GDPR | Seers Article

DPA 2018 introduction

The Data Protection Act 2018 is a response to a developing digital age in which the amount of data being processed is constantly increasing. It provides a more comprehensive legal framework than the Data Protection Act 1998, and one that can be exercised and implemented with relative ease. The Data Protection Act 2018 looks to implement the guidelines set out in the General Data Protection Regulation (GDPR) while also being in accordance with the modernised Convention 108 adopted on 18 May 2018. Furthermore, the Data Protection Act 2018 focuses on the following four principles:

  • General Data Processing
  • Law Enforcement Data Processing
  • Data Processing by the intelligence services
  • Regulatory oversight and enforcement

It is also important to understand that while DPA 2018 has been set out according to EU regulations, upon withdrawal from the European Union this Act will remain in place, as it will be incorporated into the UK’s domestic law under the European Union Withdrawal Bill. This is significant as it would essentially allow the free flow of data that is vital for future trading relationships post-Brexit, as outlined by the Government in ‘The exchange and protection of personal data – a future partnership paper’.

GDPR and Data Protection Act 1998

The GDPR carries over the eight data protection principles set out in the Data Protection Act 1998 and adds a further principle of accountability. The principles are as follows:

  • Lawfulness – both the Data Protection Act 1998 and the GDPR emphasise that personal data shall be processed fairly and lawfully, while the GDPR adds the further requirement that personal data be processed transparently in relation to the data subject.
  • Purpose – both the Data Protection Act 1998 and the GDPR state that personal data shall be obtained only for specified, lawful purposes; any processing beyond the specified purpose is a violation of both.
  • Minimisation – both the GDPR and the DPA 1998 state that the data collected should be adequate, relevant and not excessive. This means that data collection is limited to the specified reason, and only that reason.
  • Accuracy – both the DPA 1998 and the GDPR emphasise that data collected should be accurate and kept up to date, with the GDPR further clarifying that reasonable steps must be taken to erase or rectify inaccurate data.
  • Storage – the DPA 1998 states that personal data shall not be kept for longer than is necessary, whereas the GDPR adds a provision allowing personal data to be stored for longer periods provided it is solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
  • Access – while the GDPR has no equivalent principle, the DPA 1998 states that personal data shall be processed in accordance with the rights of data subjects.
  • Security – both the DPA 1998 and the GDPR emphasise that appropriate measures, whether technical or organisational, shall be taken against unauthorised or unlawful processing of personal data and against accidental loss of personal data.
  • Overseas transfer – while the GDPR has no equivalent principle, the DPA 1998 states that data shall not be transferred outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  • Accountability – the DPA 1998 had no principle of accountability; it is established only by the GDPR, which states that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.

Looking closely at the principles of overseas transfer and accountability, the DPA 1998 arguably lags behind in ensuring that standards of data protection are close to universal, and it lacks any provision for the latter. The DPA 2018 allows the adoption of an increasingly universal method of processing data under the modernised Convention 108, which has been signed by 51 countries including non-EU countries, and which includes provisions for accountability.

GDPR and Data Protection Act 2018 (Key differences)

While the Data Protection Act 2018 essentially translates the data processing standards set by the GDPR, the GDPR makes no mention of regulations surrounding data processing by law enforcement or the intelligence services. Instead, DPA 2018 implements the Law Enforcement Directive (EU) 2016/680 into UK law. The Law Enforcement Directive means that personal data can be processed by competent authorities, defined as any public authority that is competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Although the GDPR does not refer to data processing for law enforcement, it could be argued that it is extremely dangerous to allow law enforcement data processing to be based solely on the provisions set out by the Law Enforcement Directive. Thus, the Law Enforcement Directive as outlined in the DPA 2018 interacts with the principles set out in the GDPR for greater safeguarding of personal data, including for other purposes within law enforcement agencies such as internal personnel management and human resources management.

Processing of personal data in connection with national security by the relevant security agencies (the Secret Intelligence Service and the Government Communications Headquarters) is not within the scope of the GDPR or the Law Enforcement Directive; however, it complies with the standards of the modernised Convention 108, leading to data processing by the intelligence services being in line with future international standards. In addition, under the DPA 2018 the intelligence services’ data processing is exempted from the standards set by the GDPR, as was the case under the DPA 1998. Instead, it complies with standards established in domestic law such as the Investigatory Powers Act 2016, which provides for agency-specific warrants relevant to how the agencies hold and use personal data. The Investigatory Powers Act 2016 also creates a series of offences relating to the misuse of data within an agency.

Data processing for the purpose of serving public interests is where the Data Protection Act 2018 varies from the guidelines set by the GDPR. For example, processing of special categories of personal data such as data relating to race, political opinions and health is prohibited unless explicit consent is obtained. Under special circumstances, the GDPR allows domestic law to determine the processing of special categories of data. This would involve data regarding criminal convictions, the pricing of risk in financial services and the operation of anti-doping programmes in sport. Thus, DPA 2018 can be seen as a continuation of former provisions in the DPA 1998 which allowed for the processing of special categories of data. This is aimed at allowing organisations to continue to process such data lawfully because it serves ‘substantial public interests’.

Further provisions have been carried over from the 1998 Data Protection Act which fall short of the standards set in the GDPR, such as limiting individual rights where there are ongoing investigations into an individual’s conduct and it could be of benefit to limit those rights. For example, section 29(1) of the 1998 Act enabled Her Majesty’s Revenue and Customs (“HMRC”) to withhold certain personal data on a case-by-case basis from an individual customer who submitted a subject access request, if providing that personal data would be likely to prejudice specified crime and taxation purposes. It also meant that HMRC was not obliged to send a privacy notice to an individual when obtaining personal data from a third party if doing so would tip them off about an ongoing investigation into their tax affairs. The 2018 Act makes equivalent provision. Another way in which DPA 2018 differs from the GDPR is that it elaborates on, and adds extra provisions to, principles outlined in the GDPR. For example, on the storage principle, the GDPR states that personal data can be processed for the purpose of archiving in the public interest, or stored for historical research and/or statistical research purposes. DPA 2018 adds the provision that research organisations and archiving services do not have to respond to subject access requests where this would seriously impair or prevent them from fulfilling their purposes, thereby exempting them from the standards of individual rights set out in the GDPR.

The Data Protection Act 2018 further allocates power to the Secretary of State to make further exemptions in the future which may seem appropriate in dealing with unforeseeable circumstances. This may involve restricting individual rights as outlined