds provisions that give individuals greater control over their personal data (the individual rights) and gives the Commissioner greater power to hold controllers accountable, above all through much larger fines for serious breaches. The Act also modernises the legal framework for processing by aligning with the modernised Convention 108, keeping UK standards in line with international ones, which will be vital for trade after Brexit.