The UK GDPR & Data Protection Act (DPA) 2018: Explained

Following the end of the Brexit Implementation Period on 31 December 2020, the United Kingdom is no longer subject to the European Union General Data Protection Regulation (GDPR).

The Data Protection Act (DPA) 2018 is the primary domestic data protection statute in the United Kingdom (UK); it repealed and replaced the Data Protection Act 1998. When the UK left the EU, the text of the GDPR was retained in UK law as the "UK GDPR", frozen at the version in force at the end of the implementation period and amended only so that it works in a purely domestic context. The UK GDPR sets out the core rules; the DPA 2018 supplements it with UK-specific provisions, such as exemptions and the powers of the regulator. The two must be read together.

The DPA 2018 comprises seven parts, three of which set out data processing regimes: Part 2 supplements the UK GDPR for general processing, Part 3 governs processing by competent authorities for law enforcement purposes, and Part 4 governs processing by the intelligence services. For the purposes of this article, the focus is on general processing, which applies to private companies and public authorities alike.

So what responsibilities do organizations have in the existing UK data protection legal framework? What are the data subjects’ rights? And what powers do the regulators have? Read on below to learn more:

1. Who Needs to Comply with the Law

Here’s how the DPA 2018 applies to organizations:

a. Material Scope

The UK GDPR applies to personal data processed wholly or partly by automated means, and to manual processing that forms, or is intended to form, part of a structured filing system. The DPA 2018 extends the regime to certain unstructured manual records held by public authorities. Processing by an individual in the course of a purely personal or household activity is outside scope.

b. Territorial Scope

As far as the DPA and the UK GDPR’s territorial scope is concerned, it can be condensed as follows:

  • It applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the United Kingdom, regardless of whether the processing itself takes place in the United Kingdom.
  • It applies to controllers and processors established outside the United Kingdom that process the personal data of data subjects who are in the United Kingdom, where the processing relates to:
    • offering goods or services to those data subjects (whether or not payment is required); or
    • monitoring their behavior, as far as that behavior takes place in the United Kingdom.

2. Obligations for Organizations Under the DPA & UK GDPR

Like all other major data protection laws, the DPA and the UK GDPR place obligations on organizations that collect and process personal data. Some of these include the following:

a. Lawful Basis Requirements

Organizations must be able to rely on one of the following lawful bases for the processing of personal data:

  • Consent: The data subject has given consent to the processing for one or more specified purposes;
  • Performance of a contract: The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject's request before entering into a contract;
  • Legal obligation: The processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Vital interests: The processing is necessary to protect the vital interests of the data subject or another natural person (typically a matter of life or death);
  • Public task: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Under section 8 of the DPA 2018 this includes processing necessary for the administration of justice, the exercise of a function of either House of Parliament, the exercise of a function conferred on a person by an enactment or rule of law, the exercise of a function of the Crown, a Minister of the Crown or a government department, or an activity that supports or promotes democratic engagement;
  • Legitimate interests: The processing is necessary for the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. Public authorities cannot rely on this basis for processing carried out in the performance of their tasks.

b. Consent Requirements

The UK GDPR (Article 4(11)) defines consent as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Under this description, consent gained from the user can only be valid if it is:

  • Freely given - Individuals must have a genuine choice and control over the processing of their personal data. They must be able to refuse consent without detriment, and to withdraw it at any time as easily as they gave it.
  • Informed - Individuals must be told who the controller is, the purposes of the processing, and what processing will take place, in concise, easy-to-understand, and user-friendly language.
  • Specific - Consent must be obtained for specific processing purposes, with separate consent for separate purposes, and must be kept separate from other terms and conditions.
  • Unambiguous - Consent requires a clear affirmative action (opt-in). Pre-ticked boxes, silence, or inactivity do not constitute consent.

c. Security Requirements

The UK GDPR and the DPA require controllers and processors to implement technical and organizational measures that are appropriate to the risk presented by the processing, taking into account the state of the art and the cost of implementation. Depending on that risk, this includes:

  • Appropriate technical, physical, and organizational access controls that ensure only authorized personnel can access personal data;
  • Encryption or pseudonymization of personal data;
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • Measures to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures.
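Of the measures listed above, pseudonymization is the one most often done badly. Under Article 4(5) of the UK GDPR, pseudonymization means processing personal data so that it can no longer be attributed to a specific data subject without the use of additional information that is kept separately and protected; pseudonymized data is still personal data. Hashing an e-mail address without a key does not meet that bar, because anyone can re-identify the hash by hashing a list of likely addresses. The example below is added for this article and is not Securiti's code; the records and the attacker's guess list are constructed, and the key handling (a 32-byte secret held in a key store apart from the data) is an assumption about the deployment. It shows a keyed HMAC pseudonym beside the unkeyed hash, a dictionary attack that succeeds against the unkeyed form and fails against the keyed one, and how the controller, holding the key, still locates one subject's rows to serve an access or erasure request.

```python
"""Keyed pseudonymization of a direct identifier (added example, not Securiti's code)."""
import hashlib
import hmac
import secrets

# Constructed sample records for this example; these are not real people.
SAMPLE_RECORDS = [
    {"email": "Alice@example.com", "order_total": 42.50},
    {"email": "bob@example.com", "order_total": 19.99},
    {"email": "alice@example.com", "order_total": 7.00},
]

# Constructed list of "likely inputs" an attacker would try against a token.
GUESS_LIST = ["bob@example.com", "alice@example.com", "carol@example.com"]


def new_pseudonymization_key() -> bytes:
    """Generate the secret key. Assumption: in production it lives in a KMS/HSM,
    never in the same store as the pseudonymized records."""
    return secrets.token_bytes(32)


def _normalize(identifier: str) -> bytes:
    # Canonicalize so "Alice@example.com" and "alice@example.com" map to one subject.
    return identifier.strip().lower().encode("utf-8")


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic, but trivially reversible for
    guessable inputs such as e-mail addresses, so it does not by itself give the
    'additional information kept separately' that Article 4(5) requires."""
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Same input -> same token, so records can
    still be joined per subject; without the key the token cannot be linked back
    by guessing inputs."""
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Replace the direct identifier with a keyed token and drop the e-mail entirely."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "order_total": r["order_total"]}
        for r in records
    ]


def dictionary_attack(token: str, guesses):
    """Re-identification attempt by someone who holds the data but not the key:
    hash each guess and compare. Returns the recovered identifier, or None."""
    for guess in guesses:
        if hmac.compare_digest(unkeyed_pseudonym(guess), token):
            return guess
    return None


def records_for_subject(pseudonymized, email: str, key: bytes):
    """What the controller, holding the key, does to serve an access or erasure
    request: recompute the subject's token and select the matching rows."""
    token = keyed_pseudonym(email, key)
    return [r for r in pseudonymized if r["subject"] == token]


if __name__ == "__main__":
    key = new_pseudonymization_key()
    table = pseudonymize(SAMPLE_RECORDS, key)
    print("unkeyed hash recovered:", dictionary_attack(unkeyed_pseudonym("alice@example.com"), GUESS_LIST))
    print("keyed token recovered:", dictionary_attack(table[0]["subject"], GUESS_LIST))
    print("rows for alice:", records_for_subject(table, "alice@example.com", key))
```

The design point is where the secret lives: the token table can be handed to an analytics team or a processor, and re-identification is possible only by whoever controls the key, which is exactly the separation the definition asks for. Rotating the key breaks the join between old and new tokens, so rotation should be planned around retention periods rather than done ad hoc.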

d. Data Breach Requirements

When a data breach has occurred, organizations are required to assess the severity of the potential or actual impact on individuals as a result of the breach. If it is likely that there will be a risk to an individual's rights and freedoms, organizations must notify the breach to the Information Commissioner's Office without undue delay and no later than 72 hours after having become aware of the breach.

The report to the ICO must include the following information:

  • The nature of the personal data breach including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records concerned;
  • Name and contact details of the DPO, or of another contact point from which more information can be obtained;
  • Likely consequences of the data breach;
  • Description of all measures taken since the data breach to mitigate its effects.

Where the notification is made later than 72 hours after the controller became aware of the breach, it must be accompanied by the reasons for the delay. A breach that is unlikely to result in a risk to individuals need not be notified to the ICO, but the controller must still document it internally.

If the data breach is likely to present a “high risk” to the rights and freedoms of individuals, the data controller must inform the data subjects of such without undue delay.

The communication must include the following:

  • The nature of the breach in clear and plain language;
  • Name and contact details of the DPO or another contact point;
  • Likely consequences of the data breach;
  • Description of all measures taken since the data breach to mitigate its effects.

Data processors are also required to notify personal data breaches to data controllers without undue delay after becoming aware of the personal data breach.

e. Data Protection Officer Requirement

A controller or processor must designate a Data Protection Officer (DPO) where it is a public authority (other than a court acting in its judicial capacity), where its core activities involve regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special category data or criminal offence data. Other organizations may appoint a DPO voluntarily.

The designated DPO must have:

  • Expert knowledge of data protection law and practice;
  • The ability to perform the tasks assigned to a DPO, which include informing and advising the organization, monitoring its compliance with the data protection framework, and acting as the contact point for the ICO and for data subjects.

f. Data Protection Impact Assessment

Where a processing activity is likely to result in a high risk to the rights and freedoms of individuals, for example large-scale processing of special category data or systematic monitoring of a publicly accessible area, the controller must carry out a data protection impact assessment (DPIA) before the processing begins. Processors must assist with it. Where the DPIA shows a high residual risk that cannot be mitigated, the controller must consult the ICO before proceeding.

The DPIA must include the following:

  • A systematic description of the envisaged processing operations and their purposes;
  • An assessment of the necessity and proportionality of the processing in relation to those purposes;
  • An assessment of the risks to data subjects' rights and freedoms;
  • The measures envisaged to address those risks, including the safeguards, security measures, and mechanisms that will protect personal data.

g. Record of Processing Activities

Controllers and processors must maintain a written record of their processing activities and make it available to the ICO on request.

The record must describe, among other things, the purposes of the processing, the categories of data subjects and of personal data, the recipients of the data, any transfers to third countries and the safeguards relied on, the envisaged retention periods, and a general description of the security measures in place. Organizations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to individuals, is not occasional, or involves special category or criminal offence data.

h. Cross Border Data Transfer Requirements

Personal data may be transferred outside the United Kingdom only if one of the following applies:

  • Adequacy regulations made by the Secretary of State recognize that the destination country, territory, sector, or international organization ensures an adequate level of protection;
  • Binding corporate rules approved by the ICO are in place;
  • An international data transfer agreement (IDTA) or other transfer clauses approved by the ICO are in place;
  • The recipient holds an approved certification and has given binding and enforceable commitments to apply the appropriate safeguards;
  • The recipient has signed up to an approved code of conduct and has given binding and enforceable commitments to apply the appropriate safeguards;
  • A legally binding instrument, or approved administrative arrangements, exist between public authorities or bodies.

In the absence of adequacy regulations or an appropriate safeguard, a transfer may still take place under one of the following exceptions. These are intended for specific, exceptional situations and cannot be used to justify routine or repeated transfers:

  • The data subject has explicitly consented to the transfer, having been informed of the risks;
  • The transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual steps taken at the data subject's request;
  • The transfer is necessary for a contract made in the interests of the data subject between the controller and another person;
  • The transfer is necessary for important reasons of public interest;
  • The transfer is necessary for the establishment, exercise, or defense of legal claims;
  • The transfer is necessary to protect the vital interests of the data subject or another person who is incapable of giving consent;
  • The transfer is made from a public register;
  • The transfer is necessary for the controller's compelling legitimate interests, is not repetitive, concerns only a limited number of data subjects, and is made with suitable safeguards; in this case the controller must inform the ICO of the transfer.

The Secretary of State may make regulations specifying which third countries, territories, sectors, or international organizations ensure an adequate level of protection; the European Economic Area countries are currently treated as adequate. In 2022 the Secretary of State laid before Parliament the international data transfer agreement (IDTA) and the UK addendum to the EU's 2021 Standard Contractual Clauses, which replaced the old EU SCCs as the standard safeguard for restricted transfers from the UK.

3. Data Subject Rights

Below are the rights that data subjects enjoy under the DPA and the UK GDPR. Most are exercised by making a request to the controller, which must normally respond within one month (extendable by two further months for complex or numerous requests). Each right is subject to conditions and to the exemptions discussed at the end of this section.

a. Right to be Informed

All data subjects have a right to be informed about the collection and use of their personal data. Controllers must provide this information proactively, in concise, easily accessible, and plain language, normally through a privacy notice. The information to be provided includes:

  • The identity and contact details of the controller (and, where applicable, its representative);
  • The contact details of the data protection officer, where one has been designated;
  • The purposes of the processing and the lawful basis relied on, including the legitimate interests pursued where that is the basis;
  • The recipients or categories of recipients of the personal data;
  • Whether the data will be transferred to a third country or international organization, and the safeguards relied on;
  • The retention period, or the criteria used to determine it;
  • The rights available to data subjects, such as access, rectification, erasure, restriction, portability, and objection, including the right to withdraw consent;
  • The right to lodge a complaint with the ICO;
  • Whether providing the personal data is a statutory or contractual requirement, and the consequences of not providing it;
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

b. Right of Access

All data subjects have the right to obtain confirmation of whether their personal data is being processed and, if so, to access that data together with the following information:

  • The purposes of the processing;
  • The categories of personal data concerned;
  • The envisaged retention period, or the criteria used to determine it;
  • The recipients or categories of recipients to whom the data has been or will be disclosed;
  • The source of the data, where it was not collected from the data subject;
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Where personal data is transferred to a third country or an international organization, the data subject must also be informed of the safeguards relied on. Data subjects are entitled to a copy of the personal data undergoing processing, free of charge in most cases.

Schedule 2 of the DPA 2018 introduces a number of exemptions from the right of access. Personal data processed for crime and taxation purposes (the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax, duty, or similar imposition) is exempt to the extent that granting access would prejudice those purposes. Further exemptions cover information subject to legal professional privilege, functions designed to protect the public, regulatory functions relating to legal services, the health service, and children's services, and certain health, social work, education, child abuse, and academic data.

c. Right of Rectification

All data subjects have the right to have inaccurate personal data about them rectified and, taking into account the purposes of the processing, to have incomplete personal data completed.

d. Right of Erasure

All data subjects have the right to have their personal data erased and further processing stopped. A data subject can exercise this right in the following circumstances:

  • The data is no longer necessary for the purposes for which it was collected;
  • The data subject has withdrawn consent and there is no other lawful basis for the processing;
  • The data subject has objected to the processing and there are no overriding legitimate grounds for continuing it;
  • The data was unlawfully processed;
  • The data must be erased to comply with a legal obligation to which the controller is subject.

The right is not absolute: it does not apply where the processing is necessary, for example, for exercising the right of freedom of expression, for compliance with a legal obligation, or for the establishment, exercise, or defense of legal claims.

e. Right of Data Portability

All data subjects have the right to receive the personal data they have provided to a controller in a structured, commonly used, and machine-readable format, and to transmit it to another controller without hindrance, as long as:

  • The processing is based on the data subject's consent or on a contract with the data subject; and
  • The processing is carried out by automated means.

f. Right to Object

All data subjects have the right to object to the processing of their personal data where the processing is based on the public task or legitimate interests basis. The controller must then stop the processing unless it can demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or the processing is needed for legal claims. Where personal data is processed for direct marketing, the right to object is absolute and the processing must stop as soon as the objection is received. Data subjects may also object to processing for scientific or historical research or statistical purposes, unless the processing is necessary for a task carried out in the public interest.

g. Right to Restriction of Processing

All data subjects can require the controller to restrict the processing of their personal data in the following cases:

  • The data subject contests the accuracy of the data, for the period needed to verify it;
  • The processing is unlawful, but the data subject requests restriction rather than erasure;
  • The controller no longer needs the data, but the data subject needs it for the establishment, exercise, or defense of legal claims;
  • The data subject has objected to the processing, pending verification of whether the controller's legitimate grounds override the data subject's.

While processing is restricted, the controller may store the data but may otherwise process it only with the data subject's consent, for legal claims, to protect the rights of another person, or for important reasons of public interest. The data subject must be informed before a restriction is lifted.

h. Automated Individual Decision-Making

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them.

This right does not apply where the decision:

  • Is based on the data subject's explicit consent;
  • Is authorized by domestic law, subject to the safeguards in section 14 of the DPA 2018 (the individual must be notified and may request reconsideration or a new decision that is not based solely on automated processing);
  • Is necessary for entering into, or performing, a contract between the data subject and the controller.

In the first and third cases the controller must still provide safeguards, including the right to obtain human intervention, to express a point of view, and to contest the decision.

i. Notification Obligation Regarding Rectification/Erasure of Personal Data

Where a data subject has obtained rectification, erasure, or restriction of processing, the controller must communicate this to each recipient to whom the personal data has been disclosed, and must inform the data subject about those recipients on request.

However, the data processor or data controller is exempt from making such a communication if it proves impossible or would require a disproportionate effort.

Lastly, the DPA 2018 contains exemptions from data subjects' rights. These exemptions are not blanket: each applies only to the extent that complying with the right would prejudice the purpose in question. The purposes include:

  • the prevention or detection of crime,
  • the apprehension or prosecution of offenders,
  • the assessment or collection of a tax, duty, or similar imposition,
  • the maintenance of effective immigration control,
  • safeguarding national security or defense,
  • other functions designed to protect the public, and regulatory functions.

4. Regulatory Authority

The Information Commissioner's Office (ICO) is the independent regulatory authority for the UK GDPR and the DPA 2018 in the United Kingdom. It holds investigative, corrective, authorization, and advisory powers, including the power to issue information, assessment, enforcement, and penalty notices.

Among the ICO's responsibilities are advising Parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights in the processing of personal data. The ICO must also lay an annual report before Parliament covering its activities, including the types of infringement notified and the measures taken.

The ICO is also responsible for promoting public awareness and understanding of the risks, rules, safeguards, and rights in relation to processing, and for raising controllers' and processors' awareness of their obligations. It must handle complaints lodged by data subjects, adopt standard data protection clauses, and maintain a public register of certification mechanisms and data protection seals and marks.

Furthermore, the ICO also has the power to issue, per its own initiative or on request, opinions related to the protection of personal data to the Parliament, the government, other institutions, and bodies, as well as the general public.

The ICO is also responsible for preparing a code of practice meant to provide practical guidelines related to sharing personal data per data protection legislation’s requirements.

5. Penalties for Non-compliance

In the event of an infringement, or of non-compliance with an information, assessment, or enforcement notice, the ICO may issue a penalty notice imposing an administrative fine on an organization or a person. In deciding whether to impose a fine and its amount, the ICO takes various factors into account, including:

  • The nature, gravity, and duration of the infringement, and whether it was intentional or negligent;
  • The categories of personal data affected;
  • The degree of responsibility of the controller or processor, taking into account the measures it had implemented;
  • Actions taken by the controller or processor to mitigate the harm suffered by data subjects, including the extent of cooperation with the ICO;
  • Any relevant previous infringements by the controller or processor;
  • Adherence to approved codes of conduct or certification mechanisms.

The standard maximum amount of penalty that can be imposed is £8,700,000 or 2% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher. This penalty is generally imposed in case there is an infringement of obligations of the

  • Controller or processor
  • Certification body
  • Monitoring body

The higher amount of penalty is £17,500,000 or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher. This penalty is generally imposed when the following are not dealt with as prescribed by the UK GDPR and DPA 2018:

  • The basic principles for processing, including conditions for consent;
  • Data subject rights;
  • The transfers of personal data to a recipient in a third country or an international organization;
  • Non-compliance with an order of the ICO.

6. How an Organization Can Operationalize the Law

The GDPR often comes across as an intimidating piece of legislation for most organizations since it places so many responsibilities on them while detailing them down to the minute details. The fact that the DPA is supposed to be read alongside the UK GDPR makes compliance for organizations in the UK all the more complicated.

However, it doesn’t necessarily have to be so. An effective way to initiate compliance efforts can be to lay the proper foundations. Some steps that can help tremendously in that regard include the following:

  • Make sure your privacy policy is easily understandable and communicates all your obligations and data subject rights effectively;
  • Hire a DPO that is well-versed in both the UK GDPR and the DPA to ensure your compliance efforts are up-to-par;
  • Ensure all the company's employees and staff are acutely aware of their responsibilities under the law;
  • Conduct regular data protection impact assessments for high-risk data processing activities as well as data mapping exercises to ensure maximum efficiency in your compliance efforts;
  • Implement robust vendor due diligence processes for third-party processors and other agents;
  • Notify the regulatory authority and impacted data subjects in case of a personal data breach without undue delay;
  • Ensure data subjects' rights fulfillment;
  • Ensure adequate consent management by obtaining consent as per the applicable requirements and maintaining consent records.

7. How Can Securiti Help

The GDPR remains a formidable piece of data protection legislation. Despite what its detractors might say, it managed to strike the perfect balance between ensuring user privacy and giving organizations enough leeway to appropriately market their products/services to their desired customers.

The UK is a unique case since, despite no longer being part of the EU, its primary data protection statute, the Data Protection Act 2018, must be read alongside the UK GDPR. For organizations hoping to achieve complete compliance with the UK's data protection framework, this can pose a challenge.

Securiti aims to alleviate that issue.

Securiti has built a reputation in the privacy industry by providing enterprises with reliable data compliance and governance solutions. These solutions include DSR automation, cookie management, vendor risk assessments, and data mapping.

Request a demo today and learn more about how Securiti can aid your data compliance efforts in the UK.
