As “GDPR” fast becomes the 2018 acronym of the year, the Data Protection Act 2018 has been somewhat neglected in the round-robin emails clogging our inboxes. But what is it, and should you pay attention?

The DPA 2018 is the UK’s domestic data protection law. In photo-finish fashion, it received royal assent on 23rd of May 2018 and came into force on the 25th May, joining the GDPR in forming our new and improved data protection regime.

But, what is the point of the DPA 2018 if we have the GDPR?

Without going into a great constitutional analysis, the Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Without it, the GDPR would still have direct effect, meaning that individuals may immediately invoke GDPR before a national or European court. However, the DPA 2018 brings the provisions of the GDPR into national law along with making some additions of its own.

Member states have limited opportunities to decide how certain provisions should apply to them individually – known as “derogations”. The DPA 2018 fills the gaps of the GDPR and ‘future proofs’ the law in light of our pending departure from the EU. The two must therefore be read alongside one another.

As you may not have time to read all 354 pages of the Act’s guidance, we thought we would share some ‘highlights’ from the DPA 2018:

  • Business:
    • Management forecasts: Personal data processed for the purposes of management forecasting or management planning are subject to exemptions (including data subject rights and reporting requirements) where such disclosure would likely prejudice the conduct of your business or activity concerned.
    • Negotiations: Personal data that consists of records of the intentions in the context of negotiations with the data subject is subject to exemptions (including data subject rights and reporting requirements) where such disclosure would be likely to prejudice those negotiations.
    • Confidential references: Confidential references are to be kept confidential in all circumstances by anyone that holds them – not just the Employer or the reference provider. Employees and Volunteers will not be able to exercise their data subject rights such as subject access or the right to be informed. A privacy policy is also exempt from covering this issue. This provision has been subject to criticism, stating that it is too wide and does not have the individual’s interests at heart.
  • Immigration: A controversial exemption has been introduced in relation to immigration control. Many rights (incl. subject access) are removed from the data subject, where there is a risk of prejudice to controls if such information is disclosed. In the wake of Windrush, where access to immigration files is said to have been vital to justice, this exemption will likely face challenge by campaigners going forward.
  • Legal Professional Privilege: Legally privileged information is exempt from certain data processing principles, data subject rights and reporting requirements. Unlike its predecessor however, the DPA 2018 has widened the exemption to information subject to a duty of confidentiality. While the two terms are often used interchangeably by professionals there is a distinct legal difference that could leave a data subject vulnerable. This wider application bridges the gap.
  • Public authorities: Thanks to the DPA 2018, we have a definition of ‘public authority’ in a data protection context. We also now know that a Parish Council is not a public authority and will not be subject to the additional obligations and restrictions that come with public authority status.
  • Exam Scripts: Sorry kids! You cannot use the GDPR to get your marks sooner by making a subject access request or exercising your right to be informed.
  • Charges: The Data Protection (Charges and Information) Regulations 2018 also joined the May 25th club by coming into force alongside the GDPR and DPA 2018. They impose different levels of fees on Data Controllers depending on the organisation’s size.

There are also two new offences under the DPA 2018:

  • Re-identifying Information: it is now an offence for a person to knowingly or recklessly try to match anonymous data with publicly available information, or auxiliary data, in order to discover the individual to whom the data belongs.
  • Alteration etc of Personal Data: it is now an offence for the Data Controller or a person employed by it to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information that a Data Subject enforcing his/her rights would have been entitled to receive.

So, there you have it – DPA 2018 in a nutshell – there are, of course, a large number of provisions not covered in this short note. But, we will continue to keep you updated.