The Data Protection Act 2018 (DPA 2018), designed to update existing data protection laws and regulations, came into force on 23 May 2018 as the third generation of the UK's data protection environment.
Based on the EU's General Data Protection Regulation (GDPR), the DPA 2018 is designed to consider advancements in data use in the modern age and how personal information is collected by online platforms for various legitimate and illegitimate purposes.
The DPA 2018 was introduced to replace the earlier Data Protection Act 1998. It outlines the legal extent to which data can be collected, processed, and used within the UK and sets out several penalties for those who breach these laws. More specifically, the framework laid out by the DPA 2018 governs the steps businesses and individuals must take when handling data. It also provides data owners, known as data subjects, with a clear guideline for their rights and protections concerning personal information.
The DPA 2018 was required in order for the UK to maintain a similar level of data protections to that of the EU - known as adequacy status. This allows the UK to process data owned by EU citizens. However, the DPA 2018 adds to and goes beyond the rules of GDPR. Instead of just copying GDPR into UK law, the DPA 2018 included the EU Law Enforcement Directive, which protects data used by the police and other law enforcement agencies.
Why do we need DPA 2018 when we have GDPR?
Although there are similarities between the two, the DPA 2018 and the EU's GDPR differ in several key areas:
When it came into force, GDPR automatically applied to all EU member states but allowed individual nations to create their own provisions to extend their reach depending on their particular needs. This flexibility enabled member states to implement data protection laws that complemented their existing regulations.
Most of the UK's data processing was governed by GDPR until Brexit, though a few regulatory issues were specific to the UK and handled only by domestic laws. Examples include immigration issues and processing freedom of information (FOI) data. The DPA 2018 also includes several national security exemptions. While GDPR sets a broad framework for data protection across the EU, it allows individual member states to tailor specific provisions to fit national contexts. The DPA 2018 addresses data protection needs and issues unique to the UK.
Also, the DPA 2018 integrates and updates the UK's previous data protection laws, ensuring they are compatible with GDPR while addressing purely domestic concerns. This includes exemptions and rules specific to the UK's regulatory environment. The DPA 2018 provides clear legal guidelines and enforcement mechanisms within the UK context. It defines the roles and responsibilities of the Information Commissioner's Office (ICO) and sets out penalties for non-compliance, thereby ensuring robust data protection enforcement within the UK.
For example, under the DPA 2018, the Home Office and other organisations processing immigration data can reject access requests to personal data if they believe it could harm "effective immigration control".
However, this exemption faced challenges from human and digital rights campaigners. The Open Rights Group and the3million launched a legal challenge in January 2019, arguing that the immigration data exemption was unlawful. The High Court ultimately rejected this challenge in October 2019.
The DPA 2018 also includes provisions not directly applied to GDPR in UK law. For instance, the legal age for consent to process personal data is 16 under GDPR, but in the UK, it is 13. Additionally, the DPA 2018 allows for automated decision-making or profiling on legitimate grounds with appropriate safeguards, while GDPR ensures individuals have the right to avoid such processes.
Brexit
Despite voting to leave the EU in 2016, the UK remained bound by EU legislation, including GDPR, until 31 January 2020. GDPR was incorporated into UK law via the European Union (Withdrawal) Act 2018. The DPA 2018 ensures the smooth flow of data from the EU to the UK post-Brexit. After leaving the EU on 31 January 2020, the UK entered a transition period, during which agreements on data adequacy were to be formalised. This agreement confirmed that UK laws provided adequate data protection.
Any organisation with customers in the EU must adhere to GDPR rules, regardless of the UK's EU membership status. Therefore, having domestic policies aligned with GDPR benefits companies by allowing them to comply with UK and EU data handling requirements without conflicting systems.
On 19 February 2021, the EU Commission published its draft adequacy decision, confirming that UK law was adequate for data transfers without additional safeguards. The EU Commission formally declared on 28 June 2021 that the UK ensures sufficient data protection for personal data transferred under GDPR from the EU to the UK.
This ruling is expected to last until June 2025, with a decision in 2024 on whether to extend it for another four years. However, it does not apply to data transferred to the UK for immigration-related issues, which have different requirements. At the moment, the House of Lords European Affairs Committee, chaired by Lord Ricketts, is considering the extension, with Lord Ricketts stating:
"The free flow of data between the UK and EU is vital for trade and economic relations, and for effective law enforcement cooperation. Currently, the transfer of commercial and criminal investigation data is based on an EU adequacy decision which expires next year. Without it, maintaining data flows between the UK and the EU could become less straightforward for businesses and, therefore, have an impact on the UK economy. It could also have an impact on UK-EU security cooperation as it could lead to restrictions on the flow of data for law enforcement purposes between the UK and the EU."
Ricketts concluded: "My Committee has therefore decided to examine the way the current arrangement works, the factors that will influence a future data adequacy decision, and the implications should that decision be negative. The Committee encourages anyone with expertise in or experience of the matters under consideration in this inquiry to submit written evidence. The wider the range of evidence we receive, the more firmly based will be our conclusions."
