A new dawn broke today for the UK’s data protection regime. The Data Protection Act 1998 is no more. The Data Protection Act 2018came into force today, alongside the General Data Protection Regulation (GDPR). We have been hearing about GDPR but what does the new Act do?
The DPA 2018 does not, contrary what many commentators have been writing, incorporate or enshrine GDPR into UK law. GDPR is a Regulation and so directly applicable across the EU. It does not need to be “signed into British law” whilst the UK remains a member of the European Union. Post Brexit it will still be the law (until the Government decides to replace it) due to the provisions of the European Union (Withdrawal) Bill.
So what are the aims of the DPA 2018? The Information Commissioner says in her recent blog:
“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) which is also due to take effect in two days’ time. The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”
Chapter 2 of Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps in GDPR – what are known as “derogations”; where Members states are allowed to make their own rules e.g. about exemptions and children’s’ consent.
But the new Act does more than this; hence it’s length (339 pages).
Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. For example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by the Freedom of Information Act 2000 (FOI)). The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.
Part 3 of the Act regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of GDPR. This part will only apply to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc.
Part 4 of the Act makes provisions about the processing of personal data by the Intelligence Services. National security is also outside the scope of EU law. The Government has though decided that it is important the Intelligence Services are required to comply with internationally recognised data protection standards as set out in GDPR.
Parts 5 and 6 make provisions about the Information Commissioner and the enforcement of the data protection legislation. She consulted recently on her regulatory action policy (https://t.co/SOeM41D0UD).
Going back to Chapter 2 of Part 2 of the Act; remember this has to be read alongside the GDPR to make full sense of the latter. In most part this remains the same as the original draft bill. (Read a summary of the Bill here.)
The Information Commissioner says on her blog:
“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.”
We have just launched our GDPR helpline.