25 May 2018 is the day that will be remembered for the commencement of two sibling pieces of legislation, the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). In the months leading up to the birth of these siblings the whole of Europe (and beyond) appeared to descend into a frantic maelstrom of privacy policy updates, revamps of terms of business, “first version” breach response protocols, and much grappling with the concept of, and triggers for, data protection impact assessments.

The GDPR was, and just about remains, the media darling of the legal world: much publicised, constantly tweeted, and heavily scrutinised. It is not often that an EU Regulation has its own entourage of practitioners and experts long before its first day of binding legal effect. The second sibling has a very different profile. The DPA 2018 is less famous and less tweeted, yet extremely learned, detailed, and entirely UK-centric. Like any related pieces of legislation, and indeed quite like familial siblings, the DPA 2018 and the GDPR are mutually dependent. They have been designed specifically to co-exist, and are intended to continue operating together even after the UK’s planned withdrawal from the European Union. (The DPA 2018 supplements the GDPR in many places, and applies an equivalent regime to processing that falls outside the GDPR’s own scope.)

The DPA 2018 (numbering 350+ pages, 215 operative sections plus 20 schedules) is a comprehensive data protection system for the UK, just as its predecessor, the Data Protection Act 1998, was. It supplies essential domestic meaning in situations where the GDPR is silent or flexible. It contains a number of exceptions and nuances to the GDPR’s black letter (literal) provisions (such as the “journalistic exemption”, which largely protects the UK media’s interests in publishing certain personal data, subject to certain safeguards and codes). From now on, the precise application of a particular data protection rule within the UK will often only be gleaned from a review of the GDPR and the DPA 2018 in tandem.

So many more posts, tweets, retweets and adverts have been devoted to the GDPR than to the DPA 2018 that it is timely to shine a light on 4 Practical Tips regarding the DPA 2018 which UK businesses need to know about.

*To ignore certain DPA 2018 nuances could create legal issues around GDPR compliance programmes, or leave unattended errors sitting in “GDPR-proofed” documents held by UK businesses.*

4 PRACTICAL TIPS IN RELATION TO THE DPA 2018

1. Be aware of the rising influence and power vested in the ICO

The DPA 2018 has extended the scope for the ICO to exercise its powers and its influence under the GDPR:

  • The ICO can serve “assessment notices” on controllers and processors, giving it the right to enter business premises, observe data processing in action, interview staff, and inspect documents, information and equipment, including networks, servers and document management systems.
  • The ICO is required to produce new statutory codes of practice, including an age-appropriate design code for online services likely to be accessed by children; a data sharing code; a direct marketing code; and a journalism code.

2. Train your teams on the new UK specific data law offences

Staff need to know that there are new UK law offences, which in turn require training and other measures to be put in place so that there are no unwitting breaches by members of staff (who may otherwise seek to argue they were not trained by their employer). Note that it is not simply disclosing or leaking data that can lead to trouble; recklessly obtaining data, or retaining data without the controller’s consent, is equally risky. Data processors in particular need to be careful to obtain clear and documented authority from their data controller for each kind of processing they carry out.

New offences are:

  • Knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such a disclosure, or retaining personal data obtained without consent after the fact.
  • Selling, or offering to sell, personal data that was knowingly or recklessly obtained or disclosed in that way.
  • Knowingly or recklessly re-identifying personal data that has been “de-identified” (without the consent of the controller responsible for de-identifying it), and knowingly or recklessly processing such re-identified data.

3. Appreciate and apply the different UK employment law dispensations in the pre-employment and post-employment contexts

Pre-employment (recruitment checks): if collecting data relating to criminal convictions and offences for the purpose of checking suitability for employment, employers are required, as a bare minimum, to maintain an “appropriate policy document”. This should set out the rationale for this part of recruitment practice and for the collection and retention of such data, explain how the employer complies with the GDPR’s data protection principles (Article 5), and state how long the data will be retained.

Post-employment (references): it is now easier for employers to withhold confidential employment references from a subject access request. The “Schedule 2 exemption” for confidential references has been expanded to cover references received by an employer as well as those it gives. This is one area that runs slightly against the general trend toward stronger rights for data subjects.

4. Protecting children and parental consent

A key focus within the GDPR is the protection of children, particularly from online harm. The GDPR’s default position (Article 8) is that a child can only consent to the processing of their personal data by an online (“information society”) service from the age of 16, but it allows Member States to set a lower age, down to 13. The DPA 2018 takes that latitude. Respecting the autonomy of children to a greater degree than a number of EU counterparts, UK law specifies that a child can provide “consent” for these purposes from the age of 13; where consent is relied on to process the personal data of a child under 13, it must be given or authorised by the holder of parental responsibility.

And a final word on Brexit. With the DPA 2018 now in place, the UK has a complete data protection system (one which cross-refers to and embraces the GDPR) that will continue to operate after the UK withdraws from the European Union.