The Data Protection Act 2018 (DPA) is the main data protection law of the United Kingdom (UK). It brings the EU General Data Protection Regulation (GDPR) into UK law. Any business operating in the UK, whether it is from the UK, the EU, or any other country, should be familiar with the DPA and how the law impacts its day-to-day activities.
The DPA covers every aspect of the processing of personal data, from marketing communications to staff administration. It brings new powers and responsibilities to the UK's Data Protection Authority, the Information Commissioner's Office (ICO).
We're going to help you understand the DPA, consider its relevance to your business, and look at some practical ways you can abide by UK data protection law.
The GDPR and the DPA
Many people in the UK are familiar with the DPA. Its predecessor legislation, the Data Protection Act 1998, was the primary source of data protection law in the UK for two decades.
However, perhaps even better known than the DPA is the EU law from which it derives - the GDPR. When it took effect in May 2018, the GDPR had such a transformative effect across the EU that many British people don't even realize that it has a UK equivalent.
What is the GDPR?
The GDPR is the EU's main data protection law. The GDPR firmly establishes the EU as the strictest jurisdiction in the world when it comes to data protection and consumer privacy.
The DPA is the UK's version of the GDPR, and so it brings all its rules into the UK.
Under the GDPR, any business operating in the EU must:
- Apply six principles of data processing whenever handling personal data
- Facilitate the eight rights that individuals in the EU may exercise over their personal data
- Comply with strict rules around the international transfer of personal data
The GDPR also requires certain actions from the governments and parliaments of EU countries. For example, EU countries must:
- Introduce national legislation that implements the GDPR and reconcile it with other national law
- Create or empower an independent Data Protection Authority to monitor, promote and regulate data protection at a national level
- Ensure that the GDPR's heavy administrative fines (up to €20 million) can be enforced under the country's laws
Why Is the DPA Necessary if the GDPR Already Exists?
The GDPR is an EU regulation. Regulations are powerful legal instruments that, although created by the EU, take direct effect in each EU country.
Much of the GDPR is addressed directly to people living and working in the EU. Individual EU citizens can oblige national governments to enforce EU regulations even if they have not been entered into national law. To this extent, the DPA is not necessary.
However, the GDPR left some scope for EU countries to amend and adapt certain parts of the law via "implementing legislation." The DPA is one such piece of implementing legislation. Every EU country has one.
So, the DPA serves three main purposes:
- It formally brings the GDPR into UK law via the UK's national legislating process
- It amends and exempts certain parts of the GDPR as they apply to the UK
- It extends UK data protection law to certain areas that are not covered by the GDPR
What Impact Will Brexit Have on the DPA?
At the time of writing, the UK has not left the EU. There is little clarity on what post-Brexit arrangements with the EU will look like - if indeed Brexit goes ahead (which currently appears very likely).
There are no plans to repeal or amend the DPA after Brexit. And the GDPR itself will also be brought directly into UK law, along with other EU legislation, if and when the UK's withdrawal is finalized.
It's impossible to predict with certainty what will happen in any sector after Brexit, and data protection is no exception to this. The UK may need to prove that it is a safe country for the transfer of personal data from the EU. In this case, the DPA will come under very close scrutiny from the European Commission.
Overview of the DPA
The DPA is split into seven parts. Not all of these are likely to be relevant to your company.
- Overview of the DPA
- Supplement to the GDPR and extension of the GDPR into new areas
- Law enforcement
- Intelligence services
- The Information Commissioner's Office (ICO)
- Enforcement of the DPA
- Other provisions
The DPA also contains twenty schedules which provide further detail about how the law should be applied.
A lot of the most useful information for businesses is contained in Parts 1 and 2 of the DPA.
The DPA does not contain the entire text of the GDPR, so reading the text directly requires some cross-referencing with the GDPR.
Definitions of Key Terms
The definitions of key terms in the DPA can mostly be assumed to be identical to the GDPR. However, some definitions are expressed slightly differently.
For example, the DPA defines "personal data" in Part 1:
Personal data is any information relating to an identified or identifiable living individual.
This definition of personal data is somewhat clearer than that in the GDPR. The definition is equally broad, and so you should be aware that your company probably holds a lot of personal data.
Here's the DPA's definition of "processing", which sets out an organized list of examples:
Processing means an operation or operations performed on information or information sets. Examples of operations are given, including collecting, storing, disclosing, using, altering and destroying.
Again, you can see how it's very likely that your business is processing information in the eyes of the DPA.
Requirements of the DPA
The DPA's main purpose is to make the GDPR officially binding on people and businesses in the UK. So the most important requirement under the DPA is to obey the GDPR.
Here are some of the most important requirements of the GDPR that must be met by businesses operating in the UK.
Apply the Principles of Data Processing
The principles of data processing form the backbone of data protection in the EU. These principles are set out in Article 5 of the GDPR.
The DPA applies these principles slightly differently when it comes to UK intelligence and immigration services. But these differences won't apply to most businesses in the UK.
The six principles state that personal data must be:
- Processed in accordance with the law and in the spirit of transparency (lawfulness, fairness, and transparency)
- Only processed for a specified and limited purpose (purpose limitation)
- Kept to the minimum necessary for carrying out a specific purpose (data minimization)
- Kept accurate and up-to-date (accuracy)
- Stored for no longer than necessary (storage limitation)
- Processed in a safe and secure way (integrity and confidentiality)
Here are three practical ways to implement these principles:
- Conduct a data audit. This will ensure you know how personal data flows around your company.
- Create a Data Protection Policy. This will help people working in your company to understand the law and respond to data breaches.
