Let's be honest; it's been pretty hard to miss the General Data Protection Regulation (GDPR) in recent months.
But among the hundreds of updated privacy policies flying into our inboxes and the media hype around GDPR, there has been little mention of the new Data Protection Act 2018 (DPA 2018). The DPA 2018 came into force on 25 May 2018 and is another important piece of data protection legislation that any business processing personal data should know about. So here are the five key things that we think you should know about the DPA 2018:
- It ensures GDPR standards will continue to have effect in the UK after Brexit. It might not be the word on everyone's lips anymore, but Brexit is coming. Whilst the DPA 2018 does not directly transpose the GDPR into UK law post-Brexit (this is the job of the European Union (Withdrawal) Bill), the DPA 2018 assists with that transposition.
- It provides for exemptions and derogations. The GDPR doesn't define what exemptions and derogations look like under the new rules; that discretion is left to Member States. The DPA 2018 introduces broadly similar exemptions and derogations to the previous regime. It has also introduced some new, helpful provisions, such as a new lawful basis allowing the processing of special categories of personal data in connection with providing insurance.
- It implements the Law Enforcement Directive in the UK. The Law Enforcement Directive is a separate EU law which applies to processing of personal data by law enforcement bodies. Part 3 of the DPA 2018 implements this into UK law by providing for a broadly similar regime to the GDPR to apply to law enforcement organisations. Part 4 also provides specifically for data processing by intelligence services.
- It adds some new offences. As well as the existing offences, such as unlawfully obtaining personal data without the data controller's consent, the DPA 2018 introduces some new offences. These include re-identifying de-identified personal data and altering or deleting personal data to prevent its disclosure to an individual in response to a request to access personal data.
- It further defines the Information Commissioner's role and the provisions relating to enforcement. The Information Commissioner's role under the DPA 2018 closely reflects the old regime, with additional obligations, such as producing codes of practice. The DPA 2018 also sets out detailed provisions around enforcement, including the Information Commissioner's rights to audit and request information.