Data Protection Act & GDPR
The Data Protection Act 2018 (DPA 2018) works with the General Data Protection Regulation (GDPR) to protect your personal information (personal data).
DPA 2018 updates UK data protection laws for the digital age. It received Royal Assent on 23 May 2018. It works with the General Data Protection Regulation (GDPR) to protect your personal information. The Act provides a comprehensive and modern framework for data protection, with stronger sanctions for malpractice.
GDPR introduced accountability, mandatory personal data breach notification, data portability and new obligations on processors. It gives you the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
What Is the DPA 2018?
- It has replaced the Data Protection Act 1998 (DPA 1998) and is now the law concerning the processing of personal data.
- It makes the EU General Data Protection Regulations (GDPR) part of UK Law, so that most processing of personal data is also subject to the GDPR. Personal data must be processed lawfully and fairly, on the basis of the individuals consent or another specified basis. Individuals can obtain information about the processing of their personal data and ask for incorrect information about them to be rectified.
- It makes Article 8 of the Charter of Fundamental Rights of the EU about the right to the protection of personal data part of UK law.
- It covers processing of unstructured manual files by public authorities. This is not covered by GDPR or EU Law.
- Part 3 is about Law Enforcement Processing and brings the Data Protection Law Enforcement Directive which concerns the police and criminal justice sector into force.
- Part 4 provides new data protection rules for the intelligence services, which is based on the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Convention 108 ).
- Part 5 gives the Information Commissioner new powers with responsibility for monitoring and enforcing its provisions.
- Part 6 brings all the data protection enforcement powers together and increases maximum fines for breaches. It provides for maximum fines up to 20 million Euro or 4% of the undertaking’s total annual worldwide turnover.
- Part 6 also introduces two new criminal offences. Section 171 makes it an offence to re-identify de-identified personal data and alter personal data to prevent disclosure and Section 173 makes it an offence to alter personal data to prevent disclosure following a subject access request.
Public Interest Under DPA 2018
Article 6 of GDPR says that personal data can only be processed if there is a lawful basis for it, and Section 8 of DPA 2018 explains that a lawful basis means that processing must be in the public interest or in the exercise of official authority that is necessary for:
- The administration of justice.
- The exercise of a function of either House of Parliament.
- The exercise of a function conferred on a person by an enactment or rule of law.
- The exercise of a function of the Crown, a Minister of the Crown or a government department.
- An activity that supports or promotes democratic engagement.
Your Rights Under DPA 2018