In the run-up to the GDPR (General Data Protection Regulation), experts repeatedly described the law as the successor to the UK’s DPA (Data Protection Act) 1998.
But that was somewhat misleading, because the same day the GDPR came into force, the UK adopted the DPA 2018. Technically, this is the law that replaces the DPA 1998, and both it and the GDPR currently apply to all organisations in the UK that process personal data.
The DPA 2018 is essentially a UK-specific complement to the GDPR, and was created for three reasons. First, it states the UK’s position on areas of the Regulation that are left for each member state to decide.
Second, the DPA 2018 adds requirements that fall outside the GDPR’s scope, such as processing by law enforcement and intelligence services.
Third, it ensures that the UK will retain the GDPR’s requirements after it leaves the EU. The UK government decided that it makes sense to continue using the existing framework, given that it already applies in the UK.
An overview of the DPA
The DPA is divided into seven parts, but only three are relevant in terms of compliance.
- Part 2: General data processing
This section fills in gaps that the GDPR leaves for individual member states to interpret. It should be read alongside the GDPR by every UK organisation that processes personal data.
It also applies a broadly equivalent regime, known as “the applied GDPR”, to certain types of processing that are outside the Regulation’s scope, such as processing by public authorities.
Lastly, it modifies the GDPR in several ways. For example, Sections 6 and 7 of the DPA 2018 clarify the meaning of the terms ‘controller’, ‘public authority’ and ‘public body’.
Similarly, Section 8 clarifies what constitutes a task carried out in the public interest or the exercise of official authority, and Section 9 sets 13 as the age at which someone is no longer a child (the GDPR gave member states the freedom to define it anywhere between 13 and 16).
- Part 3: Law enforcement processing
This section implements the EU Law Enforcement Directive, and sets out the regime for processing personal data for law enforcement purposes.
Note that this section applies only to processing for law enforcement purposes, that is, the “prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.
- Part 4: Intelligence services processing
The UK government decided that there must be specific data protection requirements for MI5, MI6 and GCHQ.
As a result, the DPA 2018 includes provisions based on Council of Europe Data Protection Convention 108 that apply to them.
The DPA after Brexit
The future relationship between the DPA 2018 and the GDPR depends, like so many things, on Brexit.
The DPA 2018 currently complements the GDPR, but that obviously isn’t viable after the UK leaves the EU because the Regulation will no longer apply.
As such, the UK has drafted an amendment to the DPA 2018 that replaces its references to EU laws, institutions, currency, etc. with British equivalents, and combines the applied GDPR (in Part 2 of the DPA 2018) with the provisions of the GDPR.
This new regime will be known as the UK GDPR.
If the UK leaves the EU without a deal, the UK GDPR will apply from the moment the deadline passes (currently 29 March 2019).
However, if a deal is reached, the UK will operate under the existing set-up – with the DPA 2018 supplementing the EU GDPR – until the end of the transition period (currently 31 December 2020).