Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
On this page
- 1. The GDPR and the DPA
- 1.1. What is the GDPR?
- 1.2. Why Is the DPA Necessary if the GDPR Already Exists?
- 2. Overview of the DPA
- 2.1. Definitions of Key Terms
- 3. Requirements of the DPA
- 3.1. Apply the Principles of Data Processing
- 3.2. Respect Data Subject Rights
- 3.3. Determine Your Lawful Bases
- 4. The Information Commissioner's Office
- 4.1. What Does the ICO Do?
- 4.2. Do You Need to Pay an ICO Data Protection Fee?
- 4.3. How Much Is the ICO Data Protection Fee?
- 5. History of the DPA (1998)
- 5.1. The 8 Principles
- 6. Summary
The Data Protection Act 2018 (DPA) is the main data protection law of the United Kingdom (UK). When it was passed, it brought the EU General Data Protection Regulation (GDPR) into UK law; since the UK left the EU, the GDPR continues to apply in the UK as retained law known as the "UK GDPR", which the DPA supplements and amends. Any business operating in the UK, whether it is from the UK, the EU, or any other country, should be familiar with the DPA and how the law impacts its day-to-day activities.
The DPA covers every aspect of the processing of personal data, from marketing communications to staff administration. It brings new powers and responsibilities to the UK's Data Protection Authority, the Information Commissioner's Office (ICO).
We're going to help you understand the DPA, consider its relevance to your business, and look at some practical ways you can abide by UK data protection law.
The GDPR and the DPA
Many people in the UK are familiar with the DPA. Its predecessor legislation, the Data Protection Act 1998, was the primary source of data protection law in the UK for two decades.
However, perhaps even better known than the DPA is the EU law from which it derives - the GDPR. When it took effect in May 2018, the GDPR had such a transformative effect across the EU that many British people don't even realize that it has a UK equivalent.
What is the GDPR?
The GDPR is the EU's main data protection law. It established the EU as one of the strictest jurisdictions in the world when it comes to data protection and consumer privacy.
The DPA is the UK's counterpart to the GDPR: it makes the GDPR's rules operate in the UK and fills in the details the GDPR leaves to each country.
Under the GDPR, any business operating in the EU must:
- Apply six principles of data processing whenever handling personal data
- Facilitate the eight rights that individuals in the EU may exercise over their personal data
- Comply with strict rules around the international transfer of personal data
The GDPR also requires certain actions from the governments and parliaments of EU countries. For example, EU countries must:
- Introduce national legislation that implements the GDPR and reconcile it with other national law
- Create or empower an independent Data Protection Authority to monitor, promote and regulate data protection at a national level
- Ensure that the GDPR's heavy administrative fines (up to €20 million) can be enforced under the country's laws
Why Is the DPA Necessary if the GDPR Already Exists?
The GDPR is an EU regulation. Regulations are powerful legal instruments that, although created by the EU, take direct effect in each EU country.
Much of the GDPR is addressed directly to people living and working in the EU. Because a regulation is directly applicable, individuals can rely on it before their national courts and authorities even if it has never been copied into national law. To this extent, the DPA is not strictly necessary.
However, the GDPR left some scope for EU countries to amend and adapt certain parts of the law via "implementing legislation." The DPA is one such piece of implementing legislation. Every EU country has one.
So, the DPA serves three main purposes:
- It formally brings the GDPR into UK law via the UK's national legislating process
- It amends and exempts certain parts of the GDPR as they apply to the UK
- It extends UK data protection law to certain areas that are not covered by the GDPR
Overview of the DPA
The DPA is split into seven parts. Not all of these are likely to be relevant to your company.
- Part 1: Preliminary (overview and definitions)
- Part 2: General processing (supplementing the GDPR and extending it into areas it does not cover)
- Part 3: Law enforcement processing
- Part 4: Intelligence services processing
- Part 5: The Information Commissioner's Office (ICO)
- Part 6: Enforcement of the DPA
- Part 7: Supplementary and final provisions
The DPA also contains twenty schedules which provide further detail about how the law should be applied.
A lot of the most useful information for businesses is contained in Parts 1 and 2 of the DPA.
The DPA does not contain the entire text of the GDPR, so reading the text directly requires some cross-referencing with the GDPR.
Definitions of Key Terms
The definitions of key terms in the DPA can mostly be assumed to be identical to the GDPR. However, some definitions are expressed slightly differently.
For example, the DPA defines "personal data" in Part 1:
Personal data is any information relating to an identified or identifiable living individual.
This definition of personal data is somewhat clearer than the one in the GDPR. It is equally broad, so you should assume that your company holds a lot of personal data: names, email addresses, IP addresses and customer IDs all qualify when they relate to someone who can be identified.
The DPA's definition of "processing" (paraphrased here) sets out an organized list of examples:
Processing means an operation or set of operations performed on information or sets of information. The examples given include collection, recording, storage, alteration, retrieval, use, disclosure, combination, restriction, erasure and destruction.
Again, you can see how it's very likely that your business is processing information in the eyes of the DPA.
Requirements of the DPA
The DPA's main purpose is to make the GDPR officially binding on people and businesses in the UK. So the most important requirement under the DPA is to obey the GDPR.
Here are some of the most important requirements of the GDPR that must be met by businesses operating in the UK.
Apply the Principles of Data Processing
The principles of data processing form the backbone of data protection in the EU. They are set out in Article 5 of the GDPR, which also adds an overarching accountability principle: you must be able to demonstrate that you comply with the other principles, not merely comply with them.
The DPA applies these principles slightly differently when it comes to UK intelligence and immigration services. But these differences won't apply to most businesses in the UK.
The six principles state that personal data must be:
- Processed lawfully, fairly and in a transparent manner (lawfulness, fairness, and transparency)
- Only processed for a specified and limited purpose (purpose limitation)
- Kept to the minimum necessary for carrying out a specific purpose (data minimization)
- Kept accurate and up-to-date (accuracy)
- Stored for no longer than necessary (storage limitation)
- Processed in a safe and secure way (integrity and confidentiality)
Here are three practical ways to implement these principles:
- Conduct a data audit. This will ensure you know what personal data you hold, where it lives, and how it flows around your company.
- Create a Data Protection Policy. This will help people working in your company to understand the law and respond to data breaches.
- Set and enforce retention periods, so that personal data is deleted once the purpose it was collected for has been served (storage limitation).
Respect Data Subject Rights
The GDPR provides individuals ("data subjects") with a strong set of rights over their personal data. Anyone who controls an individual's personal data (for example, an ecommerce store that stores customers' addresses, or the developer of an app which logs user activity) is required to facilitate these rights.
The DPA brings the GDPR's data subject rights directly into UK law. Again, there are exemptions (some of which are quite controversial) to these rights for intelligence and immigration services. These are on top of the exceptions and restrictions on the data subject rights already present in the GDPR at Article 23.
Most businesses will not be affected by the DPA's exemptions. You should be prepared to respond appropriately if a person approaches your business about their data subject rights.
Where you are processing an individual's personal data, that individual has the right to:
- Receive transparent information about your company's data processing practices
- Access a copy of their personal data
- Rectify their personal data if it is inaccurate
- Erase their personal data where appropriate
- Request that you restrict your processing of their personal data
- Request a portable copy of their personal data in a structured, commonly used and machine-readable format (data portability)
- Object to your processing of their personal data
- Request human intervention if you make certain highly significant automated decisions about them using their personal data
If you receive a valid request then you must normally respond within one calendar month of receiving it. For complex or numerous requests this can be extended by up to two further months, but you must tell the individual within the first month that you are extending and why. Unless requests are "manifestly unfounded or excessive," you may not charge a fee.
Here are three practical ways to make it easier for you to facilitate these rights:
- Erase old or unnecessary personal data that might be inaccurate or out-of-date. Holding less data reduces what you have to locate, check and disclose when a request arrives.
- Consider ways you can make it easy for your customers to exercise their rights, for example via a form on your website.
- Ensure that any personal data you store is well-organized and that you can access an individual's information on request.
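The one-calendar-month deadline above is where request handling most often goes wrong, because months differ in length and the clock starts on the day of receipt even if that is a weekend. The following is an added example written for this page, not code from the original article or from the ICO. The end-of-month rule (no corresponding date, so the last day of the next month) and the weekend/bank-holiday rule (deadline moves to the next working day) are taken from the ICO's published guidance on time limits and should be checked against the current version before you rely on them; the bank-holiday set below is a constructed sample for illustration only.

```python
"""Compute the statutory response deadline for a data subject request.

Added example, not from the original article. The "one calendar month"
rule comes from the text above; the month-end and weekend/bank-holiday
handling follows ICO guidance on time limits (assumption: verify against
the current guidance before using this in anger).
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta

# Constructed sample of UK bank holidays for illustration only. In
# production load the real list (for example from gov.uk) for every year
# your deadlines can fall in.
BANK_HOLIDAYS = {
    date(2024, 12, 25),
    date(2024, 12, 26),
    date(2025, 1, 1),
}


def add_calendar_months(start: date, months: int) -> date:
    """Return the corresponding date `months` later.

    If the later month is shorter and has no corresponding day
    (31 January -> February), use the last day of that month.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def is_working_day(d: date, bank_holidays=BANK_HOLIDAYS) -> bool:
    """Monday to Friday and not a bank holiday."""
    return d.weekday() < 5 and d not in bank_holidays


def next_working_day(d: date, bank_holidays=BANK_HOLIDAYS) -> date:
    """Roll forward until the date is a working day (no change if it already is)."""
    while not is_working_day(d, bank_holidays):
        d += timedelta(days=1)
    return d


def response_deadline(received: date, extension_months: int = 0,
                      bank_holidays=BANK_HOLIDAYS) -> date:
    """Deadline for responding to a request received on `received`.

    The clock starts on the day of receipt, whether or not that is a
    working day. `extension_months` (0, 1 or 2) models the GDPR Article
    12(3) extension for complex or numerous requests; the individual
    must be told about the extension within the first month.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("the extension can be at most two further months")
    due = add_calendar_months(received, 1 + extension_months)
    return next_working_day(due, bank_holidays)


def response_deadline_iso(received: str, extension_months: int = 0) -> str:
    """Same as response_deadline but taking and returning ISO date strings."""
    return response_deadline(date.fromisoformat(received), extension_months).isoformat()


if __name__ == "__main__":
    # Demo over the awkward cases: leap-year February, a request received
    # on a Saturday, and a due date that lands on the Christmas holidays.
    for received in ("2024-01-31", "2023-01-31", "2024-11-30", "2024-11-25"):
        print(received, "->", response_deadline_iso(received))
```

Keep the received date (not the date someone first read the request) as the start of the clock, and store the computed deadline alongside the request so that a missed date is visible before, not after, it passes.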
Determine Your Lawful Bases
The DPA and the GDPR only allow for the processing of personal data on one of six lawful bases. The lawful bases can be considered a set of legal justifications for processing a person's personal data.
The lawful bases are below. You may only process an individual's personal data if:
- You have the individual's freely given, specific, informed, unambiguous and affirmative consent
- You need to process the individual's personal data to fulfill your obligations under a contract with them, or in order to enter into a contract with them
- You are under a legal obligation to process the individual's personal data
- A person's life or health (vital interests) would be in danger if you failed to process the individual's personal data
- You are exercising official authority to carry out a public task
- You have determined that your business has a legitimate interest in processing the individual's personal data, the processing is necessary for that interest, and you've weighed the benefits against the risk to the individual's rights and found that their interests do not override yours
Every time you process an individual's personal data, you need to know and have a record of your lawful basis for doing so.
This isn't as hard as it might sound. After all, you need to record someone's email address to fulfill an order (contract). If you want to send someone marketing communications, it shouldn't be a problem to ask them first (consent). And if you need to email a customer to let them know there's an issue with their account, this is a minor intrusion with a clear benefit (legitimate interests).
Here are three practical ways you can help ensure you always have a lawful basis for processing:
- Review your methods of direct marketing and your use of cookies to ensure you're getting valid consent for these activities (in the UK, cookies and electronic marketing are governed by the Privacy and Electronic Communications Regulations, which apply the GDPR's standard of consent)
- Carry out a Legitimate Interests Assessment whenever you think you might be able to rely on legitimate interests
- Insert clauses about your requirements for personal data into your contracts, and make sure you let people know what will happen if they don't want to provide you with this
The Information Commissioner's Office
A big part of the DPA gives new powers to the Information Commissioner's Office (ICO). This is the UK's Data Protection Authority.
What Does the ICO Do?
The ICO plays several important roles:
- Receiving and investigating complaints about breaches of the DPA
- Promoting data protection best practices and providing guidance to the public
- Advising businesses and public bodies on how to comply with the DPA
- Enforcing the law, including issuing enforcement notices and administrative fines
Your business might encounter the ICO if:
- You need to report a personal data breach (a breach that is likely to result in a risk to individuals must be reported without undue delay and, where feasible, within 72 hours of becoming aware of it)
- You need advice on carrying out a Data Protection Impact Assessment
- Someone has alleged that your company has violated data protection or privacy law
The ICO is keen to promote itself as an approachable and supportive organization, and a large part of its work is about helping businesses comply with the law.
But remember that the ICO is also capable of imposing huge fines of up to €20 million (around 17.7 million GBP or 22.4 million USD at the time of writing; the UK GDPR now expresses this as £17.5 million) or 4 percent of annual worldwide turnover, whichever is higher.
Do You Need to Pay an ICO Data Protection Fee?
Most businesses that process personal data in the UK must register with the ICO and pay an annual data protection fee.
Regardless of size, your business will probably need to pay a data protection fee if:
- It is established in the UK
- It processes personal data
- It is a data controller. A data controller decides how and why to process personal data.
- It does not fall within an exemption. You are exempt only if you process personal data solely for certain "core business purposes," such as staff administration, advertising, marketing and public relations for your own business (not on behalf of others), or keeping accounts and records.
The ICO provides a self-assessment checklist to help companies determine whether they need to pay a data protection fee.
There are also exemptions for elected representatives and for data processors (who process personal data only on behalf of a data controller).
How Much Is the ICO Data Protection Fee?
The amount you'll have to pay will vary depending on the size of your company. Don't worry - it's unlikely to break the bank.
Here's a table that shows how the data protection fee varies depending on company size. You fall into the lowest tier for which you meet either the turnover or the staff criterion; Tier 3 applies only if you meet neither criterion of Tiers 1 and 2.
| Tier | Annual turnover | Number of staff | Annual fee |
| --- | --- | --- | --- |
| Tier 1 | £632,000 or less | 10 or fewer | £40 |
| Tier 2 | £36 million or less | 250 or fewer | £60 |
| Tier 3 | Over £36 million | More than 250 | £2,900 |
Charities pay the Tier 1 fee regardless of their size. The fee is payable every year, and failing to pay when you are required to is itself something the ICO can penalise.
You can pay your fee via the ICO's website.
History of the DPA (1998)
The first Data Protection Act was passed in 1984. It was superseded by the Data Protection Act 1998, which in turn was replaced by the DPA 2018 discussed in the earlier part of this article. The 1998 Act protected individuals against the misuse or abuse of their personal information.
It had 8 principles that you can still see in action today in privacy laws around the world, and that are carried forward, in updated form, into the GDPR and the DPA 2018.
The 8 Principles
The DPA had 8 principles that defined how you, as a business, could collect and use personal data from users. It also included what rights the users had on the collected personal data you had on them.
Principle #1: Process personal data fairly and lawfully
The Data Protection Act required you to process any kind of personal data fairly and lawfully.
This means that you needed to:
- Have legitimate reasons for collecting and using data from users
- Avoid using the collected data in ways that could have an adverse effect on your users
- Do nothing illegal with the collected data
Principle #2: Process personal data only for the specified purposes
This means that you needed to:
- Be very clear in your agreement why you're collecting the data from your users
- Inform users through the legal agreement what you're going to do with the collected data
Principle #3: Collect only personal data you need and ensure that it's sufficient
Principle #3 of the DPA 1998 said:
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
"Adequate, relevant and not excessive" is not defined by the Act, but read Principle #3 in the context of the Act as a whole:
- Don't hold more personal data than you need
- Don't process (collect, use or store) personal data that is not relevant to, or goes beyond what is needed for, your stated purposes
Principle #4: Keep collected personal data accurate and up-to-date
Principle #4 of the DPA 1998 was clear:
Personal data shall be accurate and, where necessary, kept up to date.
You needed to make sure you took all steps to ensure that whatever collected data you had on users was accurate.
This may have included prompting users to update the information they had with you.
Principle #5: Don't retain collected personal data longer than it is necessary
The retention requirement of the Data Protection Act didn't state a specific period for how long or how little you could store user data.
However, you may have needed to review how long you kept the user data and if it was necessary to keep it for that long in the context of your stated purposes.
If the collected data didn't need to be stored for a very long period, it should have been deleted. Considerations should have been given on whether to update or archive the data if it was out of date.
Principle #6: Individuals have rights
The DPA gave individuals rights in regard to the personal data you had collected on them:
- The right to access a copy of their collected personal data
- The right to object if your way of processing data might cause them damage or distress
- The right to prevent you from processing their data for direct marketing purposes
- The right to object to decisions being taken by automated means
- The right to - in certain cases - have their collected personal data either updated or deleted
- The right to claim compensation for damages if caused by a breach of the Act
Principle #7: Manage the security of the collected personal data
The main points of Principle #7 of DPA meant that you were responsible for safely keeping user data.
For example, if you were an ecommerce store it was recommended to serve your site over HTTPS using a TLS ("SSL") certificate, so that user data was encrypted in transit between the browser and your servers.
Principle #8: Don't transfer collected personal data outside the European Economic Area unless...
Here's what the DPA said on where you could transfer collected personal data, usually referred to as "international data transfer":
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
You could transfer the collected data, either yourself or through the third parties you used, as long as the country you were transferring it to provided an adequate level of protection for individuals' privacy.
Safe Harbor, a program between the EU and the U.S., is an example of such an arrangement. It was invalidated by the Court of Justice of the EU in 2015, and its successor, the Privacy Shield, was invalidated in 2020, so neither can be relied on today.
Summary
The DPA is the third generation of UK data protection law. The DPA brings the GDPR into UK law. It also adapts and extends the GDPR in certain areas.
Compliance with the DPA will be an ongoing process. But some good early steps include:
- Consider how the principles of data processing apply to your business
- Conduct a data audit
- Create a Data Protection Policy
- Be ready to facilitate your customers' data subject rights
- Keep personal data up-to-date and to a minimum in order to reduce the number of requests
- Consider creating a form or other method to help your customers exercise their rights
- Keep personal data well-organized so you can retrieve it on request
- Determine your lawful basis for processing
- Ensure you're getting consent in the right way for the right things
- Conduct a Legitimate Interests Assessment if necessary
- Consider amending any contracts that are contingent on the processing of personal data
- Check whether you need to pay a data protection fee to the ICO