February 21, 2022

UK Data Protection Act 2018: What Do You Need to Know?

The United Kingdom Data Protection Act 2018 (UK DPA 2018) is the primary data protection law of the UK. Learn about the legislation's 7 Principles and more in this article.

The United Kingdom Data Protection Act 2018 (UK DPA 2018) is the primary data protection law of the UK. It lays the foundations for protecting personal data collected by UK businesses or UK citizens’ data processed by anyone globally.

Non-compliance with the UK DPA 2018 leads to penalties. However, that’s not the only data protection law in the UK.

You have to comply with two other laws: the UK GDPR and the Privacy and Electronic Communication Regulations (PECR). The three of them create a comprehensive legal framework for data protection.


The UK DPA was passed back in 2018 to align the national legislation of the United Kingdom with the GDPR.

Back then, the UK was still part of the European Union. When the EU passes a regulation, it applies directly in every member state as national law. Still, member states also align their own legislation with the regulation, and that is why the UK DPA 2018 was passed. The GDPR applied at the same time as the UK DPA.

In 2020 the United Kingdom left the European Union. Therefore the GDPR ceased to apply in the UK. That made the UK a third country for the GDPR, and the EU-UK data transfers became transfers to third countries. As a result, the UK GDPR was passed. It came into effect in February 2021.

Long before these two laws, back in 2003, UK legislators passed the Privacy and Electronic Communication Regulations (PECR). This law aligned UK legislation with the ePrivacy Directive of the European Union.

The PECR regulates what has been controlled with the ePrivacy Directive - primarily the use of cookies, direct marketing, and security of electronic communication.

The UK DPA and the UK GDPR, on the other hand, are way more comprehensive. They are fully aligned with the GDPR of the EU and prescribe a significant set of requirements that every business to which they apply has to implement.

Who Needs to Comply with the UK Data Protection Act 2018

Businesses and individuals that operate from the United Kingdom or collect and process personal data of UK citizens have to comply with the UK DPA 2018.

Simply put, this means that:

  • If you are a UK company or a UK individual, you have to comply with the UK DPA at all times, or
  • If you are a foreign company or a foreign individual, you have to comply with the UK DPA if (i) you offer goods or services to data subjects in the UK and (ii) you monitor data subjects’ behavior in the UK.

The law does not discriminate based on company size. Every entity or person that collects and processes other people’s data has to comply with it and meet the requirements it prescribes.

The UK DPA requirements are the same as the GDPR requirements. To understand these requirements better, you first need to understand the seven principles of the UK DPA.

The 7 Principles of the UK Data Protection Act 2018

The UK DPA relies on seven principles to ensure the comprehensive protection of personal data. The seven principles of the UK DPA are:

  1. Lawfulness, fairness, and transparency. This principle is made of three interconnected principles. Its requirements are as follows:
  • There must be a legal basis for collecting and processing personal data. In most cases, this means obtaining the user’s explicit consent for processing their data.
  • There must not be any violation of any other data privacy law in the process of handling personal data.
  • The processing must be fair, which means that it must not be misleading. You have to inform the user about your privacy practices.
  • The transparency principle also requires you to inform the user what you do with their personal data. In practice, you can do this by providing them with an up-to-date privacy policy and cookie policy.
  2. Purpose limitation. Purpose limitation means that you may process the data only for the purposes it was collected for. If you collected personal data for website analytics purposes, you must not process it for marketing purposes. In practice, this means that if you process personal data with Google Analytics, you must not process that data with the Google remarketing features. You need separate consent for that purpose because the purpose of the collected data is limited to analytics. That’s what purpose limitation means - you process the collected data only for the purposes it was collected for and for nothing else.
  3. Data minimization. You need to process only the minimum amount of data necessary for your processing purpose. For example, if you need your customer’s email address to communicate discounts to them, you do not need to collect their phone number and home address. You need just the email address. That’s the minimum amount of data you need to communicate with them; therefore, you should not collect other personal data.
  4. Accuracy. You are responsible for the accuracy of your data. It needs to be up-to-date and not misleading in any way. If you discover that it is inaccurate, or a data subject points that out, you have to correct it.
  5. Storage limitation. You cannot store personal data indefinitely. It is OK to keep it as long as you need it, but there is no need to store it for longer than that.

