DPA 2018 introduction
The Data Protection Act 2018 is a response to a developing digital age in which the amount of data being processed is increasing. It provides a more comprehensive legal framework than the Data Protection Act 1998, and one that can be exercised and implemented with relative ease. The Data Protection Act 2018 looks to implement guidelines set out in the General Data Processing Regulations and to accord with the modernized Convention 108 adopted on 18 May 2018. Furthermore, the Data Protection Act 2018 focuses on the following four principles:
- General Data Processing
- Law Enforcement Data Processing
- Data Processing by the intelligence services
- Regulatory oversight and enforcement
It is also important to understand that, while the DPA 2018 has been set out according to EU regulations, it will remain in place upon withdrawal from the European Union, as it will be incorporated into the UK’s domestic law under the European Union Withdrawal Bill. This is significant because it would essentially allow the free flow of data that is vital for future trading relationships post-Brexit, as outlined by the Government in ‘The exchange and protection of personal data – a future partnership paper’.
GDPR and Data Protection Act 1998
The GDPR carries over eight data protection principles set out in the Data Protection Act 1998 as well as providing an additional principle of accountability. The principles are as follows:
- Lawfulness – both the Data Protection Act 1998 and the GDPR emphasize that personal data shall be processed fairly and lawfully, while the GDPR adds a further provision that personal data be processed transparently in relation to the data subject.
- Purpose – both the Data Protection Act 1998 and the GDPR state that personal data shall be obtained for specified, lawful purposes; processing for anything beyond the specified purpose is a violation of both.
- Minimisation – both the GDPR and the DPA 1998 state that data collected should be adequate, relevant and not excessive. This means that data collection is limited to the specified reason and only that reason.
- Accuracy – both the DPA 1998 and the GDPR emphasize that data collected should be accurate and kept up to date, with the latter further clarifying that reasonable steps must be taken to erase or rectify inaccurate data.
- Storage – the DPA 1998 states that personal data shall not be kept for longer than is necessary, whereas the GDPR adds a provision under which personal data can be stored for longer periods provided it is solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
- Access – while the GDPR has no equivalent principle, the DPA 1998 states that personal data shall be processed in accordance with the rights of data subjects.
- Security – both the DPA 1998 and the GDPR emphasize that appropriate measures, whether technical or organisational, shall be taken against unauthorized or unlawful processing of personal data and against accidental loss of personal data.
- Overseas transfer – while the GDPR has no equivalent principle, the DPA 1998 states that data shall not be transferred outside the European Economic Area unless the destination country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- Accountability – the DPA 1998 had no principle of accountability; it is established only by the GDPR, which states that the controller shall be responsible for, and be able to show, compliance with the principles.
When paying close attention to the principles of Overseas transfer and Accountability, the DPA 1998 arguably falls short in ensuring that standards of data protection are close to universal, and it lacks provisions for the latter. The DPA 2018 allows the adoption of an increasingly universal method of processing data under the modernized Convention 108, which is signed by 51 countries including non-EU countries, and it includes provisions for accountability.