How we deal with data protection within the EU significantly changed on 25th May 2018. The vast majority of the population are aware of the coming into force of the General Data Protection Regulation due to the abundance of emails in their inbox providing them with updated Privacy Policies or asking them for consent to use their personal data. However, less well publicised was the fact that on the same date, the UK’s Data Protection Act 2018 received the Royal Assent. So how does the Data Protection Act 2018 differ from the GDPR?
Firstly, the GDPR has direct effect across all EU member states. Organisations must comply with this regulation and will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions determining how particular terms will apply in their own country. One part of the Data Protection Act 2018 deals with these areas, so it must be read alongside the GDPR.
In contrast, the Data Protection Act 2018 is obviously only applicable within the UK. Beyond setting out how the UK is to apply various sections of the GDPR, it also deals with the following:
- Processing which falls outwith EU law, such as immigration. This applies GDPR standards to areas which require regulation at a national level.
- The transposition of the EU Data Protection Directive (2016/280) (Law Enforcement Directive) into UK law. This complements the GDPR and sets out the requirements for processing of personal data for criminal law enforcement purposes.
- National Security. Each country within the EU has the right to determine how national security is regulated and this is dealt with in part within the DPA 2018. The UK’s intelligence services are required to comply with internationally recognised data protection standards and the DPA 2018 contains provisions based on the Council of Europe Data Protection Convention 108 which applies to them.
- The ICO’s duties, functions and powers plus enforcement provisions are covered by the DPA 2018.