What is the Data Protection Act 2018 and what does it do?

Operating a business in a world that is driven by data usage and technological advances means that protecting personal data has never been more important. With a potential maximum fine of £17.5 million or 4% of your business’s annual turnover, the cost of failing to protect such data is greater than ever.

What is the Data Protection Act 2018 and what happened to the GDPR?

The General Data Protection Regulation (GDPR) introduced by the European Union in 2016 has formed the basis of privacy law across the EU and the EEA.

As a member state of the EU, Britain was required to implement the GDPR into domestic law in 2018, also introducing the Data Protection Act 2018 (DPA), which updated its predecessor, the Data Protection Act 1998.

Following the end of the Brexit transition period, the GDPR was retained in UK law by introducing the UK GDPR, which will be used in conjunction with the DPA.

Enough acronyms! What does the DPA actually do?

In short, the DPA controls how organisations, businesses and/or the UK government use an individual's personal information.

The DPA requires those processing personal data to follow strict principles whereby the data is:

1. Used fairly, lawfully and transparently
2. Used for specific purposes
3. Used in a way that is relevant and limited to only what is necessary
4. Accurate and, where necessary, kept up to date
5. Kept for no longer than is necessary

Handled securely in a way that ensures protection against unlawful or unauthorised processing, access, loss, destruction, or damage.

In addition, there are stricter rules around more sensitive data, which are known as “special categories” of data, including race, ethnicity, political opinions, religious beliefs, trade union membership, genetics, biometrics, health, and sexual orientation.

What does the DPA mean for your business? 

Processing personal data is necessary for almost all businesses, whether large-scale companies or sole traders. Your business has a legal obligation to process personal data in accordance with the principles referred to above.

Whilst your business can benefit from processing personal data, equally, the DPA provides individuals with certain rights to find out what your business uses its data for and how it stores it. The individual (known as the “data subject”) has the right to:

1. Be informed about how their data is being used
2. Access their personal data
3. Have their data erased
4. Stop or restrict the processing of their data
5. Retrieve their data and reuse it for different services
6. Object to how their data is processed in certain circumstances

Data subjects can enforce their rights above by making a “data subject access request”, which your business must respond to within one month.

What if your business does not comply with the DPA?

Failing to comply with the DPA can have serious consequences.

Data subjects who have made an access request and are dissatisfied with your business’ response and how it has been processing their data have the right to complain to both you and, if necessary, the Information Commissioner’s Office (ICO).

Whilst the ICO cannot punish an organisation for breaching the DPA (it can only enforce fines in the most serious cases), it can offer advice to your business if it feels you have not fulfilled your obligations.

However, data subjects can enforce their rights through the courts and seek damages for breach of your business’ statutory obligations, which can be costly in terms of litigation and/or settlement.

In addition, in the age of social media, where personal data is an invaluable asset, the PR consequences of a data breach or unlawful data processing could be significantly damaging to your business’ reputation.

Is your business DPA compliant?

For more information on what the DPA principles mean for your business in practice, or if you are unsure whether your business is DPA compliant, contact Alex Craig at [email protected] or on 0191 211 7911.