A Guide to the Data Protection Act 2018
Big changes are sweeping across the United Kingdom's political stage as the country prepares to withdraw from the EU. This leaves online companies who do business in or with the UK asking, "So does the General Data Protection Regulation (GDPR) apply to UK citizens or not?"
The Data Protection Act of 2018 is the UK's final answer to that question.
By adopting the statutes of the GDPR, the DPA passes EU privacy regulations into UK law. In this way, the UK ensures that its citizens will be protected by the same privacy regulations as EU citizens.
In fact, DPA 2018 is even more specific than the GDPR in some areas, expanding on state-specific provisions.
- 1. Data Protection Act 2018 Basics
- 2. Key Differences Between the GDPR and DPA 2018
- 3. How to Comply with DPA 2018
- 3.2. Disclose Your Legal Bases for Processing Personal Information
- 3.2.1. Consent
- 3.3. Disclose and Uphold Consumer Rights
- 3.4. Appoint a Data Protection Officer
- 3.5. Address Data Protection Risks and Breaches
- 3.5.1. International Data Transfers
- 3.5.2. Data Breach Protocols
- 3.6. Limit Data Collection and Retention
- 3.7. Implement Privacy by Design
Data Protection Act 2018 Basics
DPA 2018 replaces the previous UK regulation, DPA 1998. It was passed with three main intentions:
- To pass the tenets of the GDPR into UK law so that the same stipulations that protect citizens of the EU will also protect citizens of the UK, even after they officially withdraw from the EU
- To specify the UK's position on sections of the GDPR that are left up to each member state to decide
- To elaborate on local privacy issues that are beyond the scope of the GDPR, such as law enforcement and intelligence affairs
DPA 2018 applies to any business that collects personal information from UK residents and, first and foremost, it adopts the major tenets of the GDPR, such as:
- Full Transparency - Any business that collects personal information from UK residents must be open and honest about how and why they collect the data, as well as how the information is used and shared. Risks to personal information and data breaches must be communicated to authorities and data subjects in a timely manner.
- Legal Basis and Consent - In order to collect, process, or store consumer data, businesses must identify and publish their legal basis for processing the data. If the legal basis is consumer consent, that consent must be obtained in a legal and valid manner.
- Data Limitation - Businesses may only collect the data necessary to fulfill specific processing purposes and may only use personal data to fulfill those purposes that the consumer agreed to. Furthermore, once the purposes for data processing have been fulfilled, personal data that is no longer used or needed must be erased.
- Privacy by Design - All data processing activities, tools, and infrastructure must be designed with consumer privacy and data security as a priority. Data security should be integrated into every process by default and by design.
- Data Protection Measures - Additional protection measures must be taken in situations that present a high risk to data security. Data Protection Impact Assessments will be required before high-risk projects may be carried out, and international data transfers may not be performed without the approved safeguards.
- Personnel - All employees who handle consumer data must be trained in DPA requirements. Data Protection Officers and/or UK representatives may also need to be employed by some companies.
Key Differences Between the GDPR and DPA 2018
Even though the DPA performs the function of passing GDPR requirements into UK law, there are some differences between the two. The DPA elaborates on some areas that the GDPR leaves up to local interpretation, for one thing, and it also clarifies privacy matters that are not covered by the GDPR.
These are some of the key differences between DPA 2018 and the GDPR.
- The DPA further specifies fines and criminal repercussions for privacy law infringements, such as unlimited fines for individuals who illegally re-identify consumer data that was previously anonymized for data protection purposes.
- The UK designates the age of consent at 13, whereas the GDPR leaves the option open for member states to define the age of consent anywhere between 13 and 16 years old.
- Areas that are not covered by the GDPR, such as data processing for law enforcement, national security, and immigration, are covered by the DPA.
- The DPA clarifies some terms and definitions, elaborating on GDPR definitions of personal identifiers, public bodies, controllers, processors, and so on.
- The GDPR states that data subjects may object to any automated processing or profiling of personal data while the DPA allows for automated processing and profiling if there are legitimate grounds for doing so.
- The DPA allows for some consumer privacy rights to be waived when data processing is necessary for approved scientific, historical, or statistical purposes. The GDPR does not.
- In the UK, some exemptions exist for data processing that is carried out for the greater public interest.
It is evident that there are a few rare cases in which DPA statutes may contradict those of the GDPR. The natural question is, which will be applied to your business activities? The short answer is that, at the moment, the GDPR takes precedence over the DPA for businesses collecting personal information from UK citizens.
When the UK leaves the European Union, however, the DPA will be the primary privacy regulation that applies to UK residents.
How to Comply with DPA 2018
Since the UK will most likely be withdrawing from the European Union before 2020, companies that collect personal data from UK consumers would be well-advised to comply with DPA 2018 as soon as possible.
Below we've listed the basic requirements set forth by DPA 2018 for businesses that collect personal information from UK residents.
- Detailed descriptions of which types of personal information you collect, your methods for collecting that data, how it is used, and with whom it is shared
- Which legal bases justify your collection of personal data
- A description of your data retention practices
- The rights of UK residents in regard to their own personal data, as well as how those residents may request or exercise those rights
- The methods used to perform and safeguard international data transfers
- Contact information for the company Data Protection Officer, or the department that handles privacy matters in the absence of a DPO
Disclose Your Legal Bases for Processing Personal Information
Different types of businesses will need to use different types of legal bases for collecting and processing consumer data. These are the six possible legal bases for processing UK consumer data:
- Fulfillment of a contract
- Consumer consent
- Public interest or vested authority
- Protection of an individual's vital interest
- Legal obligation
- To fulfill the legitimate interest of an individual without intruding upon individual rights and freedoms
Most online businesses will fall under contract, legitimate interest, or consent. If you're not sure which applies to your business practices, it might be a good idea to seek advice from a legal expert or data protection expert.
If user consent is one of your legal bases, you will need to make sure your practices for obtaining consent are considered valid by the DPA. This means that consent collection methods must be:
- Unambiguous - Consent forms must be simple, clear, and easy to understand.
- Explicit - Consent must never be assumed or bundled in with other offers or items.
- Informed - Users should be informed fully as to what they are consenting to.
- Freely given - Consent must be given via a clear, affirmative action, such as by ticking a checkbox or clicking a button. Pre-ticked checkboxes will not be considered valid.
- Recorded - You must keep records of consent for each consumer you collect information from.
Mailchimp's consent form is a good example of these conditions in practice.
When it comes to consent on contact forms or signup forms, the same conditions of consent will be required.
This signup form on the Starbucks website exhibits explicit and freely given consent:
As you can see, Starbucks invites new members to consent to receive email marketing messages and to agree with the Terms and Conditions before creating an account. The checkboxes are not pre-ticked, so the user has to perform a clear, affirmative action in order to provide consent.
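The conditions above also apply to how consent is recorded and later withdrawn. The following is an added example, not code from the original article or from Mailchimp or Starbucks: a small in-memory consent store (the `ConsentStore` class, its method names and the purpose strings are all assumptions) that refuses a pre-ticked or bundled submission, records which policy version the user saw, and keeps the history when consent is withdrawn.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


class InvalidConsent(ValueError):
    """Raised when a consent submission does not meet the validity conditions."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                      # one specific purpose, never a bundle
    policy_version: str               # which notice the user was shown (informed)
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentStore:
    """Assumed design: append-only list of records, one per consent event."""

    def __init__(self):
        self._records = []

    def record(self, subject_id, purpose, policy_version, *,
               default_checked, user_ticked, bundled_purposes=()):
        # Freely given: a pre-ticked box is not a clear, affirmative action.
        if default_checked:
            raise InvalidConsent("checkbox was pre-ticked")
        if not user_ticked:
            raise InvalidConsent("no affirmative action by the user")
        # Explicit: consent for one purpose cannot be bundled with other items.
        if bundled_purposes:
            raise InvalidConsent(f"consent bundled with {list(bundled_purposes)}")
        # Informed: we must be able to show which text the user agreed to.
        if not policy_version:
            raise InvalidConsent("policy version missing")
        rec = ConsentRecord(subject_id, purpose, policy_version,
                            datetime.now(timezone.utc))
        self._records.append(rec)          # Recorded: evidence per consumer
        return rec

    def withdraw(self, subject_id, purpose):
        # Right to withdraw: close active records, keep them as evidence.
        now = datetime.now(timezone.utc)
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.active:
                rec.withdrawn_at = now

    def has_consent(self, subject_id, purpose) -> bool:
        return any(r.subject_id == subject_id and r.purpose == purpose and r.active
                   for r in self._records)
```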
Disclose and Uphold Consumer Rights
These consumer rights include:
- Right to access - Data subjects must be given access to view, edit, or delete any personal data a company holds about them.
- Right to information - Companies must divulge information as to what personal data is collected, processed, shared, or stored about any UK resident upon request.
- Right to data portability - Consumer data must be available for electronic transfer to another entity upon request.
- Right to rectification - The consumer may request or make changes to their personal data upon request.
- Right to withdraw consent - Consent for data processing may be withdrawn at any time.
- Right to object - A consumer may object to any type of data processing at any time.
- Right to be forgotten - If a consumer requests erasure, the data controller must erase all records of their personal information in a timely manner.
- Right to object to automated processing - Data subjects may object to the automated processing or profiling of their personal data.
Make sure your users know what their rights are and how they can go about exerting them if they want to. This is a very important part of compliance.
Appoint a Data Protection Officer
Some businesses will be required to hire a Data Protection Officer (DPO). Find out more about when a DPO is required and how to formally and legally appoint one here.
Mailchimp's privacy policy, for instance, provides this contact information directly.
Make it easy for your users to contact you if they have questions or wish to express concerns relating to your privacy practices. Even if you don't have a DPO, someone will have to handle these issues within your business.
Address Data Protection Risks and Breaches
Certain measures will need to be taken in situations of high risk to data security or data breaches. For new projects or business ventures that present a high risk to the privacy of individuals, a Data Protection Impact Assessment (DPIA) must be performed.
International Data Transfers
Another scenario that is considered high risk to data protection is an international data transfer.
If the personal information of UK consumers is transferred over international borders, the appropriate safeguards and processes must be implemented to ensure the security of the transfer.
Businesses who wish to perform these transfers must use certified transfer procedures, such as standard contractual clauses or the Privacy Shield framework.
Be as clear as possible here about your practices and link to other useful and informative resources about the topic.
Data Breach Protocols
In the event of a data breach that affects UK data subjects, the Information Commissioner's Office must be informed within 72 hours. In most cases, the consumers that are affected by the breach will also need to be informed in a timely manner.
Ideally, your data protection team will formulate a data breach plan of action so that these processes are ready to implement quickly if the worst should occur.
Limit Data Collection and Retention
DPA 2018 lays out several important statutes regarding the limitation of data collection, processing, and retention.
- Collect only the data that is absolutely necessary to the agreed-upon processing activities.
- Do not process data for any other reasons beyond those activities that the data was collected for.
- Once the data processing agreement has come to an end, unused consumer data should be erased or anonymized.
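As an added example (not code from the article), the three statutes above can be enforced mechanically: a purpose table lists the fields each purpose justifies, collection rejects anything extra, and a retention sweep erases records whose purpose has ended, keeping at most an anonymised summary that contains no identifier. The `PURPOSES` table, its retention periods and the field names are constructed assumptions, not values from the Act.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy table (assumed values): which fields each purpose may
# collect, how long data may be kept after the purpose ends, and which
# non-identifying fields may survive as anonymised statistics.
PURPOSES = {
    "order_fulfilment": {
        "fields": {"name", "email", "postal_address", "country", "order_total"},
        "keep_after_end": timedelta(days=180),   # e.g. returns window
        "statistics": {"country", "order_total"},
    },
    "email_marketing": {
        "fields": {"email"},
        "keep_after_end": timedelta(0),          # erase on withdrawal
        "statistics": set(),
    },
}


def collect(purpose, submitted, now):
    """Store only the fields the purpose justifies; refuse anything extra."""
    policy = PURPOSES[purpose]
    extra = set(submitted) - policy["fields"]
    if extra:
        raise ValueError(f"{purpose} does not justify collecting {sorted(extra)}")
    return {"purpose": purpose, "data": dict(submitted),
            "collected_at": now, "purpose_ended_at": None}


def end_purpose(record, now):
    """Mark the purpose as fulfilled (contract complete, consent withdrawn)."""
    record["purpose_ended_at"] = now


def retention_sweep(records, now):
    """Drop records past their retention window. Where the policy allows
    statistics, keep only the listed non-identifying fields (no id, key or
    hash that could link the summary back to a person)."""
    kept, summaries = [], []
    for rec in records:
        policy = PURPOSES[rec["purpose"]]
        ended = rec["purpose_ended_at"]
        if ended is None or now - ended < policy["keep_after_end"]:
            kept.append(rec)
            continue
        if policy["statistics"]:
            summaries.append({k: v for k, v in rec["data"].items()
                              if k in policy["statistics"]})
    return kept, summaries
```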
Consider including contact information in this clause, as the EASA has done. This makes it easy for your users to reach out if they have questions about your data retention, which is a common area of concern for privacy-conscious consumers.
Implement Privacy by Design
Data protection and security should be designed into all processes, systems, and frameworks that relate to consumer data. From collection methods to storage, data protection must be an integral part of the business infrastructure, by default and by design.
Read more about this topic, whether you're a brand new business or long established. It applies to every business. It used to be a best practice, but the GDPR now requires it.
Following the above recommendations will help your online business handle UK consumer data safely while complying with the specific regulations laid out by the DPA. Even after the UK parts ways with the EU, the statutes laid out by DPA 2018 will still hold valid.