On 23 May 2018, the Data Protection Act 2018 (DPA) received royal assent and became UK law. The DPA implements the EU’s General Data Protection Regulation (GDPR), while providing for certain permitted derogations, additions and UK-specific provisions. The DPA also:
- Repeals and replaces the previous Data Protection Act 1998 (the 1998 Act) as the primary piece of data protection legislation in the UK
- Is designed to ensure that UK and EU data protection regimes are aligned post-Brexit
- Implements the EU Law Enforcement Directive, establishing rules on the processing of personal data by law enforcement agencies and intelligence services
This blog looks at key issues of interest in the DPA relating to liability, compliance and enforcement.
Under the GDPR, EU Member States have the freedom to apply certain exemptions or to provide their own national rules for certain types of personal data processing. The DPA creates additional data protection offences and sets out further detail on the powers and enforcement abilities of the Information Commissioner’s Office (ICO).
UK-specific data protection offences include:
- Knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, or procuring such disclosure, or retaining data obtained without consent.
- Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed.
- Where an access or data portability request has been received, obstructing the provision of information that an individual would be entitled to receive.
- Taking steps, knowingly or recklessly, to re-identify information that has been “de-identified” (although this action can be defended when it is justified in the public interest).
- Knowingly or recklessly processing personal data that has been re-identified (which is a separate offence), without the consent of the controller responsible for the de-identification.