The UK Data Protection Act 2018 (DPA 2018) is the statute that, together with the UK GDPR, governs the processing of personal data in the UK. It is enforced by the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority. The Act imposes obligations on organisations (general processing), competent authorities (law enforcement processing) and the intelligence services, and it reaches organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. Breaches can result in enforcement notices, bans on processing and monetary penalties.
Before going further, note how the Act is layered. For general processing, Part 2 of DPA 2018 supplements the UK GDPR, whose principles and data subject rights are carried over essentially unchanged from the EU-GDPR. For law enforcement processing (Part 3) and intelligence services processing (Part 4), the Act sets out its own versions of the principles and rights, which differ from the GDPR in places; those differences are covered in the following sections.
What are the Principles of the Data Protection Act?
DPA 2018 sets out six data protection principles for law enforcement processing and, separately, six for intelligence services processing. The two sets, found in Sections 35-40 of Chapter 2 of Part 3 (Law Enforcement Processing) and Sections 86-91 of Chapter 2 of Part 4 (Intelligence Services Processing), closely align with each other, although the wording differs in the places noted below.
- The First Data Protection Principle concerns lawfulness and fairness: under Part 3 processing must be lawful and fair, and under Part 4 it must be lawful, fair and transparent. Both versions define “sensitive processing” as the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, of genetic data or biometric data used to uniquely identify an individual, and of data concerning health, sex life or sexual orientation. Sensitive processing is only permitted where the data subject has given consent or where a condition in Schedule 8 (Part 3, which also requires the processing to be strictly necessary) or Schedule 10 (Part 4) is met; under Part 3 the controller must additionally have an appropriate policy document in place.
[Section 35 of Chapter 2, Part 3 (Law Enforcement Processing) and Section 86 of Chapter 2, Part 4 (Intelligence Services Processing)]
- The Second Data Protection Principle requires that the purpose for which personal data is collected is specified, explicit and legitimate, and that the data is not processed in a manner incompatible with that purpose. Under Part 3, data collected for one law enforcement purpose may be processed for another law enforcement purpose only where the controller is authorised by law to do so and the processing is necessary and proportionate [Section 36(3)-(4)]. Under Part 4, processing for archiving in the public interest, scientific or historical research, or statistical purposes is regarded as compatible with the original purpose, provided it is subject to appropriate safeguards for the rights and freedoms of the data subject [Section 87(4)].
[Section 36 of Chapter 2, Part 3 (Law Enforcement Processing) and Section 87 of Chapter 2, Part 4 (Intelligence Services Processing)]
- The Third Data Protection Principle requires that personal data processed for these purposes is adequate, relevant and not excessive in relation to the purpose for which it is processed.
[Section 37 of Chapter 2, Part 3 (Law Enforcement Processing) and Section 88 of Chapter 2, Part 4 (Intelligence Services Processing)]
- The Fourth Data Protection Principle requires that personal data is accurate and, where necessary, kept up to date, and that inaccurate data is erased or rectified without delay. Part 3 adds that, so far as possible, personal data based on facts must be distinguished from personal data based on personal assessments, and that different categories of data subject (suspects, convicted persons, victims, witnesses) must be clearly distinguished.
[Section 38 of Chapter 2, Part 3 (Law Enforcement Processing) and Section 89 of Chapter 2, Part 4 (Intelligence Services Processing)]
- The Fifth Data Protection Principle states that personal data must be kept for no longer than is necessary for the purpose for which it is processed.
[Section 39 of Chapter 2, Part 3 (Law Enforcement Processing) and Section 90 of Chapter 2, Part 4 (Intelligence Services Processing). Section 39(2) additionally requires appropriate time limits to be set for periodic review of whether continued storage is still necessary.]
- The Sixth Data Protection Principle mandates that personal data is processed in a manner that ensures appropriate security, using appropriate technical or organisational measures. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
[Section 40 of Chapter 2, Part 3 (Law Enforcement Processing) and Section 91 of Chapter 2, Part 4 (Intelligence Services Processing)]
Note: For general processing, the principles are those of Article 5 (Principles relating to processing of personal data) of Chapter II of the UK GDPR, which is materially identical to Article 5 of the EU-GDPR.
What are the Principles of UK GDPR?
The UK GDPR retains Article 5 of Chapter II of the EU-GDPR unchanged. The principles relating to the processing of personal data are summarised below:
- Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. Further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not considered incompatible, provided the safeguards of Article 89(1) are in place.
- Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes of processing.
- Accuracy: personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
- Storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of processing. Longer storage is allowed solely for archiving in the public interest, scientific or historical research, or statistical purposes, subject to the Article 89(1) safeguards.
- Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability: the controller is responsible for, and must be able to demonstrate, compliance with the principles above [Article 5(2)].
What are the Rights of the Data Subjects as per DPA 2018?
Sections 44-54 of Chapter 3, Part 3 (Law Enforcement Processing) and Sections 93-100 of Chapter 3, Part 4 (Intelligence Services Processing) of DPA 2018 set out the rights that data subjects can exercise over their personal data. They are summarised below.
- Right to information obliges the controller to make available general information such as the identity and contact details of the controller (and of its data protection officer), the purposes of the processing, the existence of the data subject’s rights and the right to complain to the Commissioner. In specific cases the controller must also tell the data subject the legal basis for the processing and the retention period, or the criteria used to determine that period. [Sections 44(2) and 44(4) of Part 3; Section 93 of Part 4]
- Right of access grants the data subject the right to obtain confirmation from the controller of whether their personal data is being processed and, if so, access to that data together with information about the purposes, the categories of data, the recipients, the retention period and the rights available to them. [Section 45 of Part 3; Section 94 of Part 4]
- Right to rectification allows the data subject to require the controller to rectify inaccurate personal data, or to complete incomplete data, without undue delay. [Section 46 of Part 3; Section 99 of Part 4] Under Part 4 the data subject may additionally apply to a court for an order requiring the controller to rectify the data. [Section 100]
- Right to erasure or restriction of processing obliges the controller to erase personal data without undue delay where its processing would infringe the data protection principles or where erasure is otherwise required by law, and the data subject may require the controller to do so. [Section 47 of Part 3; Section 99 of Part 4] Instead of erasing the data, the controller must restrict its processing:
- where the data must be maintained for the purposes of evidence, or
- where the data subject contests its accuracy and the accuracy cannot be ascertained.
