UK GDPR & Data Protection Act (DPA) 2018
The UK has its own Data Protection Framework that governs how organizations collect, use, and manage personal data. This framework is built on two key pieces of legislation: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.
The UK GDPR came into effect after Brexit, replacing the EU GDPR within the UK. While it mirrors the EU's regulation in many areas, the UK version gives the government flexibility to introduce changes tailored to national priorities.
The DPA 2018 works alongside the UK GDPR as the UK’s domestic data protection law. It covers specific areas not addressed by the UK GDPR, such as law enforcement, public safety, and national security exemptions.
UK GDPR and DPA 2018 create a complete system for protecting personal information in different situations, and following both is required for organizations handling personal data in the UK.
What Is the UK GDPR?
The UK GDPR is the primary law governing how personal data is processed in the UK. It applies to any organization, whether based in the UK or abroad, that collects, stores, or processes personal information of UK residents. This includes both digital systems and manual records.
Effective from January 1, 2021, after the UK left the EU, the UK GDPR was established through the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. It keeps the core ideas of the EU GDPR, which became law across Europe in 2018, focusing on lawful, fair, and transparent data handling.
The UK GDPR protects individual rights by setting clear rules for responsible data use, from customer details to employee records. While it aligns with the EU GDPR, it allows future changes to suit the UK’s needs, so organizations must watch for updates to stay compliant.
This law promotes trust by requiring organizations to handle personal information carefully, balancing accountability with practical data use.
What Is the Data Protection Act (DPA) 2018?
The DPA 2018 supports the UK GDPR to form a full data protection framework for the UK. It adds specific rules tailored to the UK’s legal and policy needs, covering areas where the UK GDPR alone is not enough.
The DPA 2018 addresses unique situations, such as:
- Data processing for law enforcement: It outlines separate rules for how personal data can be handled by police and criminal justice agencies. This balances privacy rights with public safety.
- Immigration control: It introduces specific exemptions related to immigration matters.
- National security: It allows certain exemptions where data processing relates to security or intelligence services.
Additionally, the DPA 2018 defines the roles and powers of the Information Commissioner's Office (ICO), the UK's independent data protection regulator responsible for enforcing data protection laws, investigating breaches, and providing guidance to organizations.
The DPA 2018 also clarifies rules for processing sensitive data, like children’s information, and sets legal bases for data use in specific cases. Together with the UK GDPR, it forms a clear system that organizations must follow to operate legally.
UK GDPR vs DPA 2018: What’s the Difference?
The UK GDPR and the DPA 2018 overlap in some areas. Yet, each law serves a different function within the broader data protection framework.
The UK GDPR sets out the main principles, rights, and obligations for processing personal data. It mirrors the structure of the original EU GDPR, focusing on fair, lawful, and transparent data use. It safeguards individual rights and promotes accountability among organizations.
The DPA 2018 supplements the UK GDPR by adding provisions specific to the UK's legal and policy environment. It clarifies how the UK GDPR applies in certain contexts and introduces additional rules where needed.
Key Differences
The primary differences between the UK GDPR and the DPA 2018 are as follows:
- Law enforcement and criminal justice data processing: The DPA 2018 contains a dedicated section covering personal data processing for law enforcement purposes. These rules aim to balance public safety with privacy protections.
- National security exemptions: The DPA 2018 includes specific exemptions for processing personal data related to national security, intelligence services, and related activities.
- Special category data handling: Both laws place strict requirements on processing sensitive data, such as health information, racial or ethnic origin, and political opinions. However, the DPA 2018 provides further detail on how these rules apply in the UK.
- ICO codes of practice: The DPA 2018 gives the ICO the authority to issue codes of practice and guidance helping organizations apply the law in practice.
Organizations must follow both laws together, as complying with only one would leave gaps, risking penalties and loss of trust.
Who Must Comply with the UK GDPR and DPA 2018?
The UK GDPR and the DPA 2018 apply to a wide range of organizations that process personal data. These laws are designed to protect the privacy rights of individuals, and they set clear rules for how personal information is collected, stored, and used.
The two laws apply to:
- UK-based organizations: Any organization established in the UK that processes personal data must comply. This applies to businesses, public authorities, charities, and other organizations, regardless of their size or sector.
- Non-UK organizations: The rules also apply to organizations based outside the UK if they offer goods or services to individuals in the UK (even if free of charge) or monitor the behavior of individuals in the UK.
The types of data that are covered are:
- Automated data processing (e.g., customer databases and CRM systems).
- Structured manual records (e.g., organized files or spreadsheets).
- Some unstructured data, particularly if held by public authorities.
In short, both private and public sector organizations, regardless of where they're located, may be subject to these laws if they process personal data of UK residents.
What Counts as Personal Data Under the UK GDPR & DPA?
The UK GDPR and the DPA 2018 define personal data as any information that relates to an identifiable individual. This includes information that can identify someone directly, such as their name, or indirectly when combined with other details.
Some examples of personal data include:
- Name and contact details.
- Identification numbers (e.g., National Insurance number or passport number).
