The Queen’s Speech in June 2017 set out plans for the U.K. to have a new, “world-class” Data Protection Bill, replacing the Data Protection Act 1998 with the Data Protection Act 2018. With so many changes to data protection in 2017 and 2018, businesses are sometimes left wondering what all these changes mean.
- GDPR and the Data Protection Act 2018.
Yes, the U.K. does have a new Data Protection Act 2018, which came into force on the 25th May 2018. At the start of this Act, in Part 1, it is quite clear that “most of the processing of Personal Data is subject to GDPR”. In a nutshell, this means that we have not completely moved away from the GDPR and it continues to apply.
The rest of the parts relating to Personal Data are split in the following way:
- Part 2 – supplements the GDPR;
- Part 3 – processing by competent authorities for law enforcement;
- Part 4 – processing by the intelligence services;
- Part 5 – provisions for the Information Commissioner;
- Part 6 – enforcement of the data protection legislation.
- Part 2 – Supplements the GDPR of the Data Protection Act 2018.
The supplementary provisions in Part 2 of the Data Protection Act 2018 (“DPA 2018”) are additional parts which are not covered in the GDPR. Let us focus on Part 2.
- Let us consider some of the changes in the DPA 2018 in Part 2
The first thing you notice about Part 2 of the DPA 2018 is that it deals with public bodies and authorities. A meaning is given to authorities and public bodies in the U.K., and it also incorporates the definition under the Freedom of Information Act 2002. It goes on to describe them as those who carry out public tasks in the interest of the public and who exercise public authority, but it excludes parish councils in England and community councils in Wales and Scotland.
Secondly, the purpose of processing Personal Data in the public interest has been expanded from Article 6 of the GDPR with new categories. It now includes: (a) administration of justice, (b) the exercise of a function of either House of Parliament, (c) the exercise of a function conferred on a person by an enactment or rule of law, (d) the exercise of a function of the Crown, a Minister of the Crown or a government department, or (e) an activity that supports or promotes democratic engagement. With these new categories, public bodies need to ensure that the correct lawful purposes are aligned.
The next big change is children’s consent in relation to information society services (e.g. the offer of online services): whereas GDPR Article 8(1) had an age of 16, this has now been reduced to an age of 13 under the DPA 2018.
- What are the supplementary parts for special categories of Personal data in Part 2?
Special categories of Personal Data must have a category under Article 6 and Article 9 of the GDPR. On top of this, if you are dealing with, for example, employment-related Personal Data, there are additional safeguards under DPA 2018, Part 2 (10) to meet under Schedule 1. These additional safeguards apply to employment, social security, social protection, substantial interest, health and social care, public health and archiving.
In Article 10 of the GDPR, reference is made to Personal Data relating to criminal convictions and offences. On top of this, any processing of this Personal Data must meet the additional requirements, for example of policy, under the Data Protection Act 2018.
Businesses operating as credit reference agencies that process Personal Data about individuals’ finances have further obligations under the DPA 2018 under Article 15 (1) as to confirmation of processing and access, along with adopting safeguards and dealing with transfers outside the EU.
If you need help with getting your business ready for the GDPR or DPA 2018, we’re happy to discuss the changes with you. Email us at email@example.com.