Compliance work around data protection in the era of the GDPR is a complex and challenging task. Some small businesses may even be confused by the existence of two pieces of legislation covering the same subject – the GDPR and the Data Protection Act 2018.
So are they the same? Are they different? And which takes precedence over the other?
The simple answer is that these pieces of legislation are complementary.
GDPR has been directly applicable in the UK since 25th May 2018. Most of the detailed legal provisions that all businesses must comply with are presented in the GDPR. However, it doesn’t cover everything that is needed to have a workable data protection regime so each EU country still has some of its own legislation to fill in the gaps – and this is why the new Data Protection Act (DPA) 2018 was adopted.
The creation of DPA 2018 serves three main functions:
- To fill the legal gaps left by the GDPR and to give each member state the opportunity to develop the legislation in accordance with its internal rules and laws. The GDPR provides member states with limited opportunities to make provisions for its implementation, and the DPA 2018 fills those gaps for the UK – for example, how to define ‘public authorities’.
- To further extend and clarify how data protection laws apply to certain broad areas that are excluded from the GDPR and left to each member state, such as immigration, intelligence, and law enforcement.
- To set out the detailed provisions needed for the funding and functioning of the UK’s data protection regulator – the Information Commissioner’s Office (ICO). For instance, it covers the ICO’s duties, functions and powers, plus the enforcement provisions.
Another important function of the DPA 2018 is that it deals with some administrative points, such as repealing the old Data Protection Act 1998 and making the needed changes to deal with related legislation, like the Freedom of Information Act.
For comparison, we have summarised the most important points in a table:
Further, the DPA 2018 covers a few other areas connected with data protection and privacy that are very specific to the UK. For example, the DPA 2018 sets out the criminal sanctions and fines for GDPR infringements (such as the introduction of an unlimited fine for the new offence of intentionally or recklessly re-identifying individuals from anonymised data). The DPA 2018 also clarifies areas outside the scope of EU law (and the GDPR), such as processing for national security and immigration purposes; the role and powers of the UK’s independent authority (the ICO) in upholding information rights and freedoms; and the transposition of the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into UK law.
In conclusion, the DPA 2018 sits alongside the GDPR. When considering your data protection duties, both the GDPR and the new DPA 2018 will have to be consulted.