In 2016, the United Kingdom (UK) voted to depart from the European Union (EU), commonly referred to as “Brexit.” This decision had several implications for cybersecurity laws, considering existing EU laws would no longer apply to the UK after Brexit.
The UK Data Protection Act 2018 (DPA 2018) was implemented to establish cybersecurity regulations for the newly independent state. It comprised rules concerning the use of data, responsible handling of data, and the protection of individual rights over their data.
What is The UK Data Protection Act 2018?
The DPA 2018 is a UK law that regulates how personal data is collected, processed, and stored in the UK. The UK Government passed it to provide cybersecurity regulations in the UK post-Brexit. It incorporates most of the EU General Data Protection Regulation (GDPR), an EU cybersecurity law the UK followed while part of the union. The EU GDPR provided a general outline that the UK adapted for its specific needs.
The DPA 2018 places importance on the rights of individuals and their personal data while establishing guidelines for organizations on handling and safeguarding data. Additionally, it contains provisions explicitly tailored to the UK, such as regulations for data processing related to law enforcement and national security.
In summary, the DPA 2018 fulfills three primary purposes for the UK:
- Formally allows the UK to adopt the EU GDPR into its national legislation
- Gives the UK authority to amend and exempt parts of the EU GDPR that may not apply to the UK
- Extends UK data protection regulation to new areas not initially included in the EU GDPR
Data Protection Principles
A significant part of the DPA 2018 is the data protection principles used throughout the legislation. Each section includes these data protection principles and their application to specific entities.
- Lawfulness, Fairness, and Transparency: Personal data must be obtained and processed lawfully and fairly, in the interest of the data subject, and parties must communicate to data subjects what data they process, how, and why.
- Purpose Limitation: Personal data should only be processed for the purpose for which it was originally collected and never reused for other purposes.
- Data Minimisation: Individuals or organizations will not gather more personal data than is needed for their services.
- Accuracy: The personal data being processed must be correct and up to date, and reasonable measures must be taken to ensure that.
- Storage Limitation: Personal data should not be stored once it is no longer needed for the original purpose, and processes must be in place to securely destroy it.
- Integrity and Confidentiality: Personal data must be protected against unauthorized alteration, and processing should only be done by people authorized to access the data.
- Accountability: Data controllers and processors must be held accountable and responsible for their data processing, prioritizing compliance with the DPA 2018.
There are seven main sections in the DPA 2018. Not all apply to every organization, but businesses should review and understand each section to maintain compliance.
- Part 1: Overview of the DPA: The introductory section outlines the purpose and main topic of the DPA 2018, which is all about protecting personal data. It includes definitions of terms used in the act, including defining “personal data,” “processing,” “data subject,” and various other entities outlined throughout the legislation.
- Part 2: General Processing: This section includes two primary purposes. First, it supplements the EU GDPR by adding sections originally left open for EU member state interpretation and implementation. Second, it applies the EU GDPR requirements to specific general processing situations. This section contains more definitions and regulations about data protection for data processing under the EU GDPR and data processing that the EU GDPR does not cover.
- Part 3: Law Enforcement Processing: This section of the DPA 2018 applies to any data processing in a law enforcement environment, utilizing the six data protection principles outlined above. It also includes the rights of the data subject and the roles and obligations of law enforcement data controllers and processors.
- Part 4: Intelligence Services Processing: Part 4 applies specifically to intelligence services, including the Security Service, the Secret Intelligence Service, and the Government Communications Headquarters. Once again, the six principles for data protection are explicitly outlined for data processing within an intelligence services setting, along with the rights of the data subjects. Unique to this section are exemptions from the data protection principles, mainly for situations where national security must be safeguarded.
- Part 5: The Information Commissioner: This section of the DPA 2018 outlines the role of the Information Commissioner, the UK’s national supervisory authority for regulation and oversight of data protection law, who handles enforcement and investigations of non-compliance.
- Part 6: Enforcement: This section explains the process of enforcing the DPA 2018 through information, assessment, and enforcement notices. It also provides guidelines on penalties, appeals, complaints, and court remedies.
- Part 7: Supplementary and Final Provisions: The final section outlines regulations under the act, changes to the data protection convention, and other specific situations dealing with personal data processing. It finishes with the dates on which the act comes into force and the territorial extent of the act.
Brexit’s Impact on Cybersecurity
Brexit significantly impacted cybersecurity across the European Union. When the United Kingdom exited the union, it became a “third country,” a name given to all countries outside the European Economic Area (EEA). Due to this exit, it was no longer required to comply with existing cybersecurity laws in the EU.
EU’s General Data Protection Regulation (GDPR)
Before Brexit, the United Kingdom operated under the General Data Protection Regulation (GDPR). Passed in 2016, the GDPR focuses on data privacy, cybersecurity, and breach management. All EU member states were required to have GDPR compliance. The regulation aims to standardize data protection, protