Data Protection Act 2018

Since its inception, the Data Protection Act (DPA) 2018 has empowered individuals to take control of their personal data and protect their rights, which is particularly important with evolving technological advances. 

Understanding the Data Protection Act 2018 & Principles

• What is the Data Protection Act (DPA) 2018?
• Why is the DPA 2018 important?
• What do you need to know about the DPA 2018?
• How does the DPA 2018 impact your company?
• What are data protection principles?
• What are the seven principles of the DPA?
• What does each principle mean in practice?
• How can you comply with the data protection principles?
• Why are the data protection principles important?

What is the Data Protection Act (DPA) 2018?

In 2018, the Data Protection Act 2018 (DPA 2018) became the main data protection law of the UK. It was passed to line up the UK's national legislation with the EU GDPR. The DPA 2018 details the main requirements for protecting the personal data of UK individuals processed by businesses in the UK or globally.

When the UK left the EU, the UK GDPR was passed and came into effect in February 2021. Before 2018, the UK passed the Privacy and Electronic Communication Regulations (PECR) 2003 to transpose the EU's ePrivacy Directive into national law.

These regulations set the rules for the security of electronic communication, cookies, and direct marketing. In short, the DPA 2018, the UK GDPR, and the PECR form the foundations of UK data protection law.

Why is the Data Protection Act 2018 important?

This act is essential as it compels individuals to take charge of their personal data, enabling businesses to process it lawfully. This means that individuals now have the right to:

• Be informed about where and how their data is being used
• Request incorrect data to be updated
• Ask for data to be erased
• End or restrict the processing of their data
• Enquire as to whether they can reuse the personal data you hold for other services
• Express dissatisfaction with how their data is processed, especially in automated decision-making and profiling situations.

The Information Commissioner's Office (ICO) provides additional guidance on these rights for companies. Businesses must also conduct training at least once a year to educate both permanent and temporary employees on implementing the DPA 2018 in their daily responsibilities.

The ICO offers further guidance on these rights for companies. Firms also need to provide training on at least an annual basis to educate their employees, permanent or temporary, on how to implement DPA 2018 in their day-to-day responsibilities.

For example, the Data Protection Act 2018 (DPA 2018) offers more robust legal protection for special category data like health, criminal offences, or ethnic background. However, this means that employees must follow special conditions when processing this data type rather than just relying on the traditional legal basis.

As well as updating UK data protection laws to account for digital technology, social media, and big data, the DPA 2018 also transposes the EU Law Enforcement Directive (LED) into UK law and develops a specific data protection regime for intelligence services. The LED regime rules are essential for relevant authorities processing data for law enforcement purposes.

On the other hand, the requirements for UK intelligence services are based on standards within modernised Convention 108 (The Council Of Europe Convention For The Protection Of Individuals Concerning Automatic Processing of Personal Data).

The DPA 2018 contains seven main sections known as 'Parts' to be used in conjunction with 20 schedules that provide additional explanations and guidance for these 'Parts’. This means that:

• Part 2 of the act is the most relevant for UK organisations that process personal data. It will also need to be read in conjunction with the UK GPDR. This is because they do not need to consider parts 3 or 4 of the DPA 2018 Act.
• UK Law enforcement agencies must also refer to part 3 of the act in addition to the above sections.
• UK intelligence services must also consider part 4 and every act section except part 3.
• The other 'Parts' and schedules include sections on the powers of the ICO, enforcement, special personal data categories, and exemptions from the GDPR.
  

What do you need to know about the Data Protection Act 2018?

1. UK Data Protection Law can have a wide remit

The DPA 2018 applies to your business, regardless of its size, if you hold and use (process) an individual's personal information. This includes details such as names, personal email addresses and phone numbers as part of your regular business activities. The ICO offers further guidance to determine if the UK data protection rules apply to you. The ICO offers further guidance to determine if the UK data protection rules apply to you.

