The UK Data Protection Act
The United Kingdom (UK) Data Protection Act (DPA) sets out rules for how your personal information can be used by organisations, businesses or the government.
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
The DPA 2018, which came into effect on 25 May 2018, updates and replaces the Data Protection Act 1998. Post Brexit, the act was further amended in January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU.
The Data Protection Act 1998
The Data Protection Act 1998 was a UK Act of Parliament designed to protect personal data stored on computers or in organised paper filing systems. It replaced the Data Protection Act 1984, which covered only data processed automatically by computer; the 1998 Act extended protection to structured manual records as well.
The 1998 Act, which enacted provisions from the EU Data Protection Directive 1995, was based on 8 principles that were used by organisations to design their own data protection policies. The eight principles related to the protection, processing, and movement of data, and mostly did not apply to domestic use. The eight guiding principles of the act were as follows:
- Principle 1 – Fair and Lawful
- Principle 2 – Purposes
- Principle 3 – Adequacy
- Principle 4 – Accuracy
- Principle 5 – Retention
- Principle 6 – Rights
- Principle 7 – Security
- Principle 8 – International transfers
Data Protection (Amendment) Act 2003
The Data Protection (Amendment) Act 2003 is a statute of the Republic of Ireland, not of the UK: it amended the Irish Data Protection Act 1988 to implement the European Data Protection Directive 95/46/EC, the same Directive that the UK enacted through the Data Protection Act 1998. In both jurisdictions, these Acts regulated how employers collect, store and use personal data about their employees (past, prospective and current). The Acts required anyone responsible for holding or using data to follow the ‘data protection principles’: the information they collect must be used fairly and lawfully, for limited and specifically stated purposes, in a way that is adequate, relevant and not excessive, kept accurate, handled according to people’s data protection rights, and kept safe and secure.
What is the Data Protection Act 2018?
The Data Protection Act 2018 is a United Kingdom Act of Parliament that replaced the Data Protection Act 1998. The 2018 Act served to update data protection laws in the UK, and it is the UK’s implementation of the EU’s General Data Protection Regulation (GDPR). The Act sets out rules for the processing of personal data, and implements the parts of GDPR that “are to be determined by member state law” and sets out its own similar framework for the processing of personal data that is not subject to GDPR, such as intelligence services processing, immigration services processing, and the processing of personal data held in unstructured form by public authorities.
The main differences between the 2018 Act and the 1998 Act are the right to erasure (often called the ‘right to be forgotten’), under which an organisation must delete an individual’s personal data on request in certain circumstances, grounded in the individual’s right to privacy; a new set of exemptions from the data protection rules; and the fact that the 2018 Act works in tandem with GDPR rather than standing alone.
Changes to Data Protection Under GDPR
Data protection law in the UK was, until May 2018, based on the 1998 Data Protection Act. With continued changes in technology, 20 years on that law looked outdated and not relevant to the data protection concerns we face today. From 25 May 2018, the General Data Protection Regulation (GDPR), together with the Data Protection Act 2018, replaced the 1998 Act and imposed many new responsibilities and sanctions on organisations. Despite all the noise around GDPR, the eight principles of data protection laid out in the 1998 Data Protection Act remain relevant, with changes to some of the key principles. Below is an overview of the eight principles of data protection, with guidance on the changes and what they could mean for your business.
Editor’s note: the eight principles of data protection have now been amended to become the six processing principles of GDPR (Article 5(1)), backed by the accountability principle in Article 5(2).
The Eight Principles of Data Protection
1. Fair and lawful
Your organisation must have legitimate grounds for collecting the data and it must not have a negative effect on the person or be used in a way they wouldn’t expect. Organisations are required to provide full transparency about how they wish to use the data, as well as ensure their data is only used in ways customers would expect. Detailing precisely what a consumer’s information is being used for allows them to make an informed decision as to whether to share certain pieces of personal information.
Changes under GDPR
Under GDPR, personal data relating to criminal convictions and offences may only be processed under official authority or where authorised by law (Article 10), so conducting criminal record checks on employees must be justified on that basis. For example, a school is far more likely to be permitted to carry out such checks on its teachers than a restaurant hiring kitchen staff.