Keep in mind that there is no good reason to store other people’s personal data longer than you need it. If you are no longer using it to get insights that serve your business, the stored data poses only a risk for you. There are two options - it just sits on the servers or it gets breached. Neither serves your business. Therefore, delete the data you don’t need anymore.

Even better, set a data retention period for each category of personal data you process. After the expiry of that period, delete the data.

  6. Integrity and confidentiality. The data you collect and process must be safe and secure. Businesses that need to comply with the UK DPA 2018 have to implement technical and organizational measures to ensure that the data is out of reach of unauthorized persons and organizations.
  7. Accountability. This principle requires you to take responsibility for what you do with users’ personal data. You are held accountable in two ways: 1) to your users, by responding to their data subject requests, and 2) to the data protection authorities, by keeping records of your processing activities and providing them with the records upon request.

What Does UK DPA Mean for Businesses?

The UK DPA 2018, the UK GDPR, and the PECR set requirements that every business must meet to comply with the law and avoid penalties.

The laws require a proactive approach: preventing unwanted outcomes before they happen. Implementing the seven UK DPA principles in your day-to-day operations will let you control most of the risks associated with data processing.

In practice, you need to:

  • Know your purposes of data processing. Self-explanatory. When you collect and process any personal data, you should know why you do that.
  • Know your legal basis for processing. Only processing with a proper legal basis is valid. Otherwise, it is unlawful and leads to penalties. Ensure that you have a legal basis for each collection and processing of personal data.
  • Obtain the user’s explicit consent for the collection of data. That’s the most common legal basis for processing. Also, ensure that the consent is explicit, informed, specific, freely given, and unambiguous. Otherwise, it is invalid.
  • Keep records of consents. Data protection authorities may ask for the records during supervision of your activities.
  • Process only what is necessary. Processing more data than you need is against the law. Stick to the minimum amount of data.
  • Do not keep personal data for longer than necessary. As explained above, data you don’t need is only a liability for your business. It brings risks without any benefits.
  • Provide users with a privacy policy and a cookie policy. You can merge the two into one single policy. The privacy policy ensures transparency to your users. However, not all privacy policies are created equal.

    When you create one to comply with the UK DPA, it must contain a minimum set of elements, including the processing purposes, categories of processed data, processing methods, data subject rights, information on international data transfers, etc.

  • Ensure that your international data transfers are lawful. Transferring personal data to countries or organizations that do not provide sufficient data protection is risky; hence the law sets requirements for such transfers. Make sure that the countries you transfer data to are safe for processing.
  • Respond promptly and properly to data subject requests. Data subjects have rights under the UK DPA 2018. These are the same rights they have under the UK GDPR. When a data subject approaches your company with a request related to their personal data, you have no choice but to respond.

Finally, make sure that you know your data flow. Determine how the data flows into your business, moves around the servers of various processors and subprocessors, all the way until it gets deleted from your servers. That will give you an overview of the data-related processes in your company and an idea of what to do for compliance.

In the case of violations, the UK DPA and the UK GDPR penalties have an upper cap of GBP 17.5 Million or 4% of the annual turnover, whichever is greater.

You can read about the Swiss Federal Data Protection Act.

How Secure Privacy Can Help You Comply with the UK Data Protection Act 2018?

Secure Privacy provides you with a comprehensive SaaS to comply with the UK Data Protection Act. It includes a cookie banner (see the ICO Cookie Guidelines) for obtaining lawful consent, records of consent, a privacy policy and cookie policy generator, a data subject request form, and other features.