Data Protection Act 2018 Summary
In all the noise surrounding the General Data Protection Regulation (GDPR), it may have been easy to miss the UK passing the Data Protection Act 2018 at the same time.
The Act largely replicates the GDPR into UK law in the long term. However, GDPR allows individual states some flexibility to add their own detail in relation to specific areas to fit with the national context. The Act fills in these gaps.
As a result, it creates new conditions that allow the processing of special category data, that is, information relating to health, disability, ethnicity and religion (among others). It also sets out exemptions that apply, where relevant, when answering data subject requests: for example, where you can withhold information in response to a subject access request, or where you may have to tell someone that you are holding their information.
It puts the EU Law Enforcement Directive into UK law. So, any handling of criminal offence information will fall under the Act. The Act also requires the Information Commissioner to publish codes of practice on certain topics. These include direct marketing and data sharing, shaping how organisations are expected to act in those areas.
It provides information about the powers the Commissioner has to require organisations to pay a fee to allow their use of personal data. The Data Protection Act 2018 Regulations have already come into force and set out the various fee levels for data controllers.
So, although GDPR has dominated headlines, you must be aware of the content of the Act. While GDPR does underpin much of the Act, it adds detail in a number of key areas. You have to read them together so that decisions taken in relation to personal data are legally sound.
What this means for you
If you've already gone through the process to be ready for the GDPR then it's unlikely (although not impossible) that the DPA 2018 will mean more changes to your organisation. If you haven't looked at what you need for the GDPR, then you are likely to have to undertake a journey.
The GDPR and DPA 2018 combine to oblige organisations to respect the rights of data subjects. At the very highest level, this means that both you and the data subjects should understand where you collect personal data from, how you process it (and on what legal basis) and where it goes to. Additionally, some activities are restricted and there are some procedures that you may need to adopt. The scope of these will very much depend on the nature, scope and context of the data that you process.
How we can help
If the next steps elude you, or you would like some guidance, please speak to us. We will happily walk you through the process that we would follow. If you would like us to assist beyond that initial free guidance, we would be happy to help. If you would like to take it forward on your own, that would be fine as well.
Useful External Links
The Data Protection Act 2018: Regulations