The EU GDPR (General Data Protection Regulation) and DPA 2018 (Data Protection Act)
The EU GDPR (General Data Protection Regulation) superseded the Data Protection Directive 1995 and all member state law based on it on 25 May 2018.
The UK DPA (Data Protection Act) 2018 came into force at the same time, modifying the EU GDPR by filling in sections that were left to individual member states to interpret and implement.
The DPA 2018 also applies “a broadly equivalent regime” – which it calls “the applied GDPR” – to certain types of personal data processing that fall outside the EU GDPR’s scope, including processing by public authorities. It also sets out data processing regimes for law enforcement and intelligence purposes.
Because the DPA 2018 supports the GDPR rather than enacting it, the two laws should be read together.
A brief history of data protection law in the UK
The Data Protection Directive 1995 and the DPA 1998
The DPA 1998 enacted the provisions of the EU’s Data Protection Directive 1995 (Directive 95/46/EC) in the UK.
Among other stipulations, it set out eight data protection principles to ensure that personal data was:
- Processed fairly and lawfully;
- Obtained and processed only for specific and specified purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not retained for longer than necessary;
- Processed in accordance with the individual’s rights;
- Held with appropriate levels of security; and
- Not transferred outside the EEA (European Economic Area) without adequate levels of legal protection.
Organisations found to be in breach of the DPA 1998 could be fined up to £500,000 by the ICO (Information Commissioner’s Office).
The Data Protection Directive 1995 and all local laws derived from it, including the DPA 1998, have now been superseded by the EU GDPR.
The EU GDPR and the DPA 2018
Originally proposed by the European Commission in January 2012, the EU GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament in April 2016, published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May 2016. Following a two-year transition period, it has been enforced in all EU member states since 25 May 2018.
In the UK, a new Data Protection Act was also enacted in May 2018 to supplement the EU GDPR by filling in sections of the Regulation that were left to individual member states to interpret and implement, and applying its provisions – or at least a “broadly equivalent regime” – to certain areas outside the EU GDPR’s scope.
Under the EU GDPR, data subjects also have the right to lodge a complaint with the supervisory authority (the ICO) if they consider that the processing of their personal data infringes the Regulation, and the right to an effective judicial remedy against data controllers and processors if they consider their rights to have been infringed by processing that does not comply with the Regulation.
On top of this, the ICO has the power to “impose a temporary or definitive limitation including a ban on processing” (Article 58(2f) of the EU GDPR) – i.e. it can effectively shut organisations down altogether.
Both the EU GDPR and the DPA 2018 are backed by a regime of considerably higher penalties than the DPA 1998, with administrative fines of up to €20 million (about £17 million) or 4% of annual global turnover – whichever is greater.
The PECR and the ePR
The ePrivacy Regulation or ePR (Regulation on Privacy and Electronic Communications) is set to replace the 2002 ePrivacy Directive and all member state laws that enforce it, including the PECR. It was originally intended to come into effect alongside the EU GDPR on 25 May 2018, but is now tentatively scheduled to apply from 2019.
The ePR is broader in scope and aims to ensure stronger privacy in all electronic communications – including OTT (over-the-top) service providers such as instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of Things).
The difference between EU regulations and directives
The EU has two primary types of legal instrument that are used to regulate business: directives and regulations.
- Directives set minimum standards and parameters for the EU but leave the actual implementation to the member states themselves. When a directive is passed, the EU sets a deadline by which every member state must have put the directive into force, whether by law, regulation or other initiative.
- Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. The ePR and the EU GDPR fall into this category. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.
The future: Brexit, cross-border data transfers and adequacy
When the UK leaves the EU, the EU GDPR will no longer directly apply, but its requirements will still be part of UK law.
After Brexit, the government plans to combine the provisions of the EU GDPR with the applied GDPR to form a data processing regime called the UK GDPR.
How IT Governance can help you to comply
IT Governance, a leading global provider of IT governance, risk management and compliance solutions, is at the forefront of helping organisations globally address the challenges of data protection.
Browse our best-selling data protection products and services below.