Efforts to reform GDPR
The previous Conservative government had indicated that the GDPR may be partially or entirely replaced with new data protection legislation. On 8 March 2023, the government presented the latest version of the UK Data Protection and Digital Information Bill No.2, designed to alleviate the cost and administrative burden businesses in the UK feel complying with GDPR as it stands today in UK law.
Also, the Bill has components to govern and regulate artificial intelligence (AI), which was not a distinct part of GDPR when it came into force. The UK's new version of GDPR also connects to the Artificial Intelligence (Regulation) Bill, which was designed to define the secure application of these burgeoning systems that will impact every business process, including how workforces use tools like Generative AI.
Speaking at the time, then Conservative Secretary of State for Digital, culture, media and Sport (DCMS) Michelle Donelan, said: "Our plan will protect consumer privacy and keep their data safe whilst retaining our data adequacy, so that businesses can trade freely. Our new data protection plan will focus on growth, on common sense, on helping to prevent losses from cyberattacks and data breaches, while also protecting data privacy."
Julian David, TechUK CEO, also commented: "TechUK welcomes the new, targeted package of reforms to the UK's data protection laws, which builds on ambitions to bring organisations clarity and flexibility when using personal data. The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services and develop new technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU."
The current Information Commissioner has also stated: "I welcome the reintroduction of the Data Protection and Digital Information Bill and support its ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights. Data protection law needs to give people the confidence to share information to use the products and services that power our economy and society. The Bill will ensure my office can continue to operate as a trusted, fair and independent regulator. We look forward to continuing to work constructively with the government to monitor how these reforms are expressed in the Bill as it continues its journey through Parliament."
There is little doubt that a new form of GDPR will be enacted into UK law to reflect how businesses collect and manipulate data. The final draft of the Bill is expected in 2025. The new Act will give organisations more control over the data they collect and move the regulations away from the top-down, prescriptive approach that GDPR currently takes and reflects what can be unique ways data is collected, manipulated and shared today.
For more information on the various ways in which leaving the EU effects GDPR, head to our GDPR and Brexit in-depth guide.
Definition of personal data under DPA 2018
The ICO defines personal data as: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Personal data comprises anything that may be used to identify an individual and has even extended to include details such as a person's IP address in modern times.
What has changed since the DPA 1998
The latest legislation is designed to bring data protection to modern standards in light of the growth of massive internet companies and how data is collected, processed, and monetised in gigantic quantities. The DPA 2018 introduced far more protections for citizens and improved the protections and rights initially outlined in the legislations previous iteration.
Under the new regime, organisations are required to be more transparent about how and why they handle, collect, and process the data – much of this about their customers’ behavior. Data collection can only happen if an entity has an explicit and legitimate reason to do so.
Businesses must also consider several conditions when processing data, including:
- the data subject's consent
- legal obligation
- contractual obligations
- public interest
- vital interest
- and legitimate interests
One of the most significant changes has been in the way consent is viewed in the eyes of the law, with the threshold for consent raised significantly. Under the DPA 2018, user consent must be explicit for data processing about specifically outlined purposes, as opposed to blanket consent, as was sought previously.
More significant requirements have also been put on organisations to keep data accurate and up-to-date and immediately remove anything from inaccurate systems on request when such issues are flagged.
Processing data, meanwhile, is now limited entirely to the specific purposes for which it was collected, which differs from how organizations interpreted provisions in the 1998 DPA. Previously, companies could process data in any way provided it wasn't "excessive" to the original purpose.
How the Data Protection Act structured?
The DPA 2018 enforces four distinct data protection frameworks, each relating to a specific category of data processing.
- Within the scope of GDPR
- Outside the scope of GDPR
- By competent authorities for law enforcement purposes
- By the intelligence services
The Act is also split into seven parts, each containing multiple schedules. Following an introductory section and critical terms, Part 2 covers various aspects of the general processing of personal data, Part 3 covers law enforcement, Part 4 relates to intelligence service processing, Part 5 covers the powers of the Information Commissioner's Office (ICO), Part 6 outlines the scope of enforcement powers, and Part 7 covers additional provisions that do not fall under the previous categories.
Special provisions are set out for law enforcement processing, including the processing of personal data by the police, prosecutors, and similar criminal justice bodies. Similar provisions exist for processing by intelligence services, which aim to bring UK standards in line with international standards. The frameworks also ensure the smooth flow of data internationally to tackle crime while ensuring data protection is upheld.
Fines for breaching the Data Protection Act 2018
Like GDPR fines, the DPA 2018 gives the ICO the power to levy far tougher fines than anything seen in the past. Under the 1998 Act, the maximum possible fine was £500,000.
Under the DPA 2018, serious breaches of the data protection principles, or failing to report a data breach within 72 hours, can result in a fine of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.
It remains to be seen how the UK Data Protection and Digital Information Bill No.2 will continue to evolve. What is clear is that the UK government is set on a trajectory to change the current implementation of GDPR and how this relates to DPA 2018.
