There is less than ten months until Brexit, and we still know little about the process other than the fact that it “means Brexit”. Questions remain over everything from trade deals to the rights of ex-pats, but one issue that has been sorted is the future of the UK’s data protection laws.
The relatively swift handling of this issue is mostly because of the EU General Data Protection Regulation (GDPR), a law that came into force two months before the Brexit vote and which the UK government knew would take effect on 25 May 2018, with the UK still in the EU.
Something needed to be done to prevent organisations complaining that they were being forced to spend huge amounts of money complying with a law that would only temporarily apply to them. The result was the Data Protection Act 2018 (DPA 2018), which is a UK-specific version of the GDPR.
What is the Data Protection Act 2018?
While all the attention has been on the GDPR, the UK Parliament has got on with debating and agreeing the UK’s own implementation of it, and that has now happened.
Fortunately, if you’re not aware of the ins and outs of the DPA 2018, you’re not missing out – provided, that is, you’re aware of the GDPR’s requirements. The DPA 2018 is more or less a facsimile of the Regulation, with only a handful of differences:
- The DPA 2018 specifies the UK’s position on the provisions that the GDPR leaves to each member state’s discretion. The most notable is the age at which someone is no longer considered a child. The Regulation allows EU member states to set the age threshold anywhere between 13 and 16; the UK opted for 13.
- It discusses processing that doesn’t fall within EU law, such as where it relates to immigration or national security.
- It covers the duties, functions and powers of the Information Commissioner’s Office (ICO), which oversees UK data protection and is the designated supervisory authority for GDPR compliance.
- It includes details related to the Freedom of Information Act 2000.
And for those unfamiliar with the GDPR
If you’re still unsure about what the GDPR means, you’re not alone. Many organisations are only beginning to come to terms with the Regulation and apply its requirements. Despite this, it’s important not to panic. As long as you can show that you are working towards compliance, the ICO will take this into account when deciding on penalties. Fines will typically be a last resort; you are much more likely to receive enforcement actions, which are requests to bring your organisation up to standard.
Besides, you aren’t starting completely from scratch. The GDPR has its origins in the Data Protection Directive (DPD), which was adopted in the UK as the Data Protection Act 1998 (DPA 1998). Many of the GDPR’s requirements are simply stricter versions of those stated in the DPD, meaning that if you were previously compliant, you have a strong basis to work from.
Learn more about the GDPR
You can find out more about the GDPR by reading EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide. This in-depth handbook outlines the complexities of the Regulation in an easy-to-understand way, detailing everything you need to know, from data protection terminology to the steps you need to take to become compliant.