Data Protection Act 2018 (DPA2018)

The Data Protection Act 2018 (DPA2018) is a domestic law governing the use of personal data and the flow of information in the United Kingdom.

After the UK leaves EU on Exit Day January 31, 2020, a new and amended DPA2018 will take effect.

In this article, we will dive into the Data Protection Act 2018 (DPA2018) – what does the law say now and how will it change after Brexit?

Data Protection Act 2018 - 2020 Update

So, the UK is leaving the EU on January 31, 2020. This means changes to the legal landscape of data protection in the United Kingdom.

The Data Protection Act 2018 was actually passed in April 2016 and took effect (received Royal Assent) on May 25, 2018 – the same day as the European General Data Protection Regulation (GDPR) went into effect.

This is no coincidence.

The DPA2018 was passed before the Brexit referendum later that summer and is in fact constructed around and meant to be read in conjunction with the EU GDPR, that has uniform authority over all member states.

As long as the UK is an EU member state, the GDPR applies in-country. However, the UK is leaving the EU on January 31, 2020 and this will have an impact on the future of data protection law in the UK.

Data protection law in the UK after Brexit 2020

Here are the overall changes to UK law after Exit Day –

The EU’s GDPR is being amended into a new “UK-GDPR” (United Kingdom General Data Protection Regulation) that will take effect on January 31, 2020.
The Data Protection Act 2018 is being amended to be read in conjunction with the new UK-GDPR instead of the EU GDPR.
The European GDPR will apply to the UK in the transition period lasting from January 31, 2020 until December 31, 2020 (unless further extensions are agreed upon between the UK and EU).
It is likely that the UK government will move to consolidate the two amended laws (UK-GDPR and DPA2018) into one, comprehensive piece of data protection law at a later point.

Data Protection Act 2018 summary

The Data Protection Act 2018 (DPA2018) is the UK’s third generation of data protection legislation. It replaces the previous 1998 law by the same name and modernizes the country’s legal framework in response to new technologies.

Data Protection Act 2018 is being amended due to Brexit

Brexit means an amended Data Protection Act 2018 in the UK.

The Data Protection Act 2018 contains four parts that create four different “data protection regimes” within the UK:

Part one is structured around the European GDPR, supplementing and tailoring it into domestic UK law.
Part two extends beyond the EU GDPR and modifies it in certain cases to apply differently to UK law.
Part three creates a new and separate regime for law enforcement authorities.
Part four creates a new and separate regime for the UK’s intelligence services.

The general processing regime found in Part 2, Chapter 2 of the DPA2018 appropriates and supplements the EU GDPR.

Most of the processing of personal data is subject to the EU GDPR, and so the DPA2018 refers to the GDPR’s most central provisions for the protection of personal data.

These include –

Requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified legal basis.
Conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified.
Conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.

The DPA2018 also adopts the central definitions of the EU GDPR, such as:

Personal data meaning “any information relating to an identified or identifiable living individual.”
Processing meaning “an operation or set of operations which is performed on information,” such as collection, recording, storage, disclosure, combination etc.
Data subject meaning “living individual to whom personal data relates.”
Controller and processor meaning the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Where the DPA extends beyond the EU GDPR

However, the Data Protection Act 2018 makes certain provisions to the processing of personal data that goes beyond the EU’s GDPR, as well as extensions into areas not covered by the EU GDPR.

These are mostly found in the area of national security, law enforcement and immigration.

In the area of national security, which lies outside the scope of the EU GDPR, the DPA2018 applies the same requirements for personal data processing to the UK intelligence services.

In the area of immigration, the DPA2018 grants the UK Home Office the power to refuse personal data access requests based on the risk it could pose to immigration enforcement.

In addition, the DPA2018 frames the role – jurisdiction, function and powers – of the Information Commissioner (ICO) as the leading data protection authority (DPA) in the UK.

Read the Data Protection Act 2018 law text here (pdf).