Again, under Part 4 the data subject may apply to a court for an order requiring erasure. [Section 100]
- Right not to be subject to automated decision-making: the controller may not take a significant decision about a data subject based solely on automated processing unless the decision is required or authorised by law. [Section 49 of Part 3; Section 95 of Part 4]
- Right to intervene in automated decision-making applies where a controller takes a qualifying significant decision (one required or authorised by law) based solely on automated processing. The controller must notify the data subject in writing as soon as reasonably practicable; the data subject may, within one month of the notification, ask the controller to reconsider the decision or to take a new decision not based solely on automated processing; and the controller must, within one month of receiving that request, consider it and reply in writing with its decision and reasons. [Section 50 of Part 3; Section 96 of Part 4]
- Right to object to processing (Part 4 only) entitles the data subject to require the controller, by notice in writing, to stop processing their personal data, or to stop processing it for a specified purpose or in a specified manner, on the ground that the processing is an unwarranted interference with their interests or rights. The controller must respond within 21 days, stating either that it has complied or intends to comply, or its reasons for regarding the notice as unjustified. If the controller does not comply, the data subject can apply to a court for an order under Section 100. [Section 98]
Sections 51-54 of Part 3 (Law Enforcement Processing) extend a few further provisions to data subjects: exercise of rights through the Commissioner (Section 51), the form in which information must be provided (Section 52), the handling of manifestly unfounded or excessive requests (Section 53) and the meaning of “applicable time period” (Section 54).
Note: Articles 12-23 (Sections 1-5 of Chapter III) of the EU-GDPR set out the rights of data subjects for general processing. The UK GDPR retains these articles, with UK-specific exemptions set out in the Schedules to DPA 2018.
How is UK DPA Different from EU-GDPR?
Some of the major differences between the UK regime (DPA 2018 together with the UK GDPR) and the EU-GDPR are:

| Parameter | UK DPA 2018 / UK GDPR | EU-GDPR |
|---|---|---|
| Purpose | Covers general processing (Part 2, supplementing the UK GDPR), law enforcement processing (Part 3) and intelligence services processing (Part 4). | Covers general processing of personal data only; law enforcement processing in the EU is governed separately by the Law Enforcement Directive (EU) 2016/680. |
| Jurisdiction | Applies to establishments in the UK and to controllers and processors outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. | Applies to establishments in the EU and to controllers and processors outside the EU/EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA (Article 3). Scope depends on where the data subject is located, not on citizenship. |
| Data Protection Officer | Article 37 of the UK GDPR applies as in the EU. In addition, Section 69 of DPA 2018 requires every competent authority processing for law enforcement purposes to designate a DPO, unless it is a court or other judicial authority acting in its judicial capacity. | Article 37 requires the controller and the processor to designate a DPO where they are a public authority, or where their core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data. |
| Supervisory Authorities | The Information Commissioner’s Office is the single independent supervisory authority for DPA 2018 and the UK GDPR. | Each member state has one or more national supervisory authorities (SAs). The European Data Protection Board (EDPB), composed of the heads of those authorities and the European Data Protection Supervisor (EDPS), ensures consistent application; the EDPS itself supervises the EU institutions and bodies. |
| Age of Consent | A child can give valid consent to information society services from the age of 13 (Section 9 of DPA 2018). | A child can give valid consent from the age of 16; member states may lower this threshold, but not below 13 (Article 8). |
| Penalties for Non-Compliance | Higher maximum: £17.5 million or 4% of annual worldwide turnover, whichever is higher. | Higher maximum: €20 million or 4% of annual worldwide turnover, whichever is higher (Article 83). |
How can Public and Private Bodies Comply with UK DPA 2018 and UK GDPR?
When organisations, competent authorities and intelligence services collect personal data, they become accountable for keeping that data safe and secure. To comply with DPA 2018 and the UK GDPR, controllers and processors need, at a minimum, to:
- Identify and document a lawful basis before processing begins (consent is only one of the six bases in Article 6 of the UK GDPR, alongside contract, legal obligation, vital interests, public task and legitimate interests) and make sure it remains valid for as long as processing continues.
- Process personal data lawfully, fairly and transparently, telling data subjects what is being done with their data.
- Keep personal data accurate and up to date, and maintain records of processing activities (Article 30).
- Rectify or erase data without undue delay upon a valid request from the data subject.
- Protect personal data with appropriate technical and organisational security measures (Article 32).
- Define retention periods and erase data securely once they expire.
Erasing data, whether on request or at the end of a retention period, means putting it beyond recovery, which ordinary file deletion or a quick format does not do. For this, organisations should use a secure data wiping utility such as BitRaser, which supports globally recognised data erasure standards and algorithms to wipe data beyond recovery across diverse drives and devices, and which has been tested by ADISA, an independent testing body in the UK that certifies software after rigorous testing of data security and product efficacy.
With automatically generated, detailed erasure reports and a tamper-proof certificate of destruction, BitRaser gives controllers the evidence they need to demonstrate compliance under the accountability principle of DPA 2018 and the UK GDPR. Note that neither law names a particular tool or erasure standard: what they require is that erasure is effective and that the controller can demonstrate it.