The UK Data Protection Act 2018 and UK General Data Protection Regulation

Now the Brexit transition period has ended, the DPA 2018 and UK GDPR are the primary data protection legislation for organisations that process UK residents’ personal data.

Speak to an expert

Please contact our expert team, who will be able to give advice and guidance about the compliance options.

What is the Data Protection Act (DPA) 2018?

The Data Protection Act 2018 is a UK law that sets out how personal data must be collected, handled and stored to protect people’s privacy. It also gives individuals the right to know what personal data is held about them and to have that data erased in certain circumstances.

The Act came into force on 25 May 2018 and replaced the Data Protection Act 1998.

Read the full text of the DPA 2018

Book a DPA 2018 training course

UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information Bill through parliament and will keep you updated on how it might affect your data processing obligations.

What is the UK General Data Protection Regulation (UK GDPR)?

The UK GDPR is the UK’s post-Brexit version of the EU GDPR.

EU regulations apply in member states with all the force of domestic law. After the UK left the EU on 1 January 2019, there was a transition period, during which EU law applied in the UK.

The transition period ended on 31 December 2020 and EU law ceased to apply directly.

The DPPEC (Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit)) Regulations 2019 – secondary legislation passed under the EU Withdrawal Act – then amended the EU GDPR to create a domestic data protection law: the UK GDPR.

The UK GDPR is very similar to the EU GDPR, so organisations that comply with the latter are likely to be in compliance with the former.

Learn more about GDPR compliance

Remember that if you process EU residents’ personal data, you will still have to comply with the EU GDPR.

Read more about the EU GDPR

New data protection rules

IT Governance can help you easily amend your current policies and procedures to ensure they remain compliant with the law now the Brexit transition period has ended.

Learn more

UK GDPR overview

The UK GDPR is substantially similar to the EU GDPR.

For instance, data subjects still have the same rights:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision-making and profiling.

There are still six data processing principles and six lawful bases for lawful processing, and data controllers and processors are still obliged to ensure the security of the personal data they process.

Learn more about GDPR compliance

However, there are some areas of divergence.

Important differences between the DPA 2018/UK GDPR and the EU GDPR

Child consent age

  • EU GDPR: A child can consent to data processing at age 16.
  • DPA 2018/UK GDPR: A child can consent at age 13.

Processing of criminal data

  • EU GDPR: Processors of criminal data must have official authority to do so.
  • DPA 2018/UK GDPR: Processors of criminal data do not require official authority.

Automated decision making/processing

  • EU GDPR: Data subjects have rights to refuse automated decision making or profiling.
  • DPA 2018/UK GDPR: Permits automated profiling subject to legitimate grounds for doing so.

Data subject rights

  • EU GDPR: Enhances data subjects' rights relating to how their personal data is processed.
  • DPA 2018/UK GDPR: Data subject rights can be waived if they significantly inhibit an organisation’s legitimate need to process data for scientific, historical, statistical and archiving purposes.

Privacy vs Freedom of Expression

  • DPA 2018/UK GDPR: An exemption exists in relation to the processing of personal data if it is in the public interest.

Representatives

  • EU GDPR: Many non-EU data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in the EU.
  • DPA 2018/UK GDPR: Many non-UK data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the UK must appoint a representative in the UK.

Administrative fines

  • EU GDPR: The maximum fine for non-compliance is €20 million or 4% of annual global turnover.
  • DPA 2018/UK GDPR: The maximum fine for non-compliance is £17.5 million.

Free green paper: The Data Protection Act 2018 – Understanding the basics

Free green paper: The Data Protection Act 2018 – Understanding the basics

Download this free paper for a complete introduction to the DPA 2018. It covers how the DPA 2018 differs from the GDPR, how the Act applies to law enforcement and intelligence services processing, and the DPA 2018 after Brexit.

Download now

Brexit and the UK GDPR

Since the end of the Brexit transition period on 31 December 2020, the EU GDPR no longer applies to the processing of UK residents’ personal information.
However, it does still apply to UK organisations that process EU residents’ personal data.
If you are in the UK and offer goods and services to, or monitor the behaviour of, EU residents, you may need to:

  • Appoint an EU representative.
  • Identify a lead supervisory authority in the EU.
  • Update any contracts governing EU–UK data transfers to incorporate standard contractual clauses; and/or
  • Update your policies, procedures, and other documentation in light of the changes you make.

Find out more about data protection law in the UK after Brexit

UK DPA 2018 overview

As revised by the DPPEC Regulations, the UK DPA 2018’s main provisions are as follows.

  • Part 2, Chapter 2 supplements the UK GDPR and should be read alongside the Regulation by every UK organisation that processes personal data.
  • Part 2, Chapter 3 sets out exemptions for manual unstructured processing and for national security and defence purposes.
  • Part 3 sets out the regime for processing personal data for law enforcement purposes. Learn more about Part 3 processing ​
  • Part 4 sets out the regime for processing personal data by the UK’s intelligence services. Learn more about Part 4 processing ​

(Part 1 contains preliminary information, Part 5 deals with the powers of the Information Commissioner, Part 6 covers enforcement and Part 7 provides supplementary information.)

Identifying which data processing regime applies to the processing you carry out is essential.

How IT Governance can help you comply with the UK GDPR and DPA 2018

IT Governance has been at the forefront of GDPR compliance solutions since before the Regulation came into effect.

We can help you identify your data protection requirements and provide a wide range of GDPR and data protection books, training and staff awareness courses, tools, policy templates, software and consultancy services to help you comply.

These include:

This website uses cookies. View our cookie policy
SAVE 25% ON
FOUNDATION TRAINING