Data Protection Act 2018
The Data Protection Act 2018 was passed on 23 May 2018 and replaces the Data Protection Act 1998.
The Information Commissioner has published a Guide to Data Protection, combining the existing guidance on the GDPR and law enforcement regimes with new guidance explaining some basic concepts, how the DPA 2018 works, and which regime applies. Reference should be made to the ICO's guidance for a more detailed explanation of how the DPA 2018 works, and of the alternative regimes.
The printed version of the Act itself is 353 pages, and relevant provisions are not easy to locate. Some of the sections of the Act (in particular in Parts 3 and 4) are expressed in what appears to be general language, but in fact only apply in specific circumstances, such as law enforcement and processing by the intelligence services.
Sections 3 to 20 of the Data Protection Act 2018 contain modifications to the GDPR in respect of matters to which the GDPR applies. Sections 10 and 15 of the Act provide for a number of modifications to and exemptions from the GDPR which are set out in Schedules 1 to 4 of the Act.
You can use this website's Search page to find relevant GDPR Articles and to display, on the same web page, exemptions from and modifications to those Articles which are contained in the UK's Data Protection Act 2018. You will also see links to the ICO's guidance on those Articles.
The Act contains the following overview in section 1:
"(1) This Act makes provision about the processing of personal data.
(2) Most processing of personal data is subject to the GDPR.
(3) Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
(4) Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
(5) Part 4 makes provision about the processing of personal data by the intelligence services.
(6) Part 5 makes provision about the Information Commissioner.
(7) Part 6 makes provision about the enforcement of the data protection legislation.
(8) Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament."
A brief summary of the Act may help the reader to find relevant provisions in the Act.
- Part 1 Preliminary - contains an overview and definitions.
- Part 2 General processing - deals with processing of data otherwise than for law enforcement purposes (Part 3) and by the Intelligence Services (Part 4). See below in relation to DPA Parts 3 and 4. Part 2 is the most important Part of the Act for businesses.
  - Chapters 1 and 2 contain definitions, and sections which modify the GDPR, provide additional lawful grounds for processing, and exemptions from the GDPR. There are minor differences in the definitions of certain terms (sections 3 and 6).
  - Section 9 changes the age of consent for a child from 16 years to 13 years.
  - Section 10 provides for additional grounds for processing Special categories of personal data and criminal convictions etc data (Article 10). These additional grounds are set out in Schedule 1. These categories of personal data were referred to in the Data Protection Act 1998 as "Sensitive personal data". See Article 9 and Article 10 for those Articles and the additional grounds.
  - Sections 12-14 deal with rights of the data subject, in relation to limits on fees that may be charged by controllers, obligations of credit reference agencies, and automated decision-making authorised by law.
  - Section 15 provides for restrictions on data subjects' rights. These are contained in Schedules 2 to 4. The restrictions include exemptions which go beyond the exemptions set out in the GDPR itself, and include exemptions from Articles 5 to 11, 13 to 21, 34, 36, 60-62 and 63-67. These exemptions are listed under Article 6, Article 23, Article 85 and Article 89.
  - Section 16 contains power to make further exemptions etc by regulations.
  - Section 17 deals with accreditation of certification providers.
  - Section 18 deals with power to make regulations in relation to transfers of personal data to third countries.
  - Section 19 deals with processing for archiving, research and statistical purposes: safeguards.
  - Section 20 contains a definition of "court".
  - Chapter 3 of Part 2 deals with the following types of processing which are not subject to EU law:
    (1) the automated or structured processing of personal data in the course of—
      (a) an activity which is outside the scope of European Union law, or
      (b) an activity which falls within the scope of Article 2(2)(b) of the GDPR (common foreign and security policy activities),
    provided that the processing is not processing by a competent authority for any of the law enforcement purposes (as defined in Part 3) or processing to which Part 4 (intelligence services processing) applies.
    (2) the manual unstructured processing of personal data held by an FOI public authority.
