The Business Owner's Guide to the Data Protection Act 2018

Written by John Lister (legal writer) and last updated on 06 April 2020.

If you operate in the United Kingdom or handle the data of UK citizens, you must follow the Data Protection Act 2018 (DPA).

It works alongside the GDPR that applies across the European Union and includes some UK-specific measures and clarifications. Some of these points are particularly relevant to businesses, so you'll need to be familiar with them.


The Data Protection Act 2018 is a United Kingdom law that updates (and replaces) the Data Protection Act 1998. The main reason for the update was to reflect the European Union's General Data Protection Regulation, which also took effect in 2018.

It's easy to get confused about how European Union law works with national (domestic) laws. These are the key points you need to know:

  • Rules passed by the European Union fall into two main categories: Directives and Regulations.
  • Directives are a set of agreed aims which each EU country must achieve by writing and passing domestic legislation.
  • By contrast, regulations have immediate legal effect across the EU. Countries can pass domestic legislation that clarifies how the regulation will work in their country. For example, existing domestic law may already go beyond some measures in the regulation. In some cases, the domestic legislation may cover exceptions to the regulation.
  • The Data Protection Act 2018 is the UK law that provides this clarification. It works alongside the GDPR rather than replacing it.

Do the GDPR and DPA 2018 Affect Me?

You are subject to the GDPR in any of three cases:

  • Your organization is located in the EU
  • You offer goods or services in the EU
  • You collect, hold or process personal data about somebody in the EU

Note that it doesn't matter where you physically store or process the data.

You can be affected by the GDPR in two ways.

  • If you collect, hold or process the data, you are classed as a processor. You are legally responsible for following the GDPR.
  • If somebody else collects, holds or processes the data but you decide what they do, you are classed as a controller. You are legally responsible for making sure the processor follows the GDPR.

You could also be subject to the Data Protection Act 2018 if:

  • Your organization is located in the United Kingdom
  • You collect, hold or process personal data about somebody in the United Kingdom
  • You physically collect, hold or store personal data in the United Kingdom

This data protection notice from National Records of Scotland informs users that both laws apply to their activity:

National Records of Scotland: Data Protection notice

What About Brexit?

If and when the United Kingdom stops being a member of the European Union, both the Data Protection Act 2018 and the GDPR will continue to have legal force:

  • The Data Protection Act 2018 will be unaffected as it is a domestic law
  • The GDPR will continue to have force in the UK because of the European Union (Withdrawal) Act 2018. This is a UK domestic law that effectively means EU regulations will automatically be turned into UK laws when the UK leaves the EU.

It is possible that after leaving the EU, the UK government and parliament will decide to repeal, amend or replace the GDPR. However, there's no indication at the moment of any plans to do so.

GDPR Summary

Before exploring the Data Protection Act 2018, it's worth recapping the main measures in the GDPR. In short, you need to make sure you respect the eight rights that the GDPR gives individuals regarding their personal data, namely:

  • To know you have collected data about them
  • To access the data
  • To correct the data if it's wrong
  • To remove the data if it's no longer necessary
  • To restrict data processing to a particular use
  • To take their data elsewhere (for example, making it easier to switch from one online service to another)
  • To give or withhold consent for collecting and processing data
  • To limit the ways in which you can use data for automated decision-making and profiling

Some of the key things you need to do to comply with the GDPR are:

  • Only collect data for one of six specific, legally allowed reasons (known as legal bases):
    • The individual gave consent for a specific purpose. (This should be the most common reason for a business.)
    • You have to do so under a contract with the individual.
    • You're legally required to do so.
    • You must do so to protect someone's life.
    • You must do so in the public interest.
    • Doing so is necessary in your "legitimate interests" and won't override the individual's rights.
  • Only use data for the specified purpose and delete it when you no longer need it.
  • Have clear processes for complying with the GDPR, including having specific staff members responsible for data handling.
  • Publish a Privacy Policy explaining how and why you collect and use data and how individuals can exercise their rights under the GDPR.
  • Get clear, active consent from users before collecting data.

Farewill's Privacy Policy combines several key points including the company's legal basis for collecting data, how the data is used, and how users can withdraw consent:

Farewill Privacy Policy: Basis for Processing Personal Data clause

The GDPR has other specific requirements for what your Privacy Policy must contain, so make sure you get familiar with what you must do when creating or updating your policy.

Data Protection Act 2018's Main Measures

The Data Protection Act 2018's main measures address the following topics.

Part 2 Chapter 2 of the legislation covers the general processing regime, which is the legal framework that covers most cases where businesses are processing personal data. It's the part of the law that most directly works alongside the GDPR.

As a business, the main things you need to know about Part 2 Chapter 2 are the following clarifications and additional rules that the Data Protection Act 2018 adds on to the GDPR.

