A Guide to the Data Protection Act 2018

Last updated on 04 November 2019

Big changes are sweeping across the United Kingdom's political stage as the country prepares to withdraw from the EU. This leaves online companies who do business in or with the UK asking, "So does the General Data Protection Regulation (GDPR) apply to UK citizens or not?"

The Data Protection Act of 2018 is the UK's final answer to that question.

By adopting the statutes of the GDPR, the DPA passes EU privacy regulations into UK law. In this way, the UK ensures that its citizens will be protected by the same privacy regulations as EU citizens.

In fact, DPA 2018 is even more specific than the GDPR in some areas, expanding on state-specific provisions.

Data Protection Act 2018 Basics

DPA 2018 replaces the previous UK regulation, DPA 1998. It was passed with three main intentions:

  • To pass the tenets of the GDPR into UK law so that the same stipulations that protect citizens of the EU will also protect citizens of the UK, even after it officially withdraws from the EU
  • To specify the UK's position on sections of the GDPR that are left up to each member state to decide
  • To elaborate on local privacy issues that are beyond the scope of the GDPR, such as law enforcement and intelligence affairs

DPA 2018 applies to any business that collects personal information from UK residents and, first and foremost, it adopts the major tenets of the GDPR, such as:

  1. Full Transparency - Any business that collects personal information from UK residents must be open and honest about how and why they collect the data, as well as how the information is used and shared. Risks to personal information and data breaches must be communicated to authorities and data subjects in a timely manner.
  2. Legal Basis and Consent - In order to collect, process, or store consumer data, businesses must identify and publish their legal basis for processing the data. If the legal basis is consumer consent, that consent must be obtained in a legal and valid manner.
  3. Consumer Rights - All UK residents are granted rights in regard to privacy and personal data, such as the right for users to access their own data, or the right to withdraw consent. These rights must be posted in the Privacy Policy of every company website and upheld within a timely manner upon request.
  4. Data Limitation - Businesses may only collect the data necessary to fulfill specific processing purposes and may only use personal data to fulfill those purposes that the consumer agreed to. Furthermore, once the purposes for data processing have been fulfilled, personal data that is no longer used or needed must be erased.
  5. Privacy by Design - All data processing activities, tools, and infrastructure must be designed with consumer privacy and data security as a priority. Data security should be integrated into every process by default and by design.
  6. Data Protection Measures - Additional protection measures must be taken in situations that present a high risk to data security. Data Protection Impact Assessments will be required before high-risk projects may be carried out, and international data transfers may not be performed without the approved safeguards.
  7. Personnel - All employees who handle consumer data must be trained in DPA requirements. Data Protection Officers and/or UK representatives may also need to be employed by some companies.

Key Differences Between the GDPR and DPA 2018

Even though the DPA performs the function of passing GDPR requirements into UK law, there are some differences between the two. The DPA elaborates on some areas that the GDPR leaves up to local interpretation, for one thing, and it also clarifies privacy matters that are not covered by the GDPR.

These are some of the key differences between DPA 2018 and the GDPR.

  • The DPA further specifies fines and criminal repercussions for privacy law infringements, such as unlimited fines for individuals who illegally re-identify consumer data that was previously anonymized for data protection purposes.
  • The UK designates the age of consent at 13, whereas the GDPR leaves the option open for member states to define the age of consent anywhere between 13 and 16 years old.
  • Areas that are not covered by the GDPR, such as data processing for law enforcement, national security, and immigration, are covered by the DPA.
  • The DPA clarifies some terms and definitions, elaborating on GDPR definitions of personal identifiers, public bodies, controllers, processors, and so on.
  • The GDPR states that data subjects may object to any automated processing or profiling of personal data while the DPA allows for automated processing and profiling if there are legitimate grounds for doing so.
  • The DPA allows for some consumer privacy rights to be waived when data processing is necessary for approved scientific, historical, or statistical purposes. The GDPR does not.
  • In the UK, some exemptions exist for data processing that is carried out for the greater public interest.

It is evident that there are a few rare cases in which DPA statutes may contradict those of the GDPR. The natural question is, which will be applied to your business activities? The short answer is that, at the moment, the GDPR takes precedence over the DPA for businesses collecting personal information from UK citizens.

When the UK leaves the European Union, however, the DPA will be the primary privacy regulation that applies to UK residents.

How to Comply with DPA 2018

Since the UK will most likely be withdrawing from the European Union before 2020, companies that collect personal data from UK consumers would be well-advised to comply with DPA 2018 as soon as possible.

Below we've listed the basic requirements set forth by DPA 2018 for businesses that collect personal information from UK residents.

Post a Privacy Policy

Post a public Privacy Policy that describes data processing activities in clear, plain language. The Privacy Policy should include the following:

  • Detailed descriptions of which types of personal information you collect, your methods for collecting that data, how it is used, and with whom it is shared
  • Which legal bases justify your collection of personal data
  • A description of your data retention practices
  • The rights of UK residents in regard to their own personal data, as well as how those residents may request or claim those rights
  • The methods used to perform and safeguard international data transfers
  • Contact information for the company Data Protection Officer, or the department that handles privacy matters in the absence of a DPO

Facebook's Data Policy (same thing as a Privacy Policy here) is organized with each of these elements, as demonstrated in the Table of Contents section:

Facebook Privacy Policy subsections

This type of format makes it very easy for readers to jump to the section most relevant to their needs at the moment and helps keep things organized. While it isn't necessary, organizing your Privacy Policy with some sort of table of contents, using key points as section titles, is a nice touch.

Disclose Your Legal Bases for Processing Personal Information

Different types of businesses will need to use different types of legal bases for collecting and processing consumer data. These are the six possible legal bases for processing UK consumer data:

  1. Fulfillment of a contract
  2. Consumer consent
  3. Public interest or vested authority
  4. Protection of an individual's vital interest
  5. Legal obligation
  6. To fulfill the legitimate interest of an individual without intruding upon individual rights and freedoms

Once you have your legal bases identified, be sure to list them in your Privacy Policy, as the European Advertising Standards Alliance (EASA) has done here:

EASA Privacy Policy: Excerpt of Legal Basis clause

Most online businesses will fall under contract, legitimate interest, or consent. If you're not sure which applies to your business practices, it might be a good idea to seek advice from a legal expert or data protection expert.

If user consent is one of your legal bases, you will need to make sure your practices for obtaining consent are considered valid by the DPA. This means that consent collection methods must be:

  • Unambiguous - Consent forms must be simple, clear, and easy to understand.
  • Explicit - Consent must never be assumed or bundled in with other offers or items.
  • Informed - Users should be informed fully as to what they are consenting to.
  • Freely given - Consent must be given via a clear, affirmative action, such as by ticking a checkbox or clicking a button. Pre-ticked checkboxes will not be considered valid.
  • Recorded - You must keep records of consent for each consumer you collect information from.

Remember, consent should be obtained before any personal data is collected from a UK resident, so make sure to implement a cookie banner if your website or mobile app uses cookies.

Here is a great example from Mailchimp:

Mailchimp cookies consent notice

Mailchimp informs the user as to why and how cookies are used. The customer then has the option to agree and consent to the use of cookies or change cookie settings. In this way, Mailchimp obtains the informed, unambiguous consent of each user before placing cookies on their internet browser.

When it comes to consent on contact forms or signup forms, the same conditions of consent will be required.

This signup form on the Starbucks website exhibits explicit and freely given consent:

Starbucks Create Account form with checkboxes and email consent

As you can see, Starbucks invites new members to consent to receive email marketing messages and to agree with the Terms and Conditions before creating an account. The checkboxes are not pre-ticked, so the user has to perform a clear, affirmative action in order to provide consent.
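The consent conditions listed above (unambiguous, explicit, informed, freely given, recorded) and the cookie banner and signup form examples all come down to the same few checks in code. The following is an added example, not code from the original article or from Mailchimp or Starbucks: it turns a user's interaction with a banner or form into a stored consent record, refuses to treat a dismissed banner or a pre-ticked box as consent, gates each non-essential purpose on that record, and records withdrawal. The purpose names, policy version, record fields and sample interactions are all assumptions constructed for the example.

```javascript
// Added example (not from the original article): consent-record helpers modelling
// the DPA 2018 / GDPR consent conditions. All names and sample values are assumed.

const POLICY_VERSION = "2019-11-04";                 // assumed: version of the policy shown to the user
const CONSENT_PURPOSES = ["analytics", "marketing"]; // assumed non-essential purposes needing consent

// Initial state shown on the banner or form: nothing pre-ticked, because a
// pre-ticked checkbox does not count as a clear, affirmative action.
function defaultChoices() {
  const choices = {};
  for (const purpose of CONSENT_PURPOSES) choices[purpose] = false;
  return choices;
}

// Build a consent record from what the user actually did, or return null when the
// interaction is not valid consent (so the caller sets no non-essential cookies).
//   interaction = { action: "submit" | "dismiss" | "scroll",
//                   choices: { analytics: true, marketing: false },
//                   subjectId: "u-123" }
function buildConsentRecord(interaction, now = new Date()) {
  // Freely given and unambiguous: only an affirmative action counts.
  if (interaction.action !== "submit") return null;

  // Explicit and not bundled: each purpose is decided on its own; a purpose the
  // user did not tick is recorded as refused, never assumed.
  const purposes = {};
  for (const purpose of CONSENT_PURPOSES) {
    purposes[purpose] = Boolean(interaction.choices) && interaction.choices[purpose] === true;
  }

  // Recorded: who consented, to what, when, and which policy text they were shown.
  return {
    subjectId: interaction.subjectId,
    policyVersion: POLICY_VERSION,
    grantedAt: now.toISOString(),
    withdrawnAt: null,
    purposes,
  };
}

// Gate a purpose on the record: no record, a withdrawn record, or a record for an
// older policy version all mean "do not process" until the user is asked again.
function mayProcess(record, purpose) {
  if (!record || record.withdrawnAt !== null) return false;
  if (record.policyVersion !== POLICY_VERSION) return false;
  return record.purposes[purpose] === true;
}

// Right to withdraw consent: withdrawal is recorded rather than the record being
// deleted, so the history of what was consented to, and when, survives.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Constructed sample interactions
const dismissed = buildConsentRecord({ action: "dismiss", choices: {}, subjectId: "u-1" });
const submitted = buildConsentRecord(
  { action: "submit", choices: { analytics: true }, subjectId: "u-2" },
  new Date("2019-11-04T10:00:00Z")
);

console.log(defaultChoices());                                // { analytics: false, marketing: false }
console.log(dismissed);                                       // null: dismissing the banner is not consent
console.log(mayProcess(submitted, "analytics"));              // true
console.log(mayProcess(submitted, "marketing"));              // false: untouched box means refused
console.log(mayProcess(withdrawConsent(submitted), "analytics")); // false after withdrawal
```

The record is what you would persist per user to satisfy the "Recorded" condition; storing the policy version alongside it is what lets you know which users must be asked again when the policy text changes.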

Disclose and Uphold Consumer Rights

DPA 2018, like the GDPR, grants citizens certain rights that must be published in the Privacy Policy and, of course, upheld by the businesses that collect and process consumer data.

These consumer rights include:

  • Right to access - Data subjects must be given access to view, edit, or delete any personal data a company holds about them.
  • Right to information - Companies must divulge information as to what personal data is collected, processed, shared, or stored about any UK resident upon request.
  • Right to data portability - Consumer data must be available for electronic transfer to another entity upon request.
  • Right to rectification - The consumer may request or make changes to their personal data upon request.
  • Right to withdraw consent - Consent for data processing may be withdrawn at any time.
  • Right to object - A consumer may object to any type of data processing at any time.
  • Right to be forgotten - If a consumer requests erasure, the data controller must erase all records of their personal information in a timely manner.
  • Right to object to automated processing - Data subjects may object to the automated processing or profiling of their personal data.

Don't forget to list these rights in your Privacy Policy, as TransUnion UK does:

TransUnion UK Privacy Notice: User Rights clause

Make sure your users know what their rights are and how they can go about exercising them if they want to. This is a very important part of compliance.

Appoint a Data Protection Officer

Some businesses will be required to hire a Data Protection Officer (DPO). Find out more about when a DPO is required and how to formally and legally appoint one here.

Once you have determined if a DPO is necessary, list their contact details in your Privacy Policy. If your company doesn't need a DPO, contact details for the person or department in charge of privacy matters will need to be listed instead.

Here's how Mailchimp achieves this:

Mailchimp Privacy Policy: Questions and Concerns clause with contact information

Make it easy for your users to contact you if they have questions or wish to express concerns relating to your privacy practices. Even if you don't have a DPO, someone will have to handle these issues within your business.

Address Data Protection Risks and Breaches

Certain measures will need to be taken in situations of high risk to data security or data breaches. For new projects or business ventures that present a high risk to the privacy of individuals, a Data Protection Impact Assessment (DPIA) must be performed.

International Data Transfers

Another scenario that is considered high risk to data protection is an international data transfer.

If the personal information of UK consumers is transferred over international borders, the appropriate safeguards and processes must be implemented to ensure the security of the transfer.

Businesses who wish to perform these transfers must use certified transfer procedures, such as standard contract clauses or the Privacy Shield framework.

Your Privacy Policy should describe the processes your business uses to perform safe international data transfers. You can see an example of this type of statement from Facebook:

Facebook Data Policy: International data transfer clause

Be as clear as possible here about your practices and link to other useful and informative resources about the topic.

Data Breach Protocols

In the event of a data breach that affects UK data subjects, the Information Commissioner's Office must be informed within 72 hours. In most cases, the consumers that are affected by the breach will also need to be informed in a timely manner.

Ideally, your data protection team will formulate a data breach plan of action so that these processes are ready to implement quickly if the worst should occur.

Limit Data Collection and Retention

DPA 2018 lays out several important statutes regarding the limitation of data collection, processing, and retention.

  • Collect only the data that is absolutely necessary to the agreed-upon processing activities.
  • Do not process data for any other reasons beyond those activities that the data was collected for.
  • Once the data processing agreement has come to an end, unused consumer data should be erased or anonymized.
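The three limitation rules above are easiest to uphold when retention is enforced by a scheduled job rather than by hand. The following is an added example, not code from the original article: it walks a constructed set of customer records, keeps those whose purpose is still active or within its retention period, erases the rest, and anonymises (strips identifying fields from) records that only need to survive as aggregate statistics. The purposes, retention periods, field names and sample records are assumptions made for the example.

```javascript
// Added example (not from the original article): retention enforcement over
// constructed customer records. Purposes, periods and field names are assumed.

// Assumed retention periods in days, counted from when the purpose ended.
// A period of 0 means "erase as soon as the purpose is over".
const RETENTION_DAYS = { order_fulfilment: 30, marketing: 0 };
const DAY_MS = 24 * 60 * 60 * 1000;

// Fields that identify a person and are removed on anonymisation. A persistent
// customer id is included, because keeping it would leave the record pseudonymous
// rather than anonymous.
const IDENTIFYING_FIELDS = ["customerId", "name", "email", "address", "ip"];

// Decide what to do with one record: "keep", "anonymise" or "erase".
function retentionAction(record, now) {
  if (record.purposeEndedAt === null) return "keep";        // purpose still active
  const limit = RETENTION_DAYS[record.purpose];
  if (limit === undefined) return "erase";                    // unknown purpose: no basis to keep it
  const ageDays = (now - new Date(record.purposeEndedAt)) / DAY_MS;
  if (ageDays <= limit) return "keep";                        // still within the agreed period
  return record.keepAggregate ? "anonymise" : "erase";       // past it: only statistics may remain
}

// Drop every identifying field, leaving only aggregate-safe data (country, totals, dates).
function anonymise(record) {
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    if (!IDENTIFYING_FIELDS.includes(key)) out[key] = value;
  }
  return out;
}

// Apply the policy to a data set and return what survives.
function enforceRetention(records, now = new Date()) {
  const kept = [];
  for (const record of records) {
    const action = retentionAction(record, now);
    if (action === "keep") kept.push(record);
    else if (action === "anonymise") kept.push(anonymise(record));
    // "erase": the record is simply not carried over
  }
  return kept;
}

// Constructed sample records, evaluated as of 2019-11-04
const SAMPLE_RECORDS = [
  { customerId: "c-1", name: "A. Example", email: "a@example.invalid", country: "GB",
    orderTotal: 42.0, purpose: "order_fulfilment", purposeEndedAt: "2019-10-20", keepAggregate: true },  // 15 days: keep
  { customerId: "c-2", name: "B. Example", email: "b@example.invalid", country: "GB",
    orderTotal: 18.5, purpose: "order_fulfilment", purposeEndedAt: "2019-09-01", keepAggregate: true },  // 64 days: anonymise
  { customerId: "c-3", name: "C. Example", email: "c@example.invalid", country: "GB",
    purpose: "marketing", purposeEndedAt: "2019-11-03", keepAggregate: false },                          // consent ended: erase
  { customerId: "c-4", name: "D. Example", email: "d@example.invalid", country: "GB",
    purpose: "marketing", purposeEndedAt: null, keepAggregate: false },                                  // still active: keep
];

const AS_OF = new Date("2019-11-04T00:00:00Z");
console.log(enforceRetention(SAMPLE_RECORDS, AS_OF));
// c-1 kept intact, c-2 reduced to { country, orderTotal, purpose, ... }, c-3 gone, c-4 kept
```

The useful property is that the decision is made per purpose and per record from dates you already store, so the same routine can be run on a schedule and its output logged as evidence that the retention practices described in your Privacy Policy are actually carried out.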

Data retention processes must also be posted to the Privacy Policy, as the EASA has done here:

EASA Privacy Policy: Data Retention clause

Consider including contact information in this clause as the EASA has done. This makes it easy for your users to reach out if they have questions about your data retention, which is a common area of concern for privacy-conscious consumers.

Implement Privacy by Design

Data protection and security should be designed into all processes, systems, and frameworks that relate to consumer data. From collection methods to storage, data protection must be an integral part of the business infrastructure, by default and by design.

This applies to every business, whether brand new or long established. It used to be a best practice; the GDPR now requires it.

Following the above recommendations will help your online business handle UK consumer data safely while complying with the specific regulations laid out by the DPA. Even after the UK parts ways with the EU, the statutes laid out by DPA 2018 will still hold valid.