
The Data Protection Act of 2018 & The UK GDPR

Operationalize DPA compliance with the most comprehensive PrivacyOps platform.


The Data Protection Act (DPA) of 2018 was passed in April 2016 and came into effect on May 25, 2018. This was the same day the General Data Protection Regulation (GDPR) came into effect.

The DPA implemented the GDPR in the UK, codified its requirements into UK law, and made the exemptions and additional requirements needed for the UK’s data protection context. However, from December 2020 the UK is no longer subject to the EU GDPR because of Brexit. The UK GDPR refers to the GDPR as it stood on 31st December 2020, in a “frozen” state, together with any case law applicable at that point. The UK GDPR and the DPA must now be read together. The DPA also has specific chapters on data processing by law enforcement and intelligence service bodies.


The Solution

Securiti promises thorough compliance with both the Data Protection Act of 2018 and the UK GDPR thanks to its PI data discovery, DSR automation, documented accountability, and AI-process automation features, among others.

Each of the aforementioned solutions is backed up by state-of-the-art artificial intelligence and machine-learning-based algorithms, making Securiti a market leader in providing data compliance and governance solutions.

Request a demo today to learn how Securiti can aid you and your organization's compliance efforts.




Automate Consumer Data Access Request Handling

DPA Sections 12, 13 & UK GDPR Article 15

Organizations can easily automate the process related to data access requests while being compliant with the law.


Secure Fulfillment of Data Access Requests

DPA Sections 12, 13 & UK GDPR Article 15

A central portal ensures all data access requests are streamlined and easily viewable via a singular dashboard, allowing you to keep track of them in real time.

Automate Processing of Rectification Requests

UK GDPR Article 16

All rectification requests received can be processed automatically, with their progress visible on the central dashboard in real time.


Automate Erasure Requests

UK GDPR Article 17

All erasure requests received can be processed automatically, with their progress visible on the central dashboard in real time.

Automate Object & Restriction of Processing Requests

UK GDPR Articles 18, 19

All objections to processing and requests for restriction of processing can be handled automatically, with their progress visible on the central dashboard in real time.


Monitor & Track Consent

UK GDPR Articles 6, 7, 9

Organizations can monitor their users’ consent to the various data processing activities via the central dashboard. This ensures that all data collection complies with data protection requirements and that no transfer, sharing, or sale of data takes place without the user’s consent.

Assess Readiness

DPA Sections 4, 8, 13 & UK GDPR Articles 5, 24, 25

Organizations can conduct regular internal assessments of their various data-related processes to evaluate their effectiveness. Additionally, these assessments can help identify gaps and deficiencies, which can be appropriately remedied.

Map Data Flows & Generate Reports

UK GDPR Article 30

Automate all incoming and outgoing data transfers in real time to ensure all transfers are compliant with the appropriate data protection requirements.

Automate Data Breach Response Notifications

UK GDPR Articles 33, 34

Organizations can automate the compliance actions and data breach notifications owed to affected stakeholders after a security incident, drawing on a knowledge base of security incident diagnosis and response.


Manage Vendor Risk

UK GDPR Article 28

Organizations can easily track all their vendors’ data processing activities to ensure their practices are in compliance with the law.

Meet Cookie Compliance

UK GDPR Articles 6, 7, 21

Ensure all cookies being used by an organization are compliant with the appropriate requirements of the law.


Privacy Policy & Notice Management

UK GDPR Articles 12, 13

Generate privacy policies that comply with the applicable data protection laws, inform users about the organization’s data collection practices, and automate any notice requirements.

Key Rights Under Data Protection Act & UK GDPR

The DPA and the UK GDPR ensure all users have a specific set of rights, known as data subject rights, to ensure they retain control over how their data is used. These rights include the following:

Right of Access

Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is being processed and, where it is, access to that personal data.

Data subjects can request the following information about the data collected:

  • Purpose of data collection;
  • Categories of collected data;
  • How long the collected data will be stored;
  • Any third parties the collected data has been shared with or sold to;
  • Existence of automated decision-making mechanisms.

Right to Rectification

All data subjects have the right to request rectification of any collected data that has become outdated, incorrect, or obsolete since it was initially collected. Where data is incomplete, data subjects have the right to provide a supplementary statement to complete it.


Right to Erasure

Also known as the Right to be Forgotten, this gives all data subjects the right to request that any data collected on them be destroyed and that any existing processing of that data cease accordingly.

The data processor/controller must abide by any such requests if any of the following criteria are met:

  • The data collected is no longer necessary for the purpose for which it was collected;
  • The data subject has withdrawn their consent to data collection;
  • The data subject has objected to data collection;
  • The data was unlawfully processed;
  • The data has to be erased pursuant to a legal obligation in a jurisdiction to which the data controller is subject.

Right to Data Portability

All data subjects have the right to receive all data collected on them by a data processor or controller in a structured, commonly used, and machine-readable format that can be easily accessed via an appropriate electronic device.


Right to Object

All data subjects have the right to request an end to all collection and processing of their data. Once such a request is made, the data processor/controller must cease those activities unless it has legitimate grounds for continuing, such as legal, contractual, or national security reasons. The right to object includes the right to withdraw consent to processing for direct marketing purposes.


Right to Restriction of Processing

All data subjects have the right to request a restriction on the processing or collection of their personal data in the following circumstances:

  • The data subject contests the accuracy of the data collected;
  • Data was unlawfully processed and the data subject requests the restriction of data processing rather than erasure of data;
  • The data controller no longer needs to process the data;
  • The data subject has objected to their data being processed and verification is pending.

Automated Individual Decision-Making

All data subjects have a right to request an end to any automated decision-making, including profiling that may have legal implications for the data subject.

However, this right does not apply in the following cases:

  • The data subject has explicitly consented to automated decision-making;
  • The state permits the data controller to carry out such activities;
  • Automated decision-making is necessary for the performance of a contract between the data subject and the data controller.

Notification Obligation Regarding Rectification/Erasure of Personal Data

The data processor/controller must ensure that any rectification, erasure, or restriction-of-processing request made by a data subject is communicated to all parties that had access to the data subject’s data.

The data processor/controller may be exempt from this requirement if notifying all such parties would require a disproportionate effort. The data subject must be informed of all these parties that had access to their data if they request such information.

The DPA contains several limitations on the data subject rights provided under the UK GDPR. One such exemption aims to protect the national security and defense of the country: data subjects’ rights do not apply where the exemption is required to safeguard national security or for defense purposes. This particular exemption, however, applies only in relation to manual unstructured data held by FOI public authorities.

Facts Related to Data Protection Act & UK GDPR

Here are some facts about the Data Protection Act 2018 & the UK GDPR:

1. The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 amended the EU GDPR, resulting in the UK GDPR.

2. In case of data breaches, organizations can be fined €20 million or 4% of annual global turnover (whichever is higher), and €10 million or 2% of annual global turnover (whichever is higher) in case of administrative failures.

3. The Data Protection Act of 2018 applies to any organization that holds data belonging to UK residents. It also applies to entities processing personal data in the context of the activities of an establishment of a controller or processor in the UK, regardless of whether the processing takes place in the UK or not.

4. Data processors and controllers must respond to all data subject requests without undue delay, and in any event within 30 days of receipt of the request.

5. The UK’s post-Brexit International Data Transfer Agreement replaces the former SCCs and facilitates cross-border data transfers from the UK to non-adequate third countries.

6. The Information Commissioner’s Office (ICO) is the regulatory body responsible for ensuring compliance with the DPA read together with the UK GDPR.