The new and amended DPA2018

When the UK leaves the EU on January 31, 2020, several legal changes will take effect in the area of data protection.

The EU Withdrawal Agreement that takes effect on Exit Day specifies that the UK “shall ensure a level of protection of personal data essentially equivalent to that under Union law” (Article 71).

This is important because of Article 45 in the European GDPR, which requires countries that are not part of the EU to have an adequate level of domestic data protection laws in order to ensure a free flow of information to and from the EU.

Data Protection Act 2018 changes with Brexit.

To avoid interruptions in the flow of data, UK data protection law must ensure EU-equivalent levels.

If the UK is without an adequacy decision from the EU when the transition period ends, the UK will technically be ranked as a third country.

This will mean that the EU, according to its GDPR, will deem the UK unsafe for European personal data to be sent to.

The UK will ensure its adequacy status by amending the DPA2018 and the European GDPR, introducing it into UK law.

New DPA2018 and a new GDPR

This new law will be called UK-GDPR (United Kingdom General Data Protection Regulation) and must be read in conjunction with the newly amended Data Protection Act 2018 (DPA 2018).

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC Regulations) is the statutory instrument amending both the GDPR (turning it into the new UK-GDPR) and the Data Protection Act 2018.

Read the DPPEC regulations here.

Important amendments to the Data Protection Act 2018

The most important amendments to the DPA2018 include:

The first two parts of the DPA2018 that are currently referring to the EU GDPR will be amended and refer to the new UK-GDPR instead.
All places in the DPA2018 where the law refers to EU legislation and institutions are changed to the UK equivalents.
The Information Commissioner becomes the lead enforcer of the DPA2018 and the UK-GDPR instead of the lead supervisor in the EU of the European GDPR.
The DPA2018 deems all EAA/EU countries (including Gibraltar) as adequate.
The DPA2018 also integrates all EU adequacy decisions made prior to Brexit, e.g. the US Privacy Shield program.

Data Protection Act 2018 is being revised on Exit Day January 31, 2020.

New data protection laws in the UK will become effective on Exit Day January 31, 2020.

These DPPEC Regulations can be viewed in the following Keeling Schedules showing changes which will take effect on Exit Day (January 31, 2020).

Keeling Schedule for the amendments to the Data Protection Act 2018.

Keeling Schedule for the creation of the new UK-GDPR.

Cookiebot and UK compliance

The UK has been protected and regulated by the European GDPR since May 2018, but once the country leaves the bloc on January 31, 2020, it will have its own, equivalent set of data protection legislation.

The transition period that begins January 31 will run until December 31, 2020 – unless extended or absolved on account of new deals agreed upon between the UK and EU.

In this period, the UK will technically be governed by both the new UK-GDPR, the Data Protection Act 2018 and the European GDPR that applies until the end of the transition phase.

Cookiebot is a leading consent management provider built specifically for the strong GDPR provisions of personal data protection.

Cookiebot’s GDPR compliant consent banner, unfolded for a detailed view of cookies and trackers.

Cookiebot scans your website and finds all cookies and similar tracking technologies, then blocks them all apart from the strictly necessary until the user has given their consent as to which they want to activate.

This way, you can ensure that your website is in compliance with the requirements of obtaining prior consent from individuals, before collecting or processing their personal data.

Under the new UK-GDPR and the amended DPA2018, users in the United Kingdom will have the same rights as users in the EU, and websites, companies and organizations who collect or process data of users in the UK will have to comply by the same requirements as those set out by the EU GDPR.

Protecting users in the UK after Brexit requires the same insight, transparency and control of what happens on your website as before.

This is what Cookiebot does best.

Try Cookiebot for free today to ensure EU and UK GDPR compliance.

Resources

What is the GDPR?

The new and amended Data Protection Act 2018 (DPA2018) (Keeling Schedule)

The new UK-GDPR (Keeling Schedule)

Information Commissioner’s Office (ICO), the lead enforcer of DPA in UK

The ICO’s introduction to DPA2018