Respect Data Subject Rights
The GDPR provides individuals ("data subjects") with a strong set of rights over their personal data. Anyone who controls an individual's personal data (for example, an ecommerce store that stores customers' addresses, or the developer of an app which logs user activity) is required to facilitate these rights.
The DPA brings the GDPR's data subject rights directly into UK law. Again, there are exemptions (some of which are quite controversial) to these rights for intelligence and immigration services. These are on top of the exceptions and restrictions on the data subject rights already present in the GDPR at Article 23.
Most businesses will not be affected by the DPA's exemptions. You should be prepared to respond appropriately if a person approaches your business about their data subject rights.
Where you are processing an individual's personal data, that individual has the right to:
- Receive transparent information about your company's data processing practices
- Access a copy of their personal data
- Rectify their personal data if it is inaccurate
- Erase their personal data where appropriate
- Request that you restrict your processing of their personal data
- Request a portable copy of their personal data in an accessible format
- Object to your processing of their personal data
- Request human intervention if you make certain highly significant automated decisions about them using their personal data
If you receive a valid request then you must normally respond within one calendar month. Unless requests are "manifestly unfounded or excessive," you may not charge a fee.
Here are three practical ways to make it easier for you to facilitate these rights:
- Make sure you erase old or unnecessary personal data that might be inaccurate or out-of-date. This might reduce the likelihood that you receive a request.
- Consider ways you can make it easy for your customers to exercise their rights, for example via a form on your website.
- Ensure that any personal data you store is well-organized and that you can access an individual's information on request.
Determine Your Lawful Bases
The DPA and the GDPR only allow for the processing of personal data on one of six lawful bases. The lawful bases can be considered a set of legal justifications for processing a person's personal data.
The lawful bases are below. You may only process an individual's personal data if:
- You have the individual's freely given, specific, informed, unambiguous and affirmative consent
- You need to process the individual's personal data to fulfill your obligations under a contract with them, or in order to enter into a contract with them
- You are under a legal obligation to process the individual's personal data
- A person's life or health (vital interests) would be in danger if you failed to process the individual's personal data
- You are exercising official authority to carry out a public task
- You have determined that your business has a legitimate interest in processing the individual's personal data, and you've weighed the benefits of doing so against the risk to the individual's privacy
Every time you process an individual's personal data, you need to know and have a record of your lawful basis for doing so.
This isn't as hard as it might sound. After all, you need to record someone's email address to fulfill an order (contract). If you want to send someone marketing communications, it shouldn't be a problem to ask them first (consent). And if you need to email a customer to let them know there's an issue with their account, this is a minor intrusion with a clear benefit (legitimate interests).
Here are three practical ways you can help ensure you always have a lawful basis for processing:
- Review your methods of direct marketing and using cookies to ensure you're getting valid consent for these activities
- Carry out a Legitimate Interests Assessment whenever you think you might be able to rely on legitimate interests
- Insert clauses about your requirements for personal data into your contracts, and make sure you let people know what will happen if they don't want to provide you with this
The Information Commissioner's Office
A big part of the DPA gives new powers to the Information Commissioner's Office (ICO). This is the UK's Data Protection Authority.
What Does the ICO Do?
The ICO plays several important roles:
- Receiving and investigating complaints about breaches of the DPA
- Promoting data protection best practices and providing guidance to the public
- Advising businesses and public bodies on how to comply with the DPA
Your business might encounter the ICO if:
The ICO is keen to promote itself as an approachable and supportive organization, and a large part of its work is about helping businesses comply with the law.
But remember that the ICO is also capable of imposing huge fines of up to €20 million (around 17.7 million GBP or 22.4 million USD) or 4 percent of annual turnover.
Do You Need to Pay an ICO Data Protection Fee?
Most businesses that process personal data in the UK must register and pay a fee to the ICO.
Regardless of size, your business will probably need to pay a data protection fee if:
- It is established in the UK
- It processes personal data
- It processes personal data for purposes other than its core services, which include:
  - Advertising (unless it's on behalf of others)
- It is a data controller. A data controller decides how and why to process personal data.
The ICO provides a self-assessment checklist to help companies determine whether they need to pay a data protection fee.
There are exemptions for elected representatives and data processors (who process personal data on behalf of a data controller).
How Much Is the ICO Data Protection Fee?
The amount you'll have to pay will vary depending on the size of your company. Don't worry - it's unlikely to break the bank.
Here's a table that shows how the data protection fee varies depending on company size. Note that a company only needs to fulfill either the staff or turnover criteria to fall within a tier.
| Tier | Turnover | Number of staff |
|---|---|---|
| Tier 1 | £632,000 or less | 10 or fewer |
| Tier 2 | Between £632,000 and £36 million | Between 10 and 250 |
| Tier 3 | Over £36 million | More than 250 |
Charities are Tier 1 regardless of their size.
You can pay your fee via the ICO's website.
The DPA is the third generation of UK data protection law. The DPA brings the GDPR into UK law. It also adapts and extends the GDPR in certain areas.
Compliance with the DPA will be an ongoing process. But some good early steps include:
- Consider how the principles of data processing apply to your business
- Conduct a data audit
- Create a Data Protection Policy
- Be ready to facilitate your customers' data subject rights
- Keep personal data up-to-date and to a minimum in order to reduce the number of requests
- Consider creating a form or other method to help your customers exercise their rights
- Keep personal data well-organized so you can retrieve it on request
- Determine your lawful basis for processing
- Ensure you're getting consent in the right way for the right things
- Conduct a Legitimate Interests Assessment if necessary
- Consider amending any contracts that are contingent on the processing of personal data
- Check whether you need to pay a data protection fee to the ICO