Data Protection Act 2018 (DPA 2018)

What is the Data Protection Act 2018 (DPA 2018)?

The Data Protection Act 2018 (DPA 2018) is a legislative framework in the United Kingdom governing the processing of personal data. Enacted in 2018, it superseded the Data Protection Act 1998 and serves as the U.K.'s implementation of the European Union's General Data Protection Regulation (GDPR).

The DPA 2018 complements the GDPR, ensuring consistency in data protection standards for organizations operating within the U.K. and the European Union. It also establishes rigorous principles organizations must follow when processing personal data. Lastly, the DPA 2018 empowers individuals with control over their personal data.

What are the main points of the Data Protection Act 2018?

The DPA 2018 significantly reshaped the U.K.'s data privacy landscape. Its key goals include the following:

Elevating data protection standards

The DPA 2018 enacts stricter regulations on how organizations handle personal data. This aligns the U.K. with the EU's GDPR, improving consistency across Europe. Organizations must follow these more rigorous principles, including transparency in data usage, processing data only for legitimate purposes and minimizing data collection. In addition, they are required to ensure accuracy and keep information up to date.

Empowering individuals

A core aim of the DPA 2018 is to give individuals greater control over their personal data. The act sets out several essential rights, including the following:

  • Transparency and awareness. Individuals have the right to be informed about how their data is used, by whom and for what purposes.
  • Access and control. People can request access to their personal data held by organizations. This allows them to verify its accuracy.
  • Right to rectification. Individuals have the right to have inaccurate or incomplete information corrected.
  • Right to erasure. Individuals have the right to be forgotten. Under certain conditions, individuals can request that organizations erase their personal data entirely.
  • Restriction and objection. People can restrict or object to how their data is processed in specific situations.
  • Data portability. The act grants individuals the right to obtain and reuse their data for different services, facilitating a switch between providers.

By establishing these rights, the DPA 2018 empowers individuals to make informed decisions about their personal information and hold organizations accountable for their data practices.

What are the 7 principles of the Data Protection Act 2018?

The DPA 2018 builds upon the seven core data protection principles established by the GDPR. These principles act as a compass for organizations navigating the ethical and legal use of personal data. They include the following:

  • Lawfulness, fairness and transparency. This principle emphasizes that personal data must be processed with legitimacy, fairness and openness. Individuals have the right to understand how their data is used. Organizations must be transparent about their data collection practices and purposes, along with the legal basis for processing the data.
  • Purpose limitation. Data collection cannot be a free-for-all. This principle dictates that organizations must clearly define and limit the purposes for which personal data is collected. They cannot use the data for reasons incompatible with these original purposes without explicit consent from the individual.
  • Data minimization. This principle goes hand in hand with purpose limitation. Organizations should only collect data that is strictly necessary to fulfill the specific purpose for which it's collected. Collecting excessive data is not only a privacy concern, but it introduces security risks.
  • Accuracy. Maintaining accurate and up-to-date data is crucial. Inaccurate data leads to unfair decisions and undermines the purpose for which it was collected. The DPA 2018 places the onus on organizations to ensure the accuracy of the personal data they hold. This involves procedures for regular data review and updating, as well as mechanisms for individuals to request corrections.
  • Storage limitation. Organizations shouldn't keep personal data indefinitely. This principle limits data retention to the time frame necessary to achieve the purpose for which it was collected. Once the purpose is fulfilled, data must be deleted or securely anonymized. Establishing clear data retention policies demonstrates an organization's commitment to data protection.
  • Integrity and confidentiality. The security of personal data is paramount. This principle mandates that organizations implement appropriate technical and organizational safeguards to protect personal data from a range of threats. These safeguards mitigate risks such as unauthorized access, accidental loss, damage or destruction.
  • Accountability. This principle emphasizes that the organization determining the purposes and means of processing personal data, also known as the data controller, is ultimately accountable for adhering to all these principles. The DPA 2018 requires data controllers to demonstrate their compliance with these principles, from maintaining comprehensive records of data processing activities to carrying out accurate data protection impact assessments. A data protection officer might be required.

What does the Data Protection Act 2018 make illegal?

The DPA 2018 doesn't explicitly outline illegal activities. Instead, it sets out a framework of principles organizations must follow regarding personal data processing. Breaching these principles can lead to regulatory action by the Information Commissioner's Office, the U.K.'s data protection authority. The following are examples of noncompliance and their potential practical outcomes:

  • A company employee loses their laptop containing unencrypted personal data of customers, such as names, addresses and government ID numbers. This breaches the principle of integrity and confidentiality -- or security -- since the organization has failed to implement appropriate safeguards to protect the data.
  • A fitness app with a weak password policy experiences a data leak, exposing user information such as weight, location and dietary habits. This violates both transparency and purpose limitation since the user is unaware of some of the data collected, how it's secured and its use for unintended purposes.
  • A company accidentally posts a spreadsheet containing employee salaries on social media. This breaches the principles of data minimization and accountability for collecting unnecessary data and failing to govern the data properly.
  • Employees fall victim to a phishing scam, providing login credentials to a hacker who then accesses and steals customer data. Inadequate employee training and insufficient access controls underlie this organization's failures of accountability and of integrity and confidentiality.
  • A company sends out marketing emails to a list of purchased email addresses without obtaining prior consent from the individuals. This violates the lawfulness, fairness and transparency principle because it's unclear how the data is obtained and used.
  • An online service buries data privacy terms within lengthy, complex terms and conditions that most users wouldn't read. This breach of transparency makes it difficult for users to understand how their data is used.

In practice, the ways in which the DPA 2018 can be breached continue to evolve. Organizations must stay informed about best practices and potential risks to ensure compliance.

This was last updated in April 2024