18 June 2018
The UK's new Data Protection Act 2018 (DPA) came into force on time on 25 May alongside the GDPR.
The GDPR came into effect on 25 May 2018. It was initially intended to be the last word in EU data protection law, but agreement could not be reached on all provisions and it was eventually accepted that Member States would have scope to depart from the GDPR and introduce their own provisions in some areas.
Member States were also required to produce implementing legislation for the Law Enforcement Directive (which deals with the use of personal data by law enforcement agencies).
The UK has passed the Data Protection Act 2018.
The majority of provisions were brought into force under commencement regulations, with other sections to come in on 23 July (including requirements for the ICO to publish codes of practice). There has been a knock-on effect on the Digital Economy Act regarding notification requirements on data controllers.
Guidance from the DCMS on the ICO's role and enforcement, intelligence services processing and law enforcement processing, has been published together with an overview of the DPA, and general guidance on processing.
The DPA covers the use of personal data within the scope of the GDPR and beyond it, as well as for law enforcement and the intelligence services. It:
While the GDPR does harmonise the majority of data protection law in the EU, organisations need to be aware that laws will vary in certain areas between Member States. For example, the age of digital consent for children can vary from 13 to 16, and there are exemptions around employment and journalism which may be relevant.
The DPA is a somewhat unapproachable piece of legislation – it's not exactly user-friendly, but it is likely that only limited parts will be relevant for most organisations and we expect updated guidance from the ICO shortly.
Those operating in the UK need to familiarise themselves with the relevant GDPR derogations and those operating across EU borders may also need to look at local legislation.
We highlight some of the more widely applicable commercial aspects of the DPA, including derogations from the GDPR.
While definitions are those used by the GDPR where the GDPR applies, some modifications have been made to DPA definitions where the GDPR is not applicable.
Part 2 deals with the derogations providing exceptions to the GDPR.
Set at 13.
This non-exhaustive list includes processing necessary for:
Derogations allow such processing where there is a justification, for example, to allow:
Special categories of data may also be processed for the following purposes:
Processing of criminal convictions data not carried out by an official authority must meet one of the conditions in Parts 1, 2 or 3 of Schedule 1.
Anyone processing special category or criminal convictions data must establish and maintain an "appropriate policy document". This is in addition to maintaining a record of data processing under Article 30 GDPR. The appropriate policy document must:
Similar to the DPA98 provisions, section 13 contains provisions regulating access to personal data held by credit reference agencies.
Where a significant decision is based on automated processing which is required or authorised by UK law, the following minimum additional safeguards must be put in place (there is scope for the Secretary of State to create additional ones):
Schedules 2, 3 and 4 contain permitted exemptions from some GDPR provisions for specified public interest reasons. The most relevant to businesses are contained in Schedule 2. There is some controversy around the immigration exemption under which there is no need to respond to a Subject Access Request where the data is being processed for the purposes of immigration control. There are concerns that this may lead the EU to withhold an adequacy decision from the UK. Similarly, the DPA does not include all the information required by Article 23(2) GDPR in relation to the exemptions. Broadly, there are exemptions for:
The Secretary of State has the power to make further exemptions under certain conditions.
Proposed arrangements for accrediting certification bodies are outlined in section 17.
Section 18 allows the Secretary of State to stipulate when transfers may be considered to be necessary in the public interest and, conversely, to place limitations on third country transfers in the public interest.
This deals with processing which is outside the scope of the GDPR and other EU law, notably unstructured manual files held by FOI public authorities (for example, handwritten unfiled notes), although there are specific exemptions relating to this kind of processing.
Part 5 covers the duties and powers of the ICO. The ICO is required to advise Parliament, the government and other institutions, issue opinions, cooperate with international regulators, develop international cooperation mechanisms, and prepare a number of codes of practice, including on data sharing, direct marketing, age-appropriate design, and data protection and journalism.
The Secretary of State is empowered to make regulations requiring notification fees.
This covers enforcement including the powers to issue information, assessment and enforcement notices, powers of entry and inspection, the power to impose penalties, procedures around complaints, appeals and remedies, and the introduction of two new criminal offences: