May 1, 2024

Navigating UK Data Protection Law: Understanding General Data Protection Regulation, UK GDPR, and UK Data Protection Act 2018

Understand the complexities of UK data protection regulations with our comprehensive guide. Learn about GDPR, UK GDPR, UK DPA, and PECR, and ensure compliance for your business.

Businesses operating in the UK face a complex, yet crucial, task: ensuring they comply with data protection regulations. This landscape involves a quartet of key players: the General Data Protection Regulation (GDPR), the UK GDPR (a post-Brexit adaptation), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations (PECR). Understanding how these regulations work together is essential for businesses to navigate UK data protection law effectively.

This blog post will serve as your guide, demystifying each element and outlining practical steps for compliance.

Simplify cookie compliance in today's privacy-focused online world. Our Cookie Compliance Checklist cuts through the complexity, making it easy to adhere to evolving regulations.

Download Your Free Cookie Compliance Checklist

GDPR vs. UK GDPR vs. UK DPA vs. PECR

The UK data protection landscape is a layered system with four key regulations working together.

The General Data Protection Regulation (GDPR) emerged in 2016 as a legislative cornerstone for data protection across the European Union (EU). It established a comprehensive framework outlining how personal data should be collected, used, and protected by organizations. The GDPR emphasizes transparency, accountability, and individual control over personal information.

Following the UK's exit from the European Union, the UK government incorporated the core principles of the GDPR into its domestic law. This adaptation, known as the UK GDPR, came into effect in 2020. While largely mirroring the EU GDPR, the UK GDPR allows for some potential future divergences. The UK government may introduce slight modifications to the framework over time, although significant changes are not anticipated in the immediate future.

The Data Protection Act 2018 (DPA 2018) is a UK-specific law, enacted in 2018, that complements the UK GDPR. It fills in gaps and addresses specific data protection concerns relevant to the UK context. For example, the DPA 2018 outlines specific lawful bases for processing data by law enforcement agencies, an aspect not explicitly covered by the GDPR. Additionally, the DPA 2018 clarifies the powers of the UK's data protection authority, the Information Commissioner's Office (ICO).

The Privacy and Electronic Communications Regulations (PECR) sit alongside the GDPR and UK GDPR, with a specific focus on electronic communication channels. The PECR governs how businesses can use electronic means, such as email, marketing messages, and cookies, to interact with individuals. It outlines requirements for obtaining consent for electronic marketing communications and sets limitations on unsolicited marketing messages.

These four regulations work together to create a comprehensive framework for data protection in the UK. The GDPR and UK GDPR form the foundation, establishing the core principles and rights regarding data processing. The DPA 2018 complements that foundation by addressing specific UK data protection concerns and clarifying aspects of the UK GDPR. Finally, the PECR focuses on a specific area: it regulates electronic communication and ensures businesses use electronic channels responsibly and respectfully.

How does the UK DPA 2018 impact data privacy in the UK?

The UK DPA 2018 plays a significant role in shaping data privacy for individuals in the UK. 

While the GDPR establishes core rights for data subjects (individuals whose data is processed), the DPA 2018 adds further clarity and strengthens these rights in certain areas. For instance, it allows for specific exemptions to the right to erasure under certain circumstances, providing a more nuanced approach.

The DPA 2018 tackles data protection issues unique to the UK context. It defines lawful bases for processing data by law enforcement agencies, an aspect not explicitly covered by the GDPR. This ensures transparency and accountability in how public authorities handle personal information.

The UK DPA 2018 empowers the Information Commissioner's Office (ICO), the UK's data protection authority, with additional investigative and enforcement powers. This strengthens enforcement of data protection regulations and deters potential violations.

It also acts as a companion piece to the UK GDPR. It provides additional details and guidance on implementing the GDPR's principles within the UK. This fosters a more comprehensive and practical framework for businesses to navigate.

In essence, the DPA 2018 builds upon the foundation laid by the GDPR, tailoring it to the UK's specific needs and strengthening individual rights in the process. This creates a robust data protection environment that protects personal information and empowers individuals to control their data.

What is personal data under UK DPA?

The definition of personal data under the UK DPA 2018 mirrors the one used in the UK GDPR. It essentially refers to any information that relates to an identified or identifiable natural person ("data subject"). 

Directly Identifiable: Information that directly pinpoints a person, such as:

  • Name
  • National identification number (e.g., National Insurance number)
  • Location data (including IP address in certain contexts)
  • Online identifier (e.g., username, social media profile)
  • Biometric data (fingerprints, facial recognition)
  • Genetic data
  • Information revealing physical, physiological, mental, economic, cultural, or social identity

Indirectly Identifiable: Information that, when combined with other pieces of data, could identify an individual. This could include:

  • Date of birth
  • Place of birth
  • Phone number
  • Email address
  • Browsing history
  • Purchase history
  • Loyalty card information

The definition is broad, encompassing any information that could potentially be used to identify a specific person. Organizations must carefully consider what data they collect and store, ensuring a lawful basis for processing it under the regulations.

The DPA 2018 doesn't differentiate between different categories of personal data (like sensitive data) in its definition. However, the UK GDPR offers additional protections for special categories of personal data, such as racial or ethnic origin, political opinions, religious beliefs, and health data.


Who needs to comply with the UK Data Protection Act 2018?

