The Data Protection Act (DPA) 2018 has empowered individuals to take control of their personal data and protect their rights since its commencement. This control and protection are particularly important with evolving technological advances. Furthermore, it places more legal restrictions on processing personal data, which businesses need to be aware of.
Understanding the Data Protection Act 2018
- What is the Data Protection Act (DPA) 2018?
- Why is the DPA 2018 important?
- What do you need to know about the DPA 2018?
- How does the DPA 2018 impact your company?
What is the Data Protection Act (DPA) 2018?
In 2018, the Data Protection Act 2018 (DPA 2018) became the main data protection law of the UK. It was passed to line up the UK's national legislation with the EU GDPR. The DPA 2018 details the main requirements for protecting the personal data of UK individuals processed by businesses in the UK or globally.
When the UK left the EU, the UK GDPR was passed and came into effect in February 2021. Before 2018, the UK passed the Privacy and Electronic Communication Regulations (PECR) 2003 to transpose the EU's ePrivacy Directive into national law.
These regulations set the rules for the security of electronic communication, cookies, and direct marketing. In short, the DPA 2018, the UK GDPR, and the PECR form the foundations of UK data protection law.
Why is the DPA 2018 important?
This act is essential as it compels individuals to take charge of their personal data, enabling businesses to process it lawfully. This means that individuals now have the right to:
- Be informed about where and how their data is being used
- Request incorrect data to be updated
- Ask for data to be erased
- End or restrict the processing of their data
- Enquire as to whether they can reuse the personal data you hold for other services
- Express dissatisfaction with how their data is processed, especially in automated decision-making and profiling situations.
The Information Commissioner (ICO) offers further guidance on these rights for companies. Firms also need to provide training on at least an annual basis to educate their employees, permanent or temporary, on how to implement DPA 2018 in their day-to-day responsibilities.
For example, the Data Protection Act 2018 (DPA 2018) offers more robust legal protection for special category data like health, criminal offences, or ethnic background. However, this means that employees must follow special conditions when processing this data type rather than just relying on the traditional legal basis.
As well as updating UK data protection laws to account for digital technology, social media, and big data, the DPA 2018 also transposes the EU Law Enforcement Directive (LED) into UK law and develops a specific data protection regime for intelligence services. The LED regime rules are essential for relevant authorities processing data for law enforcement purposes.
On the other hand, the requirements for UK intelligence services are based on standards within modernised Convention 108 (The Council Of Europe Convention For The Protection Of Individuals concerning Automatic Processing of Personal Data).
The DPA 2018 contains seven main sections known as 'Parts' to be used in conjunction with 20 schedules that offer further explanations/ guidance for the main 'Parts'. This means that:
- Part 2 of the act is the most relevant for UK organisations that process personal data. It will also need to be read in conjunction with the UK GPDR. This is because they do not need to consider parts 3 or 4 of the DPA 2018 Act.
- UK Law enforcement agencies must also refer to part 3 of the act in addition to the above sections.
- UK intelligence services must also consider part 4 and every act section except part 3.
- The other 'Parts' and schedules include sections on the powers of the ICO, enforcement, special personal data categories, and exemptions from the GDPR.
What do you need to know about the DPA 2018?
1. UK Data Protection Law can have a wide remit
The DPA 2018 will apply to your business, regardless of its size, if you hold and use (process) an individual's personal information. This type of information includes names, personal email addresses, or phone numbers as part of your ordinary course of business. The ICO offers further guidance to determine if the UK data protection rules apply to you.
2. Complying with data protection rules will improve your reputation
When you handle and store personal data correctly, it is easier to find and keep it accurate. Paying your fee on time shows customers that you can be trusted. It also demonstrates to other organisations that you are worth doing business with. You can take this assessment on the ICO website to determine whether your business needs to pay a fee.
3. Not all types of data fall under the DPA 2018
These types of data include business data like generic email addresses or financial statements if they do not include a name. It could also include any information about a deceased person or paper records that are not meant to be part of a filing system. The ICO also offers further detailed guidance on what personal data is and is not.
4. Neither the ICO nor the DPA 2018 can state training specifications
As every firm is different and the ICO wants an organisation to take responsibility for staff training, it expects firms to create training plans based on UK data protection principles and guidelines. To make it easier for yourself, ensure that data protection training is refreshed regularly and covers the basics and what to do if something goes wrong.
5. Regularly review data protection feedback & complaints
Your business needs to review any complaints and negative feedback to avoid repeating the same mistakes and any enforcement action from the ICO. Some of the most common complaints it receives are about:
- The security of personal data
- An inadequate subject access request (SAR)
- Unlawful marketing tactics used to promote business
- Keeping data for longer than necessary
- Using personal data for something other than what was promised
6. Harsher penalties with the DPA 2018 rather than the 1998 Act
While the 1998 Act permitted the ICO to issue penalties of up to £500,000, the DPA 2018 goes further than this. It allows the enforcement of penalties of up to £17 million or 4% of a company's annual turnover.
This can be seen in practice with a £4.4 million fine against Interserve Group Limited, a construction company, for failing to secure the personal information of its staff.