- Location data and online identifiers (e.g., IP addresses).
- Biometric and genetic data used to identify individuals.
If information can be used to identify a person, alone or with other data, it's considered personal data under UK law.
Certain types of personal data are seen as more sensitive and require additional protections. These are known as special category data and include:
- Racial or ethnic origin.
- Religious or philosophical beliefs.
- Political opinions.
- Trade union membership.
- Health information.
- Genetic and biometric data used for identification.
- Details about a person's sex life or sexual orientation.
Organizations must have a stronger legal basis to process special category data, and additional safeguards often apply.
It's also important to note what actually constitutes “processing” under the UK GDPR and DPA 2018. Essentially, it refers to any operation carried out on personal data, such as:
- Collecting
- Storing
- Organizing
- Using
- Sharing
- Deleting or destroying
The laws apply to both automated processing (such as digital records) and manual filing systems if personal data is organized in a structured way.
What Are the 7 Principles of Data Protection?
The UK GDPR outlines seven core principles guiding how organizations handle personal data. These principles form the foundation of the UK’s data protection system and apply to all data processing.
The 7 Principles of Data Protection
- Lawfulness, fairness, and transparency
Data must be processed legally and fairly, with clear information provided to individuals about its use, like through privacy notices.
- Purpose limitation
Data should only be collected for specific, clear purposes and should not be used for anything incompatible with those purposes, unless the individual agrees.
- Data minimization
Data minimization means collecting only the personal data an organization genuinely needs for its stated purposes. For instance, a retailer asks for a customer's name and delivery address to ship a product, without requesting unnecessary details.
- Accuracy
Reasonable steps must be taken to keep personal data accurate and up to date. This includes things like providing ways for individuals to correct inaccurate contact information.
- Storage limitation
Personal data should not be kept for longer than necessary for the purposes it was collected. For instance, organizations should delete old customer records that are no longer required for business or legal reasons.
- Integrity and confidentiality (security)
Appropriate security measures must be in place to protect personal data from unauthorized access, loss, or damage. This includes using encryption to protect sensitive information stored on company systems.
- Accountability
Organizations must show compliance by keeping records of data activities and training staff.
These seven principles apply to all organizations processing personal data, and they form the basis for building a lawful and transparent data protection approach.
Data Subject Rights Under UK GDPR & DPA 2018
The UK GDPR and DPA 2018 give individuals clear rights over their personal data and more control over how the information is collected, used, and shared.
Organizations must understand and respect these rights. They also need to respond to requests from individuals within set time frames.
Here are the key data subject rights that organizations and individuals need to be aware of:
- Right to be informed: Individuals have the right to know how their personal data is being used. Organizations must provide clear information, often through privacy notices.
- Right of access: People can request access to the personal data an organization holds about them. This is often called a Subject Access Request (SAR). The organization must provide the information, usually within one month.
- Right to rectification: If personal data is incorrect or incomplete, individuals can ask for it to be corrected.
- Right to erasure (right to be forgotten): In certain situations, individuals can ask for their personal data to be deleted. This right applies, for example, when the data is no longer needed for its original purpose, or consent has been withdrawn.
- Right to restrict processing: In specific circumstances, such as when the accuracy of the data is disputed, individuals can request that their data only be stored and not used for any other purpose.
- Right to data portability: People can ask to receive their personal data in a structured, commonly used, and machine-readable format. They can also ask for the data to be transferred to another organization.
- Right to object: Individuals can object to the use of their personal data for certain purposes, including direct marketing.
- Rights around automated decision-making and profiling: People have protections where decisions are made solely by automated processes, especially if the decision has significant effects (e.g., eligibility for credit or employment).
The DPA 2018 introduces exemptions to some rights in specific situations, including:
- Data processed for law enforcement purposes
- Data processed for immigration control
- Processing related to national security
In these cases, certain rights may be limited to balance individual privacy with public interest or security requirements.
Key Business Obligations Under UK GDPR & DPA 2018
Organizations, public bodies, charities, and other groups and businesses that handle personal data in the UK must meet specific responsibilities under the UK GDPR and DPA 2018.
Establish a lawful basis for processing
Organizations must have a valid reason for collecting and using personal data. The lawful bases under UK GDPR include:
- Consent from the individual
- Fulfilling a contract
- Protecting vital interests (e.g., saving someone's life)
- Meeting a legal obligation
- Carrying out a task in the public interest
- Legitimate interests pursued by the organization or a third party (unless overridden by individual rights)
Implement data security measures
Appropriate technical and organizational steps must be taken to protect personal data. This includes using encryption, controlling access to systems, and safeguarding data from loss or unauthorized use.
Appoint a Data Protection Officer (DPO) if required
Some organizations need to appoint a DPO, particularly if they:
- Are a public authority
- Carry out large-scale monitoring of individuals
- Process large volumes of special category data
Maintain records of processing activities (ROPA)
Most organizations need to keep internal records of the personal data they process, how it is used, and the lawful basis for processing. This helps demonstrate accountability.
