Introduction
The General Data Protection Regulation (GDPR) is a landmark piece of legislation in data protection and privacy law. When the United Kingdom was part of the European Union, it adhered to the EU GDPR. Post-Brexit, the UK established its own version, known as the UK GDPR. However, this regulation does not operate in isolation. It works together with an Act of Parliament – the Data Protection Act 2018 (DPA 2018), which serves to supplement and tailor the broader provisions of the GDPR within the context of UK-specific issues.
UK GDPR and Data Protection Act 2018
The Data Protection Act 2018 replaced the Data Protection Act 1998 in the UK and is designed to harmonise with the UK GDPR. The DPA 2018 serves as the national law which complements and fills in the details of the general data protection framework set out in the UK GDPR.
The DPA 2018 and the UK GDPR together form the cornerstone of the UK’s data protection regime. The DPA 2018 provides a detailed framework for data protection in the UK, with specifics on everything from definitions of personal and sensitive data, through to the legal bases for processing, the rights of individuals, and the penalties for non-compliance.
Relationship Between UK GDPR and DPA 2018
While the UK GDPR sets out the key principles, rights, and obligations for most processing of personal data, there are areas which are covered in greater depth by the DPA 2018. These areas include specifics on processing special category data, criminal conviction data, data relating to national security, and rules on processing by intelligence services. The DPA 2018 also provides more detailed provisions on individual rights, such as the right to be informed, the right of access, and the right to object.
The DPA 2018 further implements the EU’s Law Enforcement Directive, which pertains to the processing of personal data by law enforcement agencies. It also sets out regulations for processing that does not fall within EU law, for example, where it is related to immigration.
The Role of the Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO), the UK’s independent body set up to uphold information rights, plays a significant role in ensuring compliance with the DPA 2018 and UK GDPR. The ICO provides guidance on the application of both the UK GDPR and the DPA 2018, including codes of practice and technical guidance notes.
Conclusion
The Data Protection Act 2018 works in tandem with the UK GDPR, providing a comprehensive and robust data protection framework in the UK. These laws give individuals more control over their personal data and provide businesses with clear guidelines on lawful processing of data. Companies must ensure they comply with both the UK GDPR and the DPA 2018 to avoid severe penalties and to maintain the trust of their customers and the public. Therefore, understanding these two pieces of legislation and how they interact is crucial for businesses and individuals alike.