The main objective of data protection – as the name suggests – is to safeguard personal information, ensuring that it is not only processed in a fair way but also that it does not face unauthorised disclosure or alteration.
In the UK, the Data Protection Act 2018 (DPA) governs the acquisition and management of personal data by businesses and other organisations. Itself an implementation of the EU’s General Data Protection Regulation, personal data is defined as any information that involves an identified or identifiable person.
Personal data can also be classified as ‘special category data,’ which refers to deeply personal information such as religious or political beliefs, medical information and so on. As such, data of this type is subject to extra security responsibilities.
What is the Data Protection Act (DPA)?
The UK’s Data Protection Act (DPA) is a domestic law, originally passed in 1988, that controls how personal data and other information is managed. According to the UK Government’s website, the law “controls how your personal information is used in organisations, businesses or the government”.
The DPA includes principles that every organisation handling personal data must follow, as defined by GDPR. The seven principles are lawfulness, fairness and transparency, as well as purpose limitation, data minimisation and accuracy. Finally, there is also storage limitation, integrity and confidentiality, and accountability.
Data controllers have the responsibility of complying with the principles and letters of the regulation. They can also be held accountable for their processing of personal data and must demonstrate their compliance with the DPA.
However, there are some exceptions to the rules of the DPA. For instance, the police are not obliged to disclose information that is being held or processed to prevent crimes; a school student can’t access personal files or exam results before publication; research by journalists or academics is an exception too if it is in the public interest or anonymous.
The Information Commissioner’s Office (ICO) is in charge of all data protection in the United Kingdom and provides rules and solutions for managing privacy and risks such as security breaches.
What is the difference between UK and EU GDPR?
The UK DPA is the domestic implementation of the EU GDPR. This means that it adapts European rules on the acquisition and management of personal data to the British legal system.
UK GDPR, meanwhile, is a separate piece of legislation. Borne out of the necessity to carry over swathes of EU law after Brexit, the UK’s version of GDPR is almost identical to its European antecedent in its articulation of the principles behind data protection and management. As such, it is useful to think of UK GDPR as providing the philosophical underpinnings behind how personal data is protected, while the DPA provides the framework for how those recommendations are acted on in practice.
GDPR is “the toughest privacy and security law in the world”. It imposes obligations and rules onto organisations and businesses everywhere, as long as EU residents are targeted. Since 2018, the GDPR can heavily fine anyone who violates its privacy and security standards. With it, Europe has set broad and far-reaching rules, making GDPR compliance a factor of worry, especially for small and medium-sized enterprises (SMEs).
However, UK GDPR does diverge from the EU version in several minor ways. Not only is the age of consent for the acquisition of personal data lower in the UK than in the EU (13 years and 16 respectively), but the former’s legislation also encompasses personal data harvested by security and border agencies.
UK GDPR is applied also outside of the UK, so European data controllers will have to follow the rules of UK GDPR too. For example, when they offer services to UK citizens or observe the behaviour of individuals in the UK.
Why is the UK moving away from GDPR?
Now that the UK has left the EU, the British Government has stated its intention to distance itself from GDPR, the principles of which lie at the heart of the DPA.
The UK government believes that the EU has been slow to sign data transfer agreements with states across Europe, which led to businesses applying GDPR with little flexibility. On the other hand, some argue that the regulation has led to issues in commercial data exchange between large and small enterprises, preventing their growth and their ability to deliver digital services.
As such, the UK government plans to introduce a Data Reform Bill by the end of the summer with the intent to create a new data regime under its overarching National Data Strategy. According to the Department for Digital, Culture, Media and Sport (DCMS), the new legislation will “give individuals greater clarity over their rights and a clearer sense of how to determine access to, and benefit from, their own data”. Rules on the use of personal data by businesses and other organisations, meanwhile, will be loosened so as to encourage faster adoption of automated decision-making tools powered by AI and digital employees (software robots).
Critics, however, point out that the Data Reform Bill, if not implemented correctly, could jeopardise the UK’s current data adequacy status with the EU, which would halt the flow of data across borders.
It is too early to know whether the Data Reform Bill will achieve its goals. What is certain, however, is that the law marks a clear divergence in data protection regulations between the UK and the EU – a gap that is likely to widen as Brexit recedes further into the rear-view mirror.