Additionally, the ICO has fined Clearview AI Inc more than £7.5 million as they used individuals' images from the web and social media to create a facial recognition database without their permission.
7. A Data Protection Impact Assessment (DPIA) can help you minimise risk
If your company is undertaking projects which will process a lot of personal or sensitive data, it is helpful to conduct a DPIA to reduce the risk. The ICO offers a guide as well as a template for this purpose.
8. Consider the best lawful basis for processing children's data
You need a more robust lawful basis for processing children's data as they will be less aware of the data protection risks. If you want to rely on consent as your lawful means to process, you must ensure that the child understands what they have agreed to.
On the other hand, if you rely on the basis that processing is 'necessary for the performance of a contract,' then you need to assess whether the child understood what they were getting into when they signed the contract.
9. Businesses are not allowed to charge a fee for a Subject Access Request (SAR)
Before the DPA 2018, companies could charge individuals a fee for responding to a SAR. Now, businesses can only charge an administrative fee if the request is unfounded or excessive. If this is the case, your company must inform the relevant individual as soon as possible.
10. A breach only needs to be reported if personal data is involved
When a breach occurs, you first need to establish if personal data is involved and what type of personal data breach has occurred. Then consider who now has access to this data in error and how many individuals may be affected.
Next, assess the risk of this personal breach, especially if you believe this action has caused them harm. Then, act to protect those affected by trying to contain the breach. Finally, document your investigation into this breach and complete a report to the ICO within 72 hours, if necessary.
How does the DPA 2018 impact your company?
To avoid any penalties under the DPA 2018 and allow customers to take back control of their data, a company must:
Understand the type of role they have in relation to data
The business requirements under the UK GDPR will depend on whether you are a controller, joint controller, or processor. Controllers are entities that decide what personal data to process and why i.e. they have a purpose for the data.
A processor is a company who acts only on a client's (who could be a controller) instructions, meaning that it does not have its purpose for processing data.
Additionally, if two or more controllers decide to process the same personal data for the same purpose, they are considered joint controllers. However, controllers are not considered joint if they process the same data for different purposes. If you are unsure as to the type of role you have, the ICO offers further guidance.
Controllers must comply with all the requirements under the DPA 2018 and pay the data protection fee unless they are exempt. There are three different tiers of fees for controllers, which Parliament sets depending on the level of risk posed by data processing by a particular controller. This fee is paid to the ICO to enforce the provisions of GDPR.
If you need to pay the fee and do not, you could be fined up to £4,000. Processors do not have to pay a fee, but they have a number of processing obligations. Joint controllers can agree on who is responsible for complying with the DPA 2018.
Both the ICO and individuals can take enforcement action against a processor, controller, or joint controller.
Keep the 7 data protection principles in mind
In addition to the individual's rights under this act, the UK GDPR, within the DPA 2018, outlines the data protection principles that companies need to follow:
- Process personal data lawfully, fairly, and in a transparent manner
- Use data for a specific, explicit, and legitimate purpose
- Collect relevant and adequate data for a particular purpose means that businesses do not need to keep more data than they need to
- Take reasonable steps to keep any data you hold accurate and up-to-date
- Review the data you hold periodically to consider erasing or anonymising it. Your company could also keep a data retention policy so that it can monitor how long each type of data needs to be kept for
- Ensure that every individual's data is subject to measures that keep it confidential and secure
- Become accountable for what you do with an individual's personal data and demonstrate how you adhere to the other data protection principles.
Acknowledge the differences between DPA 2018 & the EU GDPR
Employees will also need to be trained on UK data protection law updates as the DPA 2018 goes further than the EU GDPR in many instances. These include:
- Allows individuals to be subject to automated decision-making and profiling if there are legitimate grounds to do so. On the other hand, the EU GDPR did not allow for this at all
- Provides an exemption from UK data protection law when personal data is publicised in the public interest. Conversely, the EU GDPR did not give this right but stated that member states could balance the right to privacy with the right to freedom of expression and information
- Permits the ICO to regulate and enforce UK data protection law. In contrast, the European Court of Justice (ECJ) possesses this power in the EU
Companies must also explain how and why they use personal data and how individuals can exercise their rights under DPA 2018. These rights include:
- A right to be informed about what you do with their personal data.
- A right to access and receive a copy of their own personal data (data subject access requests).
- A right to have data corrected if inaccurate or completed, if incomplete.
- A right to have personal data erased or 'forgotten'.
- A right to restrict or suppress personal data.
- A right to object to the processing of personal data in certain situations like those which involve direct marketing.
This is because DPA 2018 requires companies to be more transparent about why they are collecting data, whereas the 1998 Act did not.
Want to learn more about Information Security?
To help you plan and execute compliance in your organisation, we have created a comprehensive GDPR roadmap.
Our best-selling Compliance Essentials Library and award-winning LMS provide a one-stop compliance training solution, including information security e-learning.
And our searchable compliance glossaries explain key terms and regularly report on learnings from the largest compliance fines resulting from regulatory breaches.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
If you'd like to stay up to date with information security best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.
If you've any questions or concerns about compliance or e-learning, please get in touch.
We're happy to help!