2. Complying with data protection rules will improve your reputation

When you handle and store personal data correctly, it is easier to find and keep it accurate. Paying your fee on time shows customers that you can be trusted and also demonstrates to other organisations that you are worth doing business with. You can take this assessment on the ICO website to determine whether your business needs to pay a fee.

3. Not all types of data fall under the DPA 2018

This type of data includes business information such as generic email addresses or financial statements that do not contain a name. It could also include any information about a deceased person or paper records that are not meant to be part of a filing system. The ICO also offers further detailed guidance on what personal data is and is not.

4. Neither the ICO nor the DPA 2018 can state training specifications

As every firm is different and the ICO wants an organisation to take responsibility for staff training, it expects firms to create training plans based on UK data protection principles and guidelines. To simplify the process, ensure that data protection training is regularly updated and covers both the basics and instructions on handling incidents if something goes wrong.

5. Regularly review data protection feedback & complaints

Your business needs to review any complaints and negative feedback to avoid repeating the same mistakes and any enforcement action from the ICO. Some of the most common complaints include:

• The security of personal data
• An inadequate subject access request (SAR)
• Unlawful marketing tactics used to promote business
• Keeping data for longer than necessary
• Using personal data for something other than what was promised

6. Harsher penalties with the DPA 2018 rather than the 1998 Act

While the 1998 Act permitted the ICO to issue penalties of up to £500,000, the DPA 2018 goes further than this. It allows the enforcement of penalties of up to £17 million or 4% of a company's annual turnover.

This can be seen in practice with a £4.4 million fine against Interserve Group Limited, a construction company, for failing to secure the personal information of its staff.

Additionally, the ICO has fined Clearview AI Inc. more than £7.5 million as they used individuals' images from the web and social media to create a facial recognition database without their permission.

7. A Data Protection Impact Assessment (DPIA) can help you minimise risk

If your company is undertaking projects which will process a lot of personal or sensitive data, it is helpful to conduct a DPIA to reduce the risk. The ICO offers a guide as well as a template for this purpose.

8. Consider the best lawful basis for processing children's data

You need a more robust lawful basis for processing children's data as they will be less aware of the data protection risks. If you want to rely on consent as your lawful means to process, you must ensure that the child understands what they have agreed to.

On the other hand, if you rely on the basis that processing is 'necessary for the performance of a contract,' then you need to assess whether the child understood what they were getting into when they signed the contract.

9. Businesses are not allowed to charge a fee for a Subject Access Request (SAR)

Before the DPA 2018, companies could charge individuals a fee for responding to a SAR. Now, businesses can only charge an administrative fee if the request is unfounded or excessive. If this is the case, your company must inform the relevant individual as soon as possible.

10. A breach only needs to be reported if personal data is involved

When a breach occurs, you first need to establish if personal data is involved and what type of personal data breach has occurred. Then consider who now has access to this data in error and how many individuals may be affected.

Next, assess the risk of this personal breach, especially if you believe this action has caused them harm. Then, act to protect those affected by trying to contain the breach. Finally, document your investigation into this breach and complete a report to the ICO within 72 hours, if necessary.

How does the Data Protection Act 2018 impact your company?

To avoid any penalties under the DPA 2018 and allow customers to take back control of their data, a company must:

Understand the type of role they have in relation to data

The business requirements under the UK GDPR will depend on whether you are a controller, joint controller, or processor. Controllers are entities that decide what personal data to process and why, i.e. they have a purpose for the data.

A processor is a company that acts only on a client's (who could be a controller) instructions, meaning that it does not have its purpose for processing data.

Additionally, if two or more controllers decide to process the same personal data for the same purpose, they are considered joint controllers. However, controllers are not considered joint if they process the same data for different purposes. If you are unsure as to the type of role you have, the ICO offers further guidance.

Controllers must comply with all the requirements under the DPA 2018 and pay the data protection fee unless they are exempt. There are three different tiers of fees for controllers, which Parliament sets depending on the level of risk posed by data processing by a particular controller. This fee is paid to the ICO to enforce the provisions of GDPR.

