Data Protection Act 2018

What is the 2018 Data Protection Act?

The Data Protection Act 2018 manages how data is accessed and managed.

Building on existing principles from the 1998 Data Protection Act, the 2018 Act now addresses how data is managed online, not least in light of the substantial digital advances that have occurred since the passing of the original 1998 Act.

Why was the 2018 Data Protection Act introduced?

Recent digital developments, such as e-commerce and social media, made the 1998 Data Protection Act an inefficient tool.  It was not created to be able to cope with such a prevalence of online data sharing.

Data Protection Act

Data protection laws were updated in 2018 to reflect the move to a digital world

This was an issue faced across the European Union, leading to a collective effort being made at the European level in order to develop a data protection law more suited to the times. New European data protection legislation resulted in the European Union’s General Data Protection Regulation (GDPR), which began to be implemented by member states in 2018.

The European Union allowed its member states to introduce their own domestic data protection laws to embody the principles of GDPR, and in the UK this led to the 2018 Data Protection Act.

A further key aim of the 2018 Act was to allow people greater control over their own personal data.

Main Provisions of the 2018 Data Protection Act

The main changes brought about by the 2018 Data Protection Act included:

New Offences
Personal data is defined as ‘any information relating to an identified or identifiable natural person’. In general, sensitive personal data may not be collected and processed without people’s express permission.

The 2018 Data Protection Act has made certain behaviours around the use of personal data illegal. These include obtaining, processing, storing, and selling personal data without the approval of the data controller.

Article Nine of the Data Protection Act further defined special category data, this was data ‘revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership’ and ‘genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.  Data covered under Article Nine is governed by further legality conditions.

Lawful Bases
Under certain conditions, sensitive personal data may be legally processed. These include for social protection, health, law enforcement, and statistics purposes. Under the 2018 Act, organisations that handle such data are required to have a written policy regarding how it is protected, how long it will be kept for, and when it will be deleted.

The Data Protection Act 2018 allows a person to consent to their personal data being collected and processed, such as through cookie consents on websites. The minimum age for this is 13. If an individual requests data stored about them to be deleted, the Data Protection Act obligates the organisation storing the data to do so.

Data Subject Access Requests
The Act 2018 governs the process through which anyone may submit a Data Subject Access Request (DSAR) in order to find out what personal information a company or organisation is storing about them. The company may refuse these in specific cases, including when the personal data is regarding crime, taxation, and held by protection authorities such as the police.

Information Commissioner
The 2018 reconfirmed the role of the Information Commissioner’s Officer. The Information Commissioners Office (ICO) is an independent supervisory body responsible for the enforcement of data protection law. It now has the right to impose large fines for noncompliance – up to £17.5 million or 4% of annual global turnover if this is greater.

Codes of Practice
Codes of Practice are voluntary ICO guidance for companies to follow in order to more easily comply with the Act.

Examples of the 2018 Data Protection Act in action

Following the 2018 Data Protection Act, the Information Commissioner Office has handed out a number of significant large fines to companies who have breached the Act in relation to their data processing.

A notable example is British Airways, which was initially fined an eye watering £183 million by the Information Commissioner’s Office due to their failings in 2018  to protect customer’s personal data from computer hackers. This involved data said to be related to around four hundred thousand customers.  The £183 million fine was later reduced to £20 million in part to account for the Coronavirus’ impact on British Airways’ revenue. Victims of this data breach may potentially also be entitled to monetary compensation.

In 2018, the Information Commissioners Office also fined the Marriott hotel chain £18 million for a breach of the Act.

Another company, Pownall Marketing Limited, received a fine of £250,000 for having allegedly breached the Act through 365,369 unsolicited, or so called nuisance, calls, to people around potential claims management services.

British Airways has fallen foul of the Information Commissioners Office since the 2018 Act

The Data Protection Act and Brexit

In light of its 2016 referendum, the United Kingdom left the European Union in December 2020. As of January 2021, the European Union’s own GDPR regulations no longer have any force in the United Kingdom. However, as a result of the 2018 Data Protection Act, the same regulations have been enshrined into domestic law through the UK GDPR 2018.

In practice, this means that companies will follow the same policies they established to comply with the European GDPR in 2018, although they do now need to change the wording to say ‘UK GDPR’.

The 2018 Data Protection Act has also since been amended to take Brexit into account.  It will continue to apply, only alongside the British version of GDPR rather than the European GDPR. The EU GDPR as it was in December 2020, informally known as ‘frozen GDPR’, will continue to regulate some non-UK personal data, such as EU data processed before January 2021.

Post Brexit, the Information Commissioners Office retains its current role with regards to regulating UK data protection but will no longer enforce the EU version of the GDPR.

The Brexit transition has triggered some changes, particularly regarding receiving personal data from Europe. European Union GDPR will apply whenever data from the EU is involved, or goods and services from UK companies are sold in the EU.

Although considered unlikely, there could be further restrictions on the flow of data between the UK and the EU in the future.   This would not occur should the EU assesses that UK data protection laws to be sufficiently similar to its own, thus eliminating the need for additional safeguards to the flow of information between the two areas.  The UK, however, may send data to Europe without restrictions in any case, as it has already declared the EU and all EEA territories adequate.

2018 Data Protection Act in Full

The 2018 Data Protection Act can be read in full here.