Over the last couple of years, compliance has become a bane of our business lives. Like a spectre hanging over our heads, the General Data Protection Regulation (GDPR) pulled at our time and resources. The regulation was finally enacted on May 25, 2018. But in the UK, we also have the Data Protection Act (DPA) hanging around our necks.
The DPA originally entered our working lives back in 1995. It was updated in 1998 to reflect the GDPR’s predecessor, the EU’s Data Protection Directive (DPD) 1995 (Directive 95/46/EC). The DPA, like the EU’s DPD, is a law that determines how we, as a business, protect personal data.
Jump forward to 2018 and all hell breaks loose with the update to the EU’s DPD, the GDPR. And, along with it, the UK’s DPA becomes the DPA 2018.
In this article, I’ll take a look at the two acts and where they coincide or diverge. Hopefully, this will shine a light on them, so you don’t replicate work or miss vital requirement differences.
What the DPA 2018 and GDPR Have in Common
In general, the DPA 2018 and the GDPR are laws that exist to protect personal data. For the most part, the two regulations align. They both defend the data subject rights as outlined in the GDPR; these rights ensure that the owners of the personal data, aka your customers, employees, etc., have rights to control the data they share with you.
One thing worth noting: the DPA previously had lower fine thresholds. This is demonstrated by fines in the region of £385,000 for Uber when it failed to protect personal data during the 2016 breach. Now, the DPA has embraced the much larger fine levels of the GDPR: up to 4% of gross global revenue or 20 million euros, whichever is higher.
Where the DPA 2018 and GDPR Diverge
The DPA 2018 moves away from the GDPR in certain areas. The DPA 2018 is split into seven individual parts; according to the Information Commissioner’s Office (ICO), the areas of divergence are in parts 2, 3 and 4:
Part 2, Chapter 2: This deals in detail with the GDPR provisions.
This part adds detail to the GDPR requirements and extends them to meet UK needs.
- This section sets out in clear terms the meaning of ‘controller’, ‘public authority’ and ‘public body’.
- Consent for children is set at 16 years in the GDPR; the DPA 2018 sets the age limit at 13 years.
- Special categories of data have more stringent protection under the GDPR. The DPA 2018 is updated to apply more granularity and extend the circumstances in which they can be processed. For more details see section 11 of part 2 of the act.
- Fee limits are placed on those applied to data controllers.
- Safeguards for automated decision making are extended, with the act explaining what a “significant decision” entails.
- Credit file agencies are offered a limit to the extent to which the EU GDPR’s right of access applies.
- Accreditation of certification is limited to the Commissioner or the national accreditation body, which, in the UK, is UKAS.
- This section is particularly interesting: “Power to make further exemptions etc by regulations”. It builds in a provision to make exemptions to various articles of the GDPR, including several data subject rights such as the right to erasure and the right of access.
- Safeguards for using data for research and archiving.
- Transferring data to third countries is also extended, especially if it is deemed to be in the public interest.
Part 2, Chapter 3: Other General Processing, also termed “The Applied GDPR”
This extends the GDPR to cover certain unusual or rare circumstances. Schedule 6 of the DPA 2018 goes into further detail.
The main extensions are in these areas:
- automated or structured processing of personal data in circumstances where the processing:
  - is outside of EU law
  - falls within the scope of Article 2(2)(b) of the GDPR (common foreign and security policy activities)
- personal data that is unstructured and held by an FOI public authority
Part 3 – Law enforcement data processing
This part applies specifically to law enforcement agencies. If you are wondering what this means, specifically, here is the section pulled out which defines law enforcement in this context:
“‘the law enforcement purposes’ are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”
The major difference between this part and the GDPR is that the requirement to process personal data transparently has been removed (to prevent any prejudice to a criminal investigation).
Part 4 – The “Intelligence Services” section
This section applies to three identified intelligence agencies, namely the Security Service (MI5), the Secret Intelligence Service (MI6) and GCHQ.
This section reflects the GDPR data subject rights. These include the right to erasure, access, rectification, etc. The regime for the three covered entities is slightly modified from the GDPR in its wording, referring to ‘security measures’ as opposed to ‘technical and organisational measures’.
And Finally, the Dreaded B Word
I have to bring it up, sorry. I don’t want to, but I must. Brexit. How does leaving the EU impact the UK’s data protection laws?
The DPA 2018 is a UK law and so should not be affected by leaving the EU unless parliament determines that it will be. And let’s face it, who knows the answer to that one.
Ultimately, however, the GDPR is a very wide-reaching directive that impinges on state laws. If we leave the EU, your organisation may still be held to account under the GDPR if you process the data of a citizen in an EU state.