If you are required to pay a fee and fail to do so, you could be fined up to £4,000. Processors are exempt from paying the fee but must follow several processing obligations. Joint controllers can mutually decide who will be responsible for complying with the DPA 2018.

Both the ICO and individuals can take enforcement action against a processor, controller, or joint controller.

Acknowledge the differences between DPA 2018 & the EU GDPR

Employees will also need to be trained on UK data protection law updates as the DPA 2018 goes further than the EU GDPR in many instances. These include:

• Allows individuals to be subject to automated decision-making and profiling if there are legitimate grounds to do so. On the other hand, the EU GDPR did not allow for this at all
• Provides an exemption from UK data protection law when personal data is published in the public interest. Conversely, the EU GDPR did not give this right but stated that member states could balance the right to privacy with the right to freedom of expression and information
• Permits the ICO to regulate and enforce UK data protection law. In contrast, the European Court of Justice (ECJ) possesses this power in the EU

Require publication of a privacy policy that promotes transparency

Companies must also explain how and why they use personal data and how individuals can exercise their rights under DPA 2018. These rights include:

• A right to be informed about what you do with their personal data.
• A right to access and receive a copy of their own personal data (data subject access requests).
• A right to have data corrected if inaccurate or completed, if incomplete.
• A right to have personal data erased or 'forgotten'.
• A right to restrict or suppress personal data.
• A right to object to the processing of personal data in certain situations like those which involve direct marketing.

This is because DPA 2018 requires companies to be more transparent about why they are collecting data, whereas the 1998 Act did not.

Data Protection Act Principles

The UK GDPR establishes seven data protection principles. We will explore these principles and explain how businesses can incorporate them into their compliance programs.

Stats suggest that only 59% of companies believe they currently meet all GDPR requirements, highlighting a worrying gap in the safety of our personal information.

The seven principles of the Data Protection Act

The UK GDPR (General Data Protection Regulations) and the Data Protection Act (DPA) work together to regulate data protection and privacy. GDPR sets out the core rules, while the DPA adds UK-specific details, exemptions, and provisions.

Breaching General Data Protection Regulations (GDPR) can be costly. The social media sharing company, TikTok, is the latest big business to be named and shamed, with a colossal £12.7m fine for misusing data.

But organisations of all sizes risk proportionate fines, other penalties and reputational damage if they fail to get to grips with GDPR’s requirements and the Data Protection Act 2018 principles.

So, what are the seven principles of the Data Protection Act? They’re globally accepted guidelines designed to help you make sure personal data remains private and secure. According to the UK's Information Commissioner's Office (ICO), they lie at the heart of UK GDPR.

Set out at the very beginning of the legislation, they inform everything that follows. The seven are:

1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

What does each Data Protection Act principle mean in practice?

So, what do these principles mean for you and your day-to-day operations?

1. Lawfulness, fairness, and transparency
ICO further explains that: “Personal data must be collected and processed lawfully, fairly, and transparently, and individuals must be told about its collection and use.”

This means you can only collect personal data legally and use it for reasons that people might reasonably expect while being open and honest about why and how you collect it. It also means you can’t discriminate against people based on their data.

2. Purpose limitation
“Personal data must be collected only for specified, explicit, and legitimate purposes, and not further processed or used in a way that’s incompatible with those purposes.”

Essentially, this means letting people know your reasons for collecting data and ensuring you only use it for those purposes. If you decide to use the data for another reason later on, you need the person’s explicit consent first.

3. Data minimisation
“Personal data must be adequate, relevant, and limited only to what’s necessary for the processing purpose.” In other words, only collect the data you need to carry out your goals and don’t ask for info you don’t need.

4. Accuracy
“Personal data must be accurate and, where necessary, kept up to date. Inaccurate or incomplete data must be corrected or deleted.”

You’re responsible for making sure the data you collect and store is accurate and current, and have procedures in place to check it is. The person also has the right to ask you to correct or delete wrong information.