    Chapter 3 brings the above into a similar regime to the GDPR, referred to as "the applied GDPR". The Department for Digital, Culture, Media and Sport has prepared, for illustrative purposes, a marked-up version of the GDPR (a "Keeling Schedule") to assist the reader of the Act to understand the changes to the General Data Protection Regulation ((EU) 2016/679), which are made by Schedule 6 to the Act (as in force on 25 May 2018), for "the applied GDPR".
    Chapter 3 does not apply to the processing of personal data by an individual in the course of a purely personal or household activity.
- Part 3 deals with processing for law enforcement purposes. The GDPR does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Article 2(1)(d)). This processing is covered by DPA Part 3. Schedule 7 contains the list of "competent authorities", and includes government departments, chief officers of police and other policing bodies, other authorities with investigatory functions, authorities with functions relating to offender management, and other authorities such as the DPP, courts and tribunals. The regime is similar, but not identical, to GDPR.
- Part 4 deals with processing by the Intelligence Services.
- Part 5 deals with the Information Commissioner.
- Part 6 deals with enforcement - information notices, assessment notices, enforcement notices, penalty notices, complaints and offences.
- Section 155(3) sets out the matters to be taken into account when the ICO assesses the amount of a penalty following non-compliance with a notice, in terms similar to GDPR Article 83(2).
- Sections 167-169 set out additional matters relating to claims brought in the courts for compliance orders or for compensation.
- Part 6 also deals with "special purposes proceedings", i.e. legal proceedings against a controller or processor which relate, wholly or partly, to personal data processed for the special purposes and which are proceedings under section 167 (including proceedings on an application under Article 79 of the GDPR), or proceedings under Article 82 of the GDPR or section 169. The "special purposes" are one or more of the following: the purposes of journalism, academic purposes, artistic purposes, literary purposes.
- Part 7 deals with supplementary matters, including
  - representation of data subjects with their authority in relation to complaints and judicial remedies (sections 187 and 188)
  - offences (sections 196 to 200)
  - additional definitions (sections 204 and 205)
  - an index of defined expressions (section 206)
  - the territorial application of the Act (section 207).
- Schedule 1 contains additional grounds for processing Special categories of personal data and Criminal convictions etc. A number of these require an additional document, an "appropriate policy document". The appropriate policy document -
  - explains the controller's procedures for securing compliance with the principles in Article 5 of the GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question,
  - explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, and
  - must give an indication of how long such personal data is likely to be retained.
- Schedule 2 - Exemptions from Articles 5 and 13 to 21 of GDPR; the ICO's guidance on exemptions gives simplified explanations of these exemptions.
- Schedule 3 - Further exemptions from Articles 5 and 13 to 21 of GDPR, relating to health, social work, education and child abuse.
- Schedule 4 - Exemptions etc from the GDPR: disclosure prohibited or restricted by an enactment; the ICO's guidance on exemptions gives simplified explanations of these exemptions.
- Schedule 5 - Accreditation of certification providers: reviews and appeals
- Schedule 6 - The applied GDPR and the applied Chapter 2
- Schedule 7 - Competent authorities
- Schedule 8 - Conditions for sensitive processing under Part 3
- Schedule 9 - Conditions for processing under Part 4
- Schedule 10 - Conditions for sensitive processing under Part 4
- Schedule 11 - Other exemptions under Part 4
- Schedule 12 - The Information Commissioner
- Schedule 13 - Other general functions of the Commissioner
- Schedule 14 - Co-operation and mutual assistance
- Schedule 15 - Powers of entry and inspection
- Schedule 16 - Penalties
- Schedule 17 - Review of processing of personal data for the purposes of journalism
- Schedule 18 - Relevant records
- Schedule 19 - Minor and consequential amendments.
- Schedule 20 - Transitional provision etc
Delegated legislation under the Data Protection Act 2018 can be found listed here.
There is other legislation relevant to marketing: