Data Protection Act 2018 (DPA)
The UK has implemented the DPA 2018, which replaces the DPA 1998 and came into effect on 25th May 2018. It tailors how the GDPR applies in the UK.
It provides a number of exemptions, some of which cover the processing of personal data:
- for law enforcement reasons
- in the interest of national security and defence
- in relation to immigration
- for the purposes of freedom of expression
Key Sections – DPA
Any organisation processing personal data should consider the following key sections:
- Sections 1-20
- Schedule 1 (Processing of Special Categories of Personal Data)
- Schedules 2-4 (List the Exemptions)
Some of the Key Differences – GDPR & DPA
Age of Consent of a Child
Under the GDPR, the age of consent is 16 years.
Under the DPA, the age of consent is 13 years.
Processing of Criminal Data
The GDPR makes it clear that those who process personal data which is ‘Criminal Data’ must have official authority. The DPA does not require this.
Automated decision making or processing
The DPA allows individuals to be subject to automated decision making or profiling if the organisation can establish that legitimate grounds exist, provided that there are safeguards present to protect the rights and freedoms of individuals. The GDPR makes it clear that this is not possible.
Data Subject Rights
The GDPR ensures that individuals have rights and that those rights can always be exercised. The DPA 2018 restricts the exercise of such rights where it would have a serious impact on the organisation’s ability to carry out its functions when processing personal data. Examples include processing for archiving, historical or statistical purposes.
Brexit
The GDPR is governed by the Court of Justice of the European Union. If the UK leaves the European Union, the DPA will be governed solely by the UK justice system.