5. Storage limitation
“Personal data must not be kept for longer than is necessary for the purposes for which it is processed.”

While GDPR has no set time limits for keeping data, you should delete it – using a secure process – as soon as it’s served its purpose.

6. Integrity and Confidentiality
“Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.”

You need to ensure that you have due diligence, as well as operational and technical processes in place, to keep data secure both internally and externally. In the event of a breach, you must let people know immediately.

7. Accountability
“The controller or processor is responsible for complying with these principles and must be able to demonstrate compliance.” Lip service isn’t enough.

GDPR sets out that whoever's responsible for deciding how and why personal data is collected – whether a person or a company – must ensure it meets these principles. You must also be able to show this to individuals or regulators if asked.

How do you comply with data protection principles?

There are a number of things you can do to help ensure you comply with the principles of data protection.

Stay on the right side of lawfulness, fairness, and transparency by developing a privacy policy that clearly explains how personal data will be collected, processed and used and ensures your data subjects can access the same information. And make sure you always get explicit consent from people before you process sensitive data.

Consider using a data protection impact assessment (DPIA) tool. The DPIA tool helps to identify and minimise the data protection risks of a particular project. Complying with each of the data protection principles:

• For purpose limitation, your reasons for collecting and processing personal data should be crystal clear. You should also regularly review your data processing activities to ensure they're still necessary and relevant.
• To help you, data mapping tools can identify the personal data you collect and reinforce why you're doing it. They can also support data minimisation by enabling you to spot unnecessary data so you can delete it, helping you ensure you only collect the data you need.
• Creating a data minimisation policy that states how you collect relevant data only and sets out who has access can ensure you stay on track. Some organisations may collect data in bulk, hoping to use it later – without realising it goes against GDPR’s principles.
• Data validation and verification tools can support accuracy by checking a wide range of personal data, including email and postal addresses and phone numbers. There are also several data cleaning tools available that can scan for and remove duplicated or inaccurate info.
• Using a data management system can also help you monitor and manage your data effectively and efficiently. It’s also a good idea to allow people to update their info wherever possible, as long as access to their data is completely secure.
• A privacy policy, as mentioned above, should also drive storage limitations by outlining how long you keep data before deleting it. A data mapping tool – also referred to above – can help identify data that’s no longer required.
• Storing data in the cloud can let you take advantage of ready-made security while giving you access from anywhere worldwide for quick and easy management. Though check it’s right for you. Here are some pros and cons of cloud-based solutions.
• Always use up-to-date encryption to ensure integrity and confidentiality. Cybercriminals are increasingly sophisticated, so be sure to regularly check for the latest upgrades or patches to plug any security gaps. And restrict access to authorised people.

Hackers aside, unforeseen events can also disrupt your operations. Therefore, it's essential to regularly back up your files to ensure you can recover your data if the worst occurs.

Following the steps above, such as using DPIA tools and policies, will show your commitment to accountability. Keeping accurate records of your processing activities is also a good way of demonstrating your commitment to the principles.

If you don't have one already, think about appointing a dedicated Data Protection Officer to oversee everything. And, of course, providing your people with data protection training that covers the seven data protection principles can support best practices.

Why are the data protection principles important?

As a framework, the principles help you set clear parameters for collecting, processing and storing personal data. They ensure transparency and show your commitment to protecting people's data and privacy rights – building trust.

People also have the option to sue you for damages. Awards vary depending on the distress caused but can range from hundreds for a minor breach to tens of thousands of pounds for one that causes physical or emotional distress.

In addition to, or instead of, fines, regulators can order you to take remedial action or revoke or suspend your ability to process data. Regardless of the action taken, you can guarantee it'll instantly destroy any hard-won reputation, impacting both your clients and your financial performance.

In today's data-driven world, protecting personal data is critical. By implementing the proper procedures, policies and resources to help you embed the seven data protection principles, you can be confident your business is best placed to fulfil GDPR’s requirements.

Want to learn more about GDPR?

We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.