The UK DPA 2018 applies to any organization that processes personal data about individuals located in the UK, regardless of the organization's physical location. This means the following need to comply with the DPA 2018:

  • Businesses operating in the UK: This includes companies of all sizes, from small startups to large corporations, as long as they collect, store, or use personal data of UK residents.
  • Public authorities: Government agencies, local councils, and other public bodies that process personal data in the course of their duties must also comply with the DPA 2018.
  • Non-UK businesses: Even companies based outside the UK need to comply with the DPA 2018 if they offer goods or services to individuals in the UK or monitor the behavior of UK residents online (e.g., using cookies to track website visitors).

The DPA 2018 focuses on organizations that "process" personal data. Processing refers to any activity performed on personal data, such as collecting, storing, using, disclosing, or erasing it. The DPA 2018 applies when the data subject (the individual whose data is processed) is in the UK.

There are a few limited exceptions to the DPA 2018. For instance, the Act generally doesn't apply to personal data processed solely for personal, non-commercial purposes. However, these exceptions are narrow, and most organizations that handle personal data will need to comply with the DPA 2018.

What are the 7 principles of the UK DPA 2018?

The UK Data Protection Act 2018 incorporates the seven core principles established by the General Data Protection Regulation (GDPR). These principles are designed to ensure the lawful and ethical treatment of personal data. Here are the seven principles:

  1. Lawfulness, fairness and transparency: This principle requires organizations to have a legitimate reason for collecting and using personal data. Individuals must be informed about how their data is being collected and used in a clear and understandable way.
  2. Purpose limitation: Personal data can only be collected for specific, clearly defined purposes and cannot be processed in a manner incompatible with those purposes.
  3. Data minimization: Organizations should only collect and use the minimum amount of personal data necessary for the intended purpose.
  4. Accuracy: Personal data should be accurate and, where necessary, kept up to date.
  5. Storage limitation: Personal data should not be kept for longer than is necessary for the purpose for which it was collected.
  6. Integrity and confidentiality (security): Organizations must implement appropriate technical and organizational measures to protect personal data from unauthorized or unlawful processing and accidental loss, destruction, or damage.
  7. Accountability: The organization processing the data is ultimately responsible for ensuring compliance with all these principles.

What are the rights of the data subjects?

The UK GDPR, which is incorporated into the Data Protection Act 2018, grants several rights to data subjects (individuals whose personal data is being processed). These rights empower individuals and give them control over their personal information. 

  • Right to be informed: You have the right to understand how your data is being collected and used. This includes knowing the identity of the organization processing the data, the purpose of the processing, and any third parties your data might be shared with.
  • Right of access: You can request a copy of your personal data from the organization holding it. This allows you to verify what data is being processed and ensure its accuracy.
  • Right to rectification: If your personal data is inaccurate or incomplete, you have the right to request it be corrected or updated.
  • Right to erasure (right to be forgotten): In certain situations, you can request your data to be deleted. This right applies when the data is no longer necessary, you withdraw consent, or the processing is unlawful.
  • Right to restrict processing: You can restrict how your data is used even if the organization can still store it. This applies in situations like contesting the accuracy of your data or objecting to its processing.
  • Right to data portability: You have the right to receive your personal data in a commonly used and machine-readable format. This allows you to transfer your data to another organization if needed.
  • Right to object: You can object to your data being processed for marketing purposes or where it relies on legitimate interests as the legal basis.
  • Rights in relation to automated decision-making and profiling: You have the right to be informed about and potentially object to automated decisions made about you (e.g., using algorithms) that significantly affect you.

What are the requirements for businesses under UK DPA?

Businesses operating in the UK are subject to the requirements outlined in the Data Protection Act 2018 (DPA 2018), which reflects the General Data Protection Regulation (GDPR). 

Businesses must have a lawful reason for collecting and using personal data. This could be consent, contract fulfillment, compliance with a legal obligation, or protecting the vital interests of the individual. Businesses must be transparent about how they collect and use personal data. This includes providing individuals with a clear privacy policy outlining what data is collected, why it's used, and who it might be shared with. In most cases, businesses will need to obtain clear and specific consent from individuals before processing their data.

Businesses should only collect and use the minimum amount of personal data necessary for the specific purpose. Data should not be kept for longer than is necessary for the intended purpose. Businesses should have clear data retention policies in place.

Businesses are obligated to implement appropriate technical and organizational measures to protect personal data from unauthorized access, accidental loss, or destruction. This includes data encryption, access controls, and staff training. Businesses must have procedures in place to respond to requests from individuals exercising their data subject rights (e.g., access, rectification, erasure). These requests must be handled within a specific timeframe (usually one month).

Businesses are required to maintain records of their processing activities, demonstrating compliance with the DPA 2018 principles.

Who enforces UK DPA?

The Information Commissioner's Office (ICO) enforces the UK Data Protection Act 2018 (DPA 2018). It acts as the independent supervisory authority for data protection in the UK.

The ICO has a range of responsibilities including investigating complaints about potential breaches of the DPA 2018, issuing fines to organizations found to be non-compliant, providing guidance and resources to businesses and individuals on data protection rights and obligations, and promoting awareness of data protection issues.

How can Secure Privacy help you comply with the UK Data Protection Act 2018?

Secure Privacy provides you with a comprehensive SaaS to comply with the UK Data Protection Act. It includes a cookie banner (see the ICO Cookie Guidelines) for obtaining lawful consent, records of consent, a privacy policy and cookie policy generator, a data subject request form, and other features.

Start your Free Trial