27 January 2020
The Data Protection Act 2018 (DPA) is the main data protection law of the United Kingdom (UK). It brings the EU General Data Protection Regulation (GDPR) into UK law. Any business operating in the UK, whether it is from the UK, the EU, or any other country, should be familiar with the DPA and how the law impacts its day-to-day activities.
The DPA covers every aspect of the processing of personal data, from marketing communications to staff administration. It brings new powers and responsibilities to the UK's Data Protection Authority, the Information Commissioner's Office (ICO).
We're going to help you understand the DPA, consider its relevance to your business, and look at some practical ways you can abide by UK data protection law.
Many people in the UK are familiar with the DPA. Its predecessor legislation, the Data Protection Act 1998, was the primary source of data protection law in the UK for two decades.
However, perhaps even better known than the DPA is the EU law from which it derives - the GDPR. When it took effect in May 2018, the GDPR had such a transformative effect across the EU that many British people don't even realize that it has a UK equivalent.
The GDPR is the EU's main data protection law. The GDPR firmly establishes the EU as the strictest jurisdiction in the world when it comes to data protection and consumer privacy.
The DPA is the UK's version of the GDPR, and so it brings all its rules into the UK.
Under the GDPR, any business operating in the EU must:
The GDPR also requires certain actions from the governments and parliaments of EU countries. For example, EU countries must:
The GDPR is an EU regulation. Regulations are powerful legal instruments that, although created by the EU, take direct effect in each EU country.
Much of the GDPR is addressed directly to people living and working in the EU. Individual EU citizens can oblige national governments to enforce EU regulations even if they have not been entered into national law. To this extent, the DPA is not necessary.
However, the GDPR left some scope for EU countries to amend and adapt certain parts of the law via "implementing legislation." The DPA is one such piece of implementing legislation. Every EU country has one.
So, the DPA serves three main purposes:
At the time of writing, the UK has not left the EU. There is little clarity on what post-Brexit arrangements with the EU will look like - if indeed Brexit goes ahead (which currently appears very likely).
There are no plans to repeal or amend the DPA after Brexit. And the GDPR itself will also be brought directly into UK law, along with other EU legislation, if and when the UK's withdrawal is finalized.
It's impossible to predict with certainty what will happen in any sector after Brexit, and data protection is no exception to this. The UK may need to prove that it is a safe country for the transfer of personal data from the EU. In this case, the DPA will come under very close scrutiny from the European Commission.
The DPA is split into seven parts. Not all of these are likely to be relevant to your company.
The DPA also contains twenty schedules which provide further detail about how the law should be applied.
A lot of the most useful information for businesses is contained in Parts 1 and 2 of the DPA.
The DPA does not contain the entire text of the GDPR, so reading the text directly requires some cross-referencing with the GDPR.
The definitions of key terms in the DPA can mostly be assumed to be identical to the GDPR. However, some definitions are expressed slightly differently.
For example, the DPA defines "personal data" in Part 1:
Personal data is any information relating to an identified or identifiable living individual.
This definition of personal data is somewhat clearer than the one in the GDPR. The definition is equally broad, so you should be aware that your company probably holds a lot of personal data.
Here's the DPA's definition of "processing", which sets out an organized list of examples:
Processing means an operation or operations performed on information or information sets. Examples of operations are given, including collecting, storing, disclosing, using, altering and destroying.
Again, you can see how it's very likely that your business is processing information in the eyes of the DPA.
The DPA's main purpose is to make the GDPR officially binding on people and businesses in the UK. So the most important requirement under the DPA is to obey the GDPR.
Here are some of the most important requirements of the GDPR that must be met by businesses operating in the UK.
The principles of data processing form the backbone of data protection in the EU. These principles are set out in Article 5 of the GDPR.
The DPA applies these principles slightly differently when it comes to UK intelligence and immigration services. But these differences won't apply to most businesses in the UK.
The six principles state that personal data must be:
Here are three practical ways to implement these principles:
The GDPR provides individuals ("data subjects") with a strong set of rights over their personal data. Anyone who controls an individual's personal data (for example, an ecommerce store that stores customers' addresses, or the developer of an app which logs user activity) is required to facilitate these rights.
The DPA brings the GDPR's data subject rights directly into UK law. Again, there are exemptions (some of which are quite controversial) to these rights for intelligence and immigration services. These are on top of the exceptions and restrictions on the data subject rights already present in the GDPR at Article 23.
Most businesses will not be affected by the DPA's exemptions. You should be prepared to respond appropriately if a person approaches your business about their data subject rights.
Where you are processing an individual's personal data, that individual has the right to:
If you receive a valid request then you must normally respond within one calendar month. Unless requests are "manifestly unfounded or excessive," you may not charge a fee.
Here are three practical ways to make it easier for you to facilitate these rights:
The DPA and the GDPR only allow for the processing of personal data on one of six lawful bases. The lawful bases can be considered a set of legal justifications for processing a person's personal data.
The lawful bases are below. You may only process an individual's personal data if:
Every time you process an individual's personal data, you need to know and have a record of your lawful basis for doing so.
This isn't as hard as it might sound. After all, you need to record someone's email address to fulfill an order (contract). If you want to send someone marketing communications, it shouldn't be a problem to ask them first (consent). And if you need to email a customer to let them know there's an issue with their account, this is a minor intrusion with a clear benefit (legitimate interests).
Here are three practical ways you can help ensure you always have a lawful basis for processing:
A big part of the DPA gives new powers to the Information Commissioner's Office (ICO). This is the UK's Data Protection Authority.
The ICO plays several important roles:
Your business might encounter the ICO if:
The ICO is keen to promote itself as an approachable and supportive organization, and a large part of its work is about helping businesses comply with the law.
But remember that the ICO is also capable of imposing huge fines of up to €20 million (around 17.7 million GBP or 22.4 million USD) or 4 percent of annual turnover.
Most businesses that process personal data in the UK must register with the ICO and pay a fee.
Regardless of size, your business will probably need to pay a data protection fee if:
The ICO provides a self-assessment checklist to help companies determine whether they need to pay a data protection fee.
There are exemptions for elected representatives and data processors (who process personal data on behalf of a data controller).
The amount you'll have to pay will vary depending on the size of your company. Don't worry - it's unlikely to break the bank.
Here's a table that shows how the data protection fee varies depending on company size. Note that a company only needs to fulfill either the staff or turnover criteria to fall within a tier.
| Tier | Annual turnover | Number of staff | Annual fee |
|---|---|---|---|
| Tier 1 | £632,000 or less | 10 or fewer | £40 |
| Tier 2 | Between £632,000 and £36 million | Between 10 and 250 | £60 |
| Tier 3 | Over £36 million | More than 250 | £2,000 |
Charities are Tier 1 regardless of their size.
You can pay your fee via the ICO's website.
The DPA is the third generation of UK data protection law. The DPA brings the GDPR into UK law. It also adapts and extends the GDPR in certain areas.
Compliance with the DPA will be an ongoing process. But some good early steps include:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.