Data Protection Act

Since the introduction of the General Data Protection Regulation (GDPR) in 2018, virtually all businesses and organisations across Europe have had to transform the way they handle and manage personal data in order to remain compliant. GDPR placed a spotlight on matters of data protection like never before, but the concept of legally regulating how domestic entities should handle personal data had been in place long before that in the form of the UK Data Protection Act.

Today, the UK Data Protection Act sits alongside UK GDPR as a supplemental framework for managing the general processing of personal data, as well as outlining data standards for law enforcement and intelligence services. In this guide, we’ll look at what the Data Protection Act is, the principles that define it and why it matters in relation to business.

What is the Data Protection Act?

The Data Protection Act (DPA) is an Act of Parliament that dictates data protection laws in the UK. DPA law regulates how organisations and government bodies manage personal and customer information based on a strict set of rules known as ‘data protection principles’.

The UK DPA works in conjunction with European GDPR – indeed both legislate how organisations handle personal information. However, GDPR applies to all organisations and companies registered within the EU, while the UK DPA is the UK’s implementation of GDPR (UK GDPR), which outlines many of the same obligations but from a domestic perspective.

When was the Data Protection Act introduced?

The latest Data Protection Act was introduced on May 25^th 2018 to run parallel with new European GDPR framework that came into effect the same day. It replaced the Data Protection Act of 1998, which was the original UK legislature brought in to protect personal data stored on computers and organised paper filing systems.

The Data Protection Act 2018 was amended on 1^st January 2021 in accordance with the UK’s departure from the EU. The amends removed ‘applied GDPR’ provisions that were enacted in 2018 as they are no longer relevant. These provisions, which include the processing of manual unstructured data and processing data for national security purposes, now fall under UK GDPR legislation.

What are the Data Protection Act principles? Comparing the DPA 2018 and DPA 1998

The DPA 2018 offers two fundamental improvements over the DPA 1998. The first is that it adopted a set of principles that would run parallel with the newly introduced EU GDPR. The second is that it introduced stricter personal data rules fit for a more digitised world.

There were eight principles of the first Data Protection Act of 1998. As per the Information Commissioner’s Officer (ICO), the UK GDPR sets out seven key principles that are presented at the very start of the legislation:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

While these principles are not absolute rules, they are designed to embody the spirit of the new general data protection regime, thus there are very limited exceptions. As such, compliance with these key principles is essential for businesses looking to implement good data protection practices, achieve full compliance and avoid the substantial fines that can come with failure to do so.

What is the purpose of the Data Protection Act?

In its overview of the Data Protection Act 2018, the ICO defines the purpose of the DPA as ‘seeking to empower individuals to take control of their personal data and to support organisations with their lawful processing of personal data’. Upon its introduction, the DPA did three key things to update data protection laws in the UK:

• It supplemented EU GDPR in the UK
• It implemented EU Law Enforcement Directive (LED) in the UK
• It extended data protection laws to areas not covered by the GDPR or the LED

As the ICO puts it, the DPA 2018 provides a ‘comprehensive package to protect personal data’ by clearly establishing the rights of the individual with regards to their data and placing clearly defined responsibilities upon the organisations handling it. There was also a distinct need to update data protection laws for the modern digital world. Elizabeth Denham, who was the British Information Commissioner at the time, said:

“The previous Data Protection Act, passed a generation ago, failed to account for today’s internet and digital technologies, social media and big data. The new Act updates data protection laws in the UK…[and]… provides tools and strengthens rights to allow people to take back control of their personal data.”

Who does the Data Protection Act apply to?

The Data Protection Act applies to any organisation that makes use of personal data. As per UK GDPR, personal data is defined as being information that relates to an identified or identifiable individual.

If you run a business, it’s critical to understand whether you are processing personal data and therefore whether UK GDPR applies to you. The ICO’s guide to ‘What is personal data?’ is a good place to start if you’re unsure.

Why is the Data Protection Act important for businesses?

If your business stores or uses personal information, you must follow rules on data protection. These regulations apply to information kept on staff, customers and account holders. You must ensure any information you keep is stored securely, accurately and kept up to date, and communicate clearly with both the individuals concerned and the ICO on how you’re handling the data.

You can find further details on data protection and your responsibilities as a business via the government website.

In terms of why the above is important for businesses, failure to comply with the DPA 2018 and UK GDPR could land you a substantial fine. As per the ICO, infringements of the basic principles for processing personal data are subject to the highest level of administrative fines. This can mean a fine of up to £17.5m, or 4% of your business’s total global turnover – whichever is higher.

Data Protection Act exemptions

Exemptions from the rights and obligations of the Data Protection Act 2018 are extremely limited, but there are some instances where you may not have to comply with particular UK GDPR provisions. These often depend on why you process personal data and follow a case-by-case basis.

There are some ‘unlisted’ exemptions, which are exemptions by virtue of not actually being covered by the UK GDPR. These include domestic data processing (data processed for exclusively personal or household use), law enforcement and intelligence services processing. There are also various exemption types in a number of key sectors, including:

• Crime, law and public protection
• Regulation, parliament and the judiciary
• Journalism, research and archiving
• Health, social work, education and child abuse
• Finance, management and negotiations
• References and exams
• Subject access requests – information about other people
• National security and defence

You can find a full explanation of Data Protection Act exemptions from the ICO.

Find out more about the Data Protection Act 2018

Understanding the DPA 2018, the UK GDPR and your responsibilities to both as a business is critical to your survival. If you’d like to know more about the DPA and how it impacts you, we’d recommend visiting both the gov.uk and ICO sites, where you can find detailed explanations of the various key elements of the DPA 2018 and how they apply to you. You can view the legislation in full to access the document chapter by chapter. You can also head to our Finance Glossary for more explainers and useful guides. Meanwhile, if you have any questions about any of our products, please feel free to contact us today.