On 23 May 2018, the Data Protection Act 2018 (DPA) received royal assent and became UK law. The DPA implements the EU’s General Data Protection Regulation (GDPR), while providing for certain permitted derogations, additions and UK-specific provisions. The DPA also:
- Repeals and replaces the previous Data Protection Act 1998 (the 1998 Act) as the primary piece of data protection legislation in the UK
- Is designed to ensure that UK and EU data protection regimes are aligned post-Brexit
- Implements the EU Law Enforcement Directive, establishing rules on the processing of personal data by law enforcement agencies and intelligence services
This blog looks at key issues of interest in the DPA relating to liability, compliance and enforcement.
Under the GDPR, EU Member States have the freedom to apply certain exemptions or provide for their own national rules regarding certain types of personal data processing. The DPA creates additional data protection offences and provides additional detail on the powers and enforcement abilities of the Information Commissioner’s Office (ICO).
UK-specific data protection offences include:
- Knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, or procuring such disclosure, or retaining data obtained without consent.
- Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed.
- Where an access or data portability request has been received, obstructing the provision of information that an individual would be entitled to receive.
- Taking steps, knowingly or recklessly, to re-identify information that has been “de-identified” (although this action can be defended when it is justified in the public interest).
- Knowingly or recklessly processing personal data that has been re-identified (which is a separate offence), without the consent of the controller responsible for the de-identification.
The DPA also provides for the liability (and so potential prosecution) of company directors, managers, secretaries, officers and others, as well as the company itself, where an offence by the company is proved to have been committed with their consent, connivance or neglect. If a company’s affairs are managed by its members, they can be personally prosecuted for their acts or omissions. This replicates the position previously taken under the 1998 Act.
ICO enforcement powers
The ICO’s enforcement powers include several kinds of notices that can be issued against organisations that infringe the DPA:
- Information Notice – to provide the ICO with information that it reasonably requires in order to carry out its functions.
- Assessment Notice – giving the ICO the right to enter business premises, access documents, equipment and other material, observe personal data processing and interview staff as part of its investigations.
- Enforcement Notice – requiring an organisation to take steps specified in the notice, or requiring the organisation to refrain from taking certain steps.
- Penalty Notice – penalising an organisation for non-compliance (including non-compliance with an enforcement notice).
Depending upon the offence committed, an organisation may be liable to a range of fines. In cases relating to the unlawful obtaining and forced disclosure of personal data the courts can order that materials containing personal data be destroyed.
The prosecuting authorities in England, Wales and Northern Ireland are the ICO or the Director of Public Prosecutions. Prosecutions may be brought within a period of six months, beginning from the day the prosecutor first knew of evidence sufficient to bring such proceedings. Proceedings must be brought within three years of the offence being committed.
The penalties in place under the GDPR are incorporated into the DPA. However, under the DPA, UK government ministers have the power to introduce new regulations to stipulate how an organisation’s turnover is to be determined, for the purposes of establishing what level of penalty should be handed down for non-compliance.
The ICO has emphasised that the most severe GDPR enforcement measures will only be used as a last resort. The ICO is seeking intelligent engagement by organisations with the GDPR and the DPA, highlighting that genuine, reasoned and documented attempts to comply should result in lower penalties. For now, it seems that the ICO’s focus is on helping organisations move toward compliance, rather than cracking down on non-compliance immediately.
Organisations can expect further detailed guidance and codes of practice from the ICO. The DPA imposes statutory duties on the ICO to produce a number of new codes of practice in areas such as data sharing, direct marketing, and the processing of personal data by journalists, as well as in relation to age-appropriate design of websites, apps and other “information society services” likely to be accessed by children. The ICO has also stated it will be issuing further detailed guidance on the DPA now that it has come into force.
Ongoing work will be required to ensure organisations are and remain GDPR and DPA compliant. Businesses should monitor developments to see how the ICO exercises its powers and what kind of enforcement strategy it adopts.