Updated July 8, 2020.
The Data Protection Act 2018 (DPA ACT) is a domestic law governing the use of personal data and the flow of information in the United Kingdom.
Brexit happened on January 31, 2020 and a new and amended Data Protection Act has taken effect.
In this article, we dive into the Data Protection Act 2018 – what does the law say and how has it changed after Brexit?
So, the UK left the EU on January 31, 2020. This means changes to the legal landscape of data protection in the United Kingdom.
The Data Protection Act 2018 was actually passed in April 2016 and took effect (received Royal Assent) on May 25, 2018 – the same day as the European General Data Protection Regulation (GDPR) went into effect.
This is no coincidence.
The UK Data Protection Act was passed before the Brexit referendum later that summer and is in fact constructed around and meant to be read in conjunction with the EU GDPR, that has uniform authority over all member states.
However, the UK has now effectively left the EU (Brexit happened on January 31, 2020) and this has an impact on the future of data protection law in the UK.
Try Cookiebot free for 30 days... or forever if you have a small website.
Here are the overall changes to UK law after Exit Day –
The UK has been protected and regulated by the European GDPR since May 2018, but now that the country has left the EU, it has its own, equivalent set of data protection legislation.
The transition period that took effect on January 31, 2020 will run until December 31, 2020 – unless extended or absolved on account of new deals agreed upon between the UK and EU.
In the transition period, the UK will technically be governed by both the new UK-GDPR, the Data Protection Act 2018 and the European GDPR that applies until the end of the transition phase.
Cookiebot is a leading consent management provider built specifically for the strong GDPR provisions of personal data protection.
Cookiebot’s standard consent banner for compliance with EU's GDPR and UK's Data Protection Act.
Cookiebot scans your website and finds all cookies and similar tracking technologies, then blocks them all apart from the strictly necessary until the user has given their consent as to which they want to activate.
This way, you can ensure that your website is in compliance with the requirements of obtaining prior consent from individuals, before collecting or processing their personal data.
Under the new UK-GDPR and the amended UK Data Protection Act, users in the United Kingdom will have the same rights as users in the EU, and websites, companies and organizations who collect or process data of users in the UK will have to comply by the same requirements as those set out by the EU GDPR.
Protecting users in the UK after Brexit requires the same insight, transparency and control of what happens on your website as before.
This is what Cookiebot does best.
The Data Protection Act 2018 is the UK’s third generation of data protection legislation. It replaces the previous 1998 law by the same name and modernizes the country’s legal framework in response to new technologies.
Brexit means an amended Data Protection Act 2018 in the UK.
The Data Protection Act 2018 contains four parts that create four different “data protection regimes” within the UK:
The general processing regime found in Part 2, Chapter 2 of the Data Protection Act appropriates and supplements the EU GDPR.
Most of the processing of personal data is subject to the EU GDPR, and so the Data Protection Act refers to the GDPR’s most central provisions for the protection of personal data.
These include –
The Data Protection Act 2018 also adopts the central definitions of the EU GDPR, such as:
However, the Data Protection Act 2018 makes certain provisions to the processing of personal data that goes beyond the EU’s GDPR, as well as extensions into areas not covered by the EU GDPR.
These are mostly found in the area of national security, law enforcement and immigration.
In the area of national security, which lies outside the scope of the EU GDPR, the Data Protection Act applies the same requirements for personal data processing to the UK intelligence services.
In the area of immigration, the Data Protection Act grants the UK Home Office the power to refuse personal data access requests based on the risk it could pose to immigration enforcement.
In addition, the Data Protection Act frames the role – jurisdiction, function and powers – of the Information Commissioner (ICO) as the leading data protection authority (DPA) in the UK.
Now that Brexit has happened, several legal changes has taken effect in the area of data protection.
The EU Withdrawal Agreement that took effect on Exit Day specifies that the UK “shall ensure a level of protection of personal data essentially equivalent to that under Union law” (Article 71).
This is important because of Article 45 in the European GDPR, which requires countries that are not part of the EU to have an adequate level of domestic data protection laws in order to ensure a free flow of information to and from the EU.
To avoid interruptions in the flow of data, UK data protection law must ensure EU-equivalent levels.
If the UK is without an adequacy decision from the EU when the transition period ends, the UK will technically be ranked as a third country.
This will mean that the EU, according to its GDPR, will deem the UK unsafe for European personal data to be sent to.
The UK will ensure its adequacy status by amending the Data Protection Act 2018 and the European GDPR, introducing it into UK law.
This new law is called UK-GDPR (United Kingdom General Data Protection Regulation) and will be read in conjunction with the newly amended Data Protection Act 2018 (DPA 2018).
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC Regulations) is the statutory instrument amending both the GDPR (turning it into the new UK-GDPR) and the Data Protection Act 2018.
The most important amendments to the Data Protection Act include:
New data protection laws in the UK took effect on Exit Day January 31, 2020.
These DPPEC Regulations can be viewed in the following Keeling Schedules showing the changes that took effect on Exit Day (January 31, 2020).
The Data Protection Act 2018 is the UK’s third generation of data protection laws. The Data Protection Act was passed in 2016 and took effect on May 25, 2018 – the same day as the EU’s General Data Protection Regulation (GDPR). The DPA 2018 was meant to be read in conjunction with the EU’s GDPR, but was amended in 2019 because of Brexit.
Brexit means overall changes to UK data privacy law. The EU’s GDPR has been amended into a new UK-GDPR that the amended Data Protection Act 2018 now must be read in conjunction with. The EU’s GDPR will apply to the UK for the remainder of the transition period (until December 31, 2020).
The UK-GDPR is the United Kingdom’s domestic General Data Protection Regulation that will replace its European equivalent when the country finally and formally leaves the bloc by the end of the transition phase. The UK-GDPR mirrors the GDPR in its substance and scope.
Your website must ask for and obtain the consent of users before processing their personal data. If your website uses third-party cookies, you need to implement a consent management solution that ensures that these cookies and trackers are not activated to process personal data before users have given their explicit consent to do so.