Conduct data protection impact assessments (DPIAs) for high-risk processing
If an organization carries out processing likely to result in a high risk to an individual's rights, it must conduct a DPIA before starting the activity. For example, a DPIA would be required when a company is carrying out large-scale use of sensitive data or profiling.
Respond to subject access and data rights requests
Organizations must respond to requests from individuals exercising their rights under data protection law, such as access or rectification requests. In most cases, the response must be provided within one month.
If an organization fails to meet these responsibilities, it can result in enforcement action, reputational damage, and significant penalties.
How to Handle Data Breaches Under the UK GDPR
A personal data breach can happen when information is lost, accessed without permission, altered, or destroyed. Under the UK GDPR, organizations must follow clear steps to respond to such incidents.
In the event of a data breach, these are the steps organizations have to follow:
- Notify the ICO within 72 hours: If a breach creates a risk to individuals' rights or freedoms, the organization must report it to the ICO within 72 hours of becoming aware.
- Inform affected individuals: If the breach is likely to result in a high risk to individuals, the organization must also inform those affected without unnecessary delay.
- Document the breach: Even if a breach doesn't need to be reported, organizations have to keep internal records of what happened, how it was managed, and any corrective action taken.
- Understand roles and responsibilities: Both data controllers and processors have responsibilities during a breach. Processors must notify the controller without delay, and controllers are responsible for assessing the impact and deciding on the next steps.
Data breach preparation should be a core part of any organization's compliance readiness. This means having clear procedures, response plans, and staff training in place to deal with incidents effectively and reduce potential harm.
International Data Transfers Under UK Law
The UK GDPR places restrictions on transferring personal data to countries outside the UK. These rules exist to make sure that individuals' information remains protected when it leaves the UK's legal framework.
Organizations must use appropriate safeguards unless the destination is approved as adequate by the UK government.
These are the legal mechanisms for international transfers:
- Adequacy decisions: The UK government can decide that a country, territory, or international organization provides a level of data protection comparable to UK standards. Transfers to these locations are permitted without further measures.
- Standard Contractual Clauses (SCCs): SCCs are legal agreements approved by the UK government. They set out contractual obligations to protect personal data when transferring it to countries without an adequacy decision.
- International Data Transfer Agreements (IDTAs): IDTAs are tailored for UK organizations transferring data internationally. They provide an alternative to SCCs, offering a standard set of terms to safeguard personal data.
- Binding Corporate Rules (BCRs): BCRs allow multinational organizations to transfer data within their group of companies. However, they can only do this if they have approved, enforceable policies that meet UK GDPR requirements.
In some exceptional cases, organizations may transfer personal data without these mechanisms. For example:
- The individual has given explicit consent after being informed of the potential risks.
- The transfer is necessary for the performance of a contract.
- There are important reasons of public interest.
International transfers carry legal and reputational risks. So, organizations must assess the circumstances carefully and use the appropriate safeguards.
Enforcement and Penalties
The ICO is responsible for enforcing the UK GDPR and DPA 2018. The ICO has the authority to investigate organizations, issue guidance, and take action when the law is breached. Its specific powers include:
- Investigating complaints or suspected non-compliance.
- Conducting audits and inspections.
- Issuing warnings or reprimands.
- Imposing fines for breaches of data protection law.
The ICO can issue significant fines based on the seriousness of the breach:
- Up to £8.7 million or 2% of global annual turnover (whichever is higher) for less serious infringements.
- Up to £17.5 million or 4% of global annual turnover (whichever is higher) for more serious breaches. This includes things like unlawful processing or failing to uphold individuals' rights.
Organizations often face penalties for:
- Collecting or using personal data without proper consent.
- Failing to implement adequate security measures to protect data.
- Ignoring data subject access requests (DSARs) or failing to respond within the required time frame.
Regulators expect organizations to take data protection seriously. Failing to meet legal obligations can lead to financial penalties, reputational damage, and legal action.
How to Build a Compliant Data Protection Program
Building an effective data protection program helps organizations meet their responsibilities under the UK GDPR and the DPA 2018.
Here are the key steps to support compliance:
- Create a clear, concise privacy policy: Your privacy policy should explain what personal data you collect, how you use it, your legal basis for processing, and how individuals can exercise their rights.
- Train staff on responsibilities and data handling: Everyone involved in handling personal data should understand their role. This includes how to recognize and report potential risks or breaches.
- Implement vendor management processes: Organizations must assess and manage the risks associated with third-party suppliers that process personal data. This includes having clear contracts and data protection terms in place.
- Carry out data risk assessments: A regular data risk assessment helps organizations identify vulnerabilities, assess the likelihood of incidents, and apply appropriate controls to protect personal data.
- Maintain records and audit trails: Keeping accurate records of data processing activities demonstrates accountability. This includes documenting lawful bases for processing, data flows, and security measures.
- Monitor for updates to UK GDPR and DPA 2018 guidance: Data protection law evolves over time. Organizations should regularly check for updates from the ICO and review internal processes to reflect changes in legal requirements.
By adopting these practices, organizations can meet legal standards, protect personal data, and build trust with their users, clients, and customers.