Public Interest

One of the six legally allowed purposes for collecting personal data under the GDPR is to carry out a task in the public interest. The Data Protection Act 2018 gives a UK-specific definition of public interest, namely that the data processing is necessary for:

  • Administering justice
  • Carrying out the functions of the House of Commons or House of Lords
  • Carrying out a legal power
  • Carrying out the power of the Crown or Government
  • Carrying out "an activity that supports or promotes democratic engagement"

This means the public interest purpose will rarely be valid for a business collecting data.

The GDPR says a child must be at least 16 to consent to personal data being collected through an "information society service." Although the GDPR's wording mentions "remuneration," most case rulings so far suggest this can cover free-to-use websites and online services.

The Data Protection Act 2018 overrides the GDPR by saying that in the UK, a child can give the necessary consent from the age of 13. It also says the minimum age requirement doesn't apply at all to counselling and preventive (harm-prevention) services.

Special Categories of Personal Data

The GDPR says some personal data is so sensitive that it can only be collected in special circumstances. Examples include racial background, religious beliefs, sexual orientation and genetic data.

The Data Protection Act 2018 clarifies how some of these circumstances apply in a UK context. Among the key points businesses need to know are the following:

Businesses can collect sensitive data when it's necessary to comply with employment or social security law. They will need a specific policy document explaining why and how they do this.

You can collect and use sensitive data for the specific purpose of checking whether you are offering equal opportunity or treatment. For example, you could collect details of sexual orientation as part of an audit into whether you treat people equally regardless of their sexual orientation. When you gather sensitive data for these purposes, you can't use it to make decisions about the individual. You also can't collect or use the data if it's likely to cause "substantial" damage or distress.

You can process sensitive data without the person's consent if doing so is necessary to:

  • Prevent fraud or other unlawful activity
  • Prevent dishonesty, malpractice and other conduct in order to protect the public
  • Comply with UK laws on money laundering and financing of terrorism

Criminal Convictions Data

In simple terms, the Data Protection Act 2018 says you can process data about a person's criminal convictions in the following cases that are relevant to businesses:

  • The person consents to you processing the data
  • The person has clearly made their criminal conviction public

Automated Decision-making

You can only use and process personal data to make automated decisions when a UK or EU law specifically says it's allowable in your particular situation. The Data Protection Act 2018 says that when this does happen:

  • You must let the person know you've used automated decision-making
  • You must give them a month to ask you to reconsider the decision or make it manually. You then have a month to comply with this request and let them know the outcome.

This example from Chubb's Privacy Policy gives users an overview of when and why it uses automated decision-making and makes customers aware they have relevant rights:

Chubb Privacy Policy: Automated Decision Making and Profiling clause

Other Relevant Sections of the DPA 2018

Part 2 Chapter 3

Part 2 Chapter 3 is known as applied GDPR. It's designed to take the principles of the GDPR and apply them to UK situations that would otherwise fall into a loophole where European Union rules can't apply in the UK. Generally it won't apply to businesses.

The most likely situation to be relevant is if you are processing data for the purposes of defense or national security, in which case you may be exempt from some data protection rules.

Parts 3 and 4

Parts 3 and 4 of the Data Protection Act 2018 shouldn't affect most businesses.

Part 3 only applies if you're a 'competent authority', meaning police, courts, prisons or another organization with law enforcement powers, and you are processing the data as part of law enforcement.

Part 4 only applies if you are one of the UK's intelligence services (MI5, SIS/MI6 or GCHQ) or are processing data on their behalf.

The main effect of Parts 3 and 4 is to allow exemptions to the normal rules, with these exemptions considered necessary for law enforcement or intelligence services to carry out their activities.

Conclusion

Let's recap what you need to know about the Data Protection Act 2018 and how it works with the GDPR:

  • The Data Protection Act 2018 isn't "the UK version of the GDPR." They are separate laws and both are part of UK law in their own right.
  • The Data Protection Act 2018 works alongside the GDPR. It clarifies and extends the GDPR's measures to work in the UK context.
  • Both laws will remain in place if and when the UK stops being a member of the European Union.
  • Some of the key points the Data Protection Act adds to the GDPR are:
    • The UK has specific criteria for the "public interest" basis for collecting data and these will rarely cover business activity.
    • The minimum age to give consent for most websites to collect data is 13 rather than the 16 listed in the GDPR.
    • You can collect sensitive data if it's necessary to comply with UK law, to prevent unlawful activity, or to check you are offering equal opportunity and treatment.
    • You can't usually make automated decisions using personal data. If you do, you must tell the individual and let them ask you to reconsider the decision.
    • You might be exempt from some GDPR requirements if you've been contracted to process data for defense or national security purposes.