There can be few people by now who missed the news that the requirements of the European Union’s General Data Protection Regulation (GDPR) became enforceable on May 25.
For those working in companies and organisations that store the private data of individuals, there are compelling legal reasons why you needed to know.
Consumers were also highly aware of it, chiefly because their inboxes filled up with emails from companies asking them to “opt in” to marketing databases ahead of the deadline so they could continue to receive such emails.
In the background, though, another important piece of legislation came in on the same day in the UK: the Data Protection Act 2018 (DPA 2018). It almost passed unnoticed in the tsunami of GDPR emails, but it’s important to be aware of what it could mean for you and your organisation.
Emma Fox of UK law firm TLT LLP has helpfully pulled out five things you need to know.
It Brexit-proofs GDPR
Says Emma: “It might not be the word on everyone's lips anymore, but Brexit is coming. Whilst the DPA 2018 does not directly transpose the GDPR into UK law post-Brexit – this is the job of the European Union (Withdrawal) Bill – the DPA 2018 assists with that transposition.”
It provides for exemptions
GDPR itself does not describe “exemptions and derogations”, says Emma, because that is left to Member States. DPA 2018 will introduce “broadly similar” exemptions, such as a provision that allows the processing of certain personal data when it comes to offering insurance.
It implements the Law Enforcement Directive in the UK
This is a separate EU law that allows the processing of personal data by law enforcement agencies. Part 3 of the DPA 2018 allows that to be imported into UK law, while Part 4 confers the same rights for use and processing of data by the intelligence services.
It creates additional offences
Existing offences include unlawfully obtaining personal data without the data controller's consent. The DPA 2018 introduces some new offences, including “re-identifying de-identified personal data” and changing or destroying personal data to avoid having to disclose it following a person’s lawful request to see what personal data might be held about them.
It clarifies the role of the Information Commissioner’s Office (ICO)
This ensures that the role of the ICO enshrined in GDPR will be mirrored in UK law via the DPA 2018. It also adds certain obligations such as creating codes of practice. Finally, it sets out the ICO’s rights, such as auditing and requiring disclosure of data and information.
In summary, the DPA 2018 creates the framework by which GDPR will be mirrored in UK law after Brexit, and it creates some additional requirements and provisions with which you will need to become familiar.