The Data Protection Act 2018 (DPA) has received Royal Assent and came into force on Friday 25 May 2018, repealing the previous Data Protection Act 1998. The Information Commissioner, Elizabeth Denham, has said that the DPA “will put in place one of the final pieces of much needed data protection reform. Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime”.
The new Act has been drafted to ensure that we will be able to exchange personal data freely with the EU after Brexit. The General Data Protection Regulation 2018 (GDPR) is an EU regulation which should be read alongside the DPA. The majority of core principles under the DPA and GDPR are the same; however, the DPA contains tailored provisions for how the law is to be applied specifically within the UK. For example, there are provisions which apply to intelligence services within the UK. There are also provisions which deal with processing in relation to immigration, and with other elements of the GDPR on which UK national law requires expansion.
The new legislation imposes obligations on those who process and control data to be compliant with the law. As of 25 May 2018, data controllers and processors are expected to be, or have proof that they are working towards being, GDPR/DPA compliant. This is particularly important because the DPA has granted the Information Commissioner’s Office (ICO) heightened powers of enforcement. The maximum penalty has been increased in the UK for data breaches and failure to comply. Organisations can now be fined up to £17 million or 4% of their global turnover, whichever is higher. The revision of data protection offences, in comparison to the previous DPA, instils a more contemporary approach to the modern realities of data protection, in the hope that it will deter organisations from being careless or reckless with data. How strict and stringent the ICO will be in exercising its heightened powers, however, remains to be seen.
We have developed a number of useful guides and tools to help you and your business maintain GDPR compliance. If you would like further information regarding this, please contact us.