When the United Kingdom (UK) left the European Union, there was some confusion about General Data Protection Regulation compliance in the UK. Starting from 01 January 2021, the Data Protection Act 2018 (DPA 2018) is the UK’s implementation of the GDPR. Find out more about the DPA and how it’s different from the EU GDPR.
What Is the UK Data Protection Act 2018?
The Data Protection Act 2018 is a comprehensive data protection law of the United Kingdom. The DPA 2018 is the UK’s implementation of the EU General Data Protection Regulation (GDPR), so it brings the GDPR into UK law. The DPA 2018 also adapts and extends the GDPR to areas of processing not covered by the GDPR.
The DPA 2018 covers every aspect of personal data processing, from marketing communications to staff administration.
The DPA 2018 came into effect on 25 May 2018 – the same day as the GDPR. It was amended on 01 January 2021, after Brexit.
Read more about the key definitions of the DPA 2018.
Personal data should be understood as information that relates to an individual. That individual could be identified or identifiable either directly or indirectly from one or more identifiers.
The UK GDPR defines personal data in the following way: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The UK GDPR also defines special categories of personal data, including:
- ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where this is used for identification purposes);
- health data;
- sex life;
- sexual orientation.
Personal data can also include information related to criminal convictions and offenses.
Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual. Pseudonymization may involve replacing real names with, for example, a reference number. Pseudonymising personal data can help you meet your data protection requirements. However, pseudonymisation is effectively only a secondary measure. It does not change the status of the data as personal data.
The UK GDPR states that pseudonymised personal data is still personal data: “…Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…”
Processing of personal data
Processing of personal data covers a wide range of operations performed on personal data, including data collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
Processing of personal data could be done in two ways:
- personal data processing wholly or partly by automated means (that is – in electronic form);
- non-automated processing (that is – manual information filing in a filing system).
Examples of personal data processing include:
- collection and storage of IP addresses;
- collection of user's interests, biometric, genetic, or health data;
- posting a photo of a person on a website;
- video recording;
- staff management or payroll administration;
- access to a contacts database containing personal data;
- sending promotional emails.
What Is the UK GDPR?
The UK GDPR took effect on 1 January 2021, after Brexit.
After Brexit, the EU GDPR was incorporated into British privacy law – the Data Protection Act 2018 to become the UK GDPR. Currently, UK businesses and organizations must comply with two major data privacy laws:
- The UK GDPR;
- The UK Data Protection Act 2018.
The UK GDPR and DPA 2018 should be taken into account together. Currently, the Data Protection Act 2018 is the primary data protection law in the UK.
The UK GDPR is the UK version of the EU GDPR that sets out the key principles, rights, and obligations for the processing of personal data.
Who Must Comply With the Data Protection Act 2018?
The DPA 2018 applies to the following businesses and organizations:
- Material Scope
Both the DPA 2018 and the UK GDPR apply to all forms of personal data processing based in the United Kingdom, regarding the location of data subjects. Data processing by an individual during a purely personal or household activity is excluded from the scope.
- Territorial Scope
The DPA 2018 applies to all businesses and organizations based in the UK, that are the personal data controllers or processors, regardless of whether the data processing takes place in the UK or not.
The DPA 2018 applies to all businesses and organizations that process the personal data of data subjects who are UK residents.
This means that even if a business or an organization is based outside the UK, but provides goods or services to data subjects within the UK, it must comply with the DPA 2018. The DPA 2018 also applies to a business or an organization based outside the UK, that monitors the digital behavior or collects the personal data of UK residents.
The 7 Principles of the Data Protection Act 2018
There are seven principles of the Data Protection Act 2018 regarding personal data processing:
- Lawfulness, fairness, and transparency. Businesses should be transparent, should process users' personal data in accordance with the law, and respect their data rights.
- Purpose limitation. Businesses should only collect and process personal data for a specified and limited purpose. State the purpose before asking for consent from the data subject.
- Data minimization. Businesses should keep personal data to the minimum necessary for carrying out an intended purpose.
- Accuracy. Keep personal data accurate and up to date. When it is inaccurate or incomplete- take reasonable steps to erase or rectify data.
- Storage limitation. Businesses should store collected personal data for no longer than necessary. When data is no longer necessary, it should be deleted.
- Integrity and confidentiality. Personal data should be processed in a safely and securely. Businesses should implement physical and technological security controls to protect data from unauthorized or unlawful processing, data loss, destruction, or damage.
- Accountability. Businesses should take responsibility for the collected personal data. Use data protection measures that are secure and sufficient.
What Is the Difference Between the EU GDPR and the Data Protection Act 2018?
The UK GDPR and the Data Protection Act 2018 function in the UK, while the EU GDPR covers the countries of the European Economic Area.
Both the EU GDPR and the UK GDPR share core definitions, such as personal data, controller, processor, the data subject, and data processing. The rights of data subjects and legal bases for personal data processing in the EU GDPR and the UK GDPR are also the same.
However, there are some important differences between the Data Protection Act 2018 / UK GDPR and the EU GDPR:
- The rights of data subjects. The EU GDPR protects data subjects to personal data processing. Under the DPA 2018 / UK GDPR, the rights of data subjects can be waived if obstruct a legitimate need to process data for scientific, historical, statistical, or archiving purposes.
- Age of consent for minors. Under the EU GDPR, children can consent to data processing at age 16, while under the DPA 2018 / UK GDPR, children can consent to data processing at age 13.
- Automated decision-making. Under the EU GDPR, data subjects have the right to refuse automated decision-making or profiling. Under the DPA 2018 / UK GDPR, automated decision-making is allowed if the rights and freedoms of data subjects are protected.
- Privacy vs freedom of expression. The EU GDPR allows member states to decide themselves between the right to privacy and the right to freedom of expression and information. The DPA 2018 / UK GDPR gives an exception when personal data is processed for public interests.
- Compliance reports. The DPA 2018 requires organizations to keep "appropriate policy documents" related to special categories of data processing. This is the proof about how the controller complies with the law and how these categories of data are kept and erased.
- Lead data protection regulator. Under the EU GDPR, the law in different countries is enforced by individual regulatory agencies of each member state of the EU. Under the DPA 2018 / UK GDPR, the lead regulator is the Information Commissioner's Office (ICO).
- Data subject access request. The DPA 2018 proivdes exceptions to data subject rights in specific scenarios in which organizations can refuse data subject access requests.
- ICO codes of practice. The DPA 2018 requires the ICO to produce codes of practice to guide organizations on being compliant with the law when processing data in specific scenarios and/or industries.
The UK Data Protection Authority
The UK Data Protection Authority is the Information Commissioner's Office (ICO). It rather promotes itself as an approachable and supportive organization, whose one of the principal tasks is helping businesses comply with the law.
However, the ICO could set a maximum fine of £17.5 million or 4% of annual global turnover, whichever is greater for the UK GDPR or DPA 2018 infringements.
What does the ICO do?
The ICO performs the following functions:
- monitors compliance with data privacy laws including the DPA 2018 and the UK GDPR;
- conducts audits and advisory visits;
- receives and investigates complaints about breaches of the DPA 2018 or the UK GDPR;
- offers advice and guidance on protecting and managing information;
- enforces data privacy regulations, including issuing fines.
The ICO also cooperates with data protection authorities in other countries, including the European Data Protection Board, which has representatives from data protection authorities in each EU member state.
Frequently Asked Questions
What is the UK Data Protection Act 2018?
How does Data Protection Act 2018 define the processing of personal data?
Processing of personal data covers a wide range of operations performed on personal data, including data collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. Find out more at CookieScript privacy laws.
Is pseudonymized data still personal data under the DPA 2018?
Pseudonymising personal data can help you meet your data protection requirements. However, pseudonymisation does not change the status of the data as personal data, which still remains personal data. Read more about the key definitions of privacy laws at CookieScript.
What Is the Difference Between the EU GDPR and the Data Protection Act 2018?
While both the EU GDPR and the UK GDPR share the core definitions, there are some differences between the DPA 2018 and the EU GDPR, including the rights of data subjects, age of consent for minors, rights regarding automated decision-making, privacy vs freedom of expression, etc. Find out more at CookieScript privacy laws.
What are the 7 Principles of the Data Protection Act 2018?
These are seven principles of the DPA 2018 regarding personal data processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Find out more at CookieScript privacy laws.