The Queens Speech in June 2017 set out plans for the U.K. to have a new Data Protection Bill which would be “world-class” replacing the Data Protection Act 1998 with the Data Protection Act 2018, as the UK’s data protection law. With so many changes going on in 2017 and 2018 around data protection, businesses sometimes are left wondering what do all these changes mean.
1.What is the Data Protection Act 2018?
The U.K. does have the Data Protection Act 2018, which came into force on the 25th May 2018, at the same time as the General Data Protection Regulation. This new data protection law in the UK replaces the Data Protection Act of 1998.
2. What are some of the differences between GDPR and DPA 2018?
There are some changes between the two legislation such as the age of consent for minors and automated decision making along with some of the definitions. There is need to have EU representative for those operating outside this EU and similar approach is mirrored for the U.K following Brexit.
At the start of this Act, in Part 1 it is quite clear that “most of the processing of Personal Data is subject to GDPR” – in a nut-shell this means that businesses will have not completely moved away GDPR and it continues to be applied including any amendments into UK law after UK leaves the EU.
The DPA 2018, in terms refers to the GDPR in the following way:-
“The GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). “The applied GDPR” means the GDPR as applied by Chapter 3 of Part 2.
The rest of the parts relating to personal data are split in the following way: –
- Part 2- supplements the GDPR;
- Part 3 – processing by competent authorities for law enforcement;
- Part 4 – processing by intelligence services.
- Part 5 – provisions for the Information Commissioner.
- Part 6 – enforcement of the data protection legislation.
3. Part 2- Supplements the GDPR of the Data Protection Act 2018
The supplements pieces in Part 2 of the Data Protection Act 2018 (“DPA 2018”), are additional parts which are not covered in the GDPR. Let us focus on Part 2.
2.1 Considering the changes in the Data Protection Act 2018 in Part 2
The first thing you notice about Part 2 of the DPA 2018, is that it deals with public bodies and authorities. There is a meaning given to authorities and public bodies in the U.K. and it also incorporates the definition under the Freedom of Information Act 2002. It is further descriptive in that those who carry out public tasks in the interest of the public and who exercise public authority but excludes parish council in England and community council in Wales and Scotland.
Secondly, in relation to the purpose processing personal data for public interest this has been expanded from Article 6 of GDPR with new categories, it now includes:- (a) administration of justice, (b) the exercise of a function of either House of Parliament, (c) the exercise of a function conferred on a person by an enactment or rule of law, (d) the exercise of a function of the Crown, a Minister of the Crown or a government department, or (e) an activity that supports or promotes democratic engagement. With these new categories ensure public bodies need to ensure that correct lawful purposes are aligned
The next big change is the children’s consent in relation to information society services (e.g. offer of online services) whereas the GDPR Article 8(1) had age of 16 this has now been reduced to age of 13 under the DPA 2018.
2.2 What are the supplementary parts for special categories of personal data in Part 2?
Special categories of personal data must have a category under Article 6 and Article 9 of the GDPR. On top of this, let’s say you are dealing with employment-related personal data there are additional safeguards under DPA 2018, Part 2 (10) to meet under Schedule 1. These additional safeguards apply to employment, social security, social protection, substantial interest, health and social care, public health for sensitive personal data and archiving purposes.
In Article 10 of the GDPR, reference is made to personal data relating to criminal convictions and offences. On top of this, any processing of personal data is to meet the additional requirements for example of policy, under the Data Protection Act 2018.
Those businesses that are operating as credit reference agencies processing personal data around individual’s finances there are further obligations under the DPA 2018 under Article 15 (1) as to confirmation of processing, access along with adopting safeguards and deal with transfers outside the EU.
3. The changes in Chapter 3
In chapter 3 of the DPA 2018, the scope is applied to activities outside of the EU law and public freedom of information manual processing. What’s remained the same is the household activities and the use of personal data along with paper-based and automated processing which is outside the scope of the legislation.
4. What About Scheduled Changes?
At the end of the DPA 2018, there are a few schedules which provide derogation to the GDPR. For example, in Schedule 3 the exemptions relate to the health, education and social care personal data. If there is any personal data processed in this particular schedule the court is exempt where it processes health personal data.
5. Demonstrating Compliance
There is a responsibility to demonstrate compliance with DPA 2018 legislation as mentioned above with any other supporting data protection legislation subject to the UK, such as the UK GDPR, applying any agreed exemptions.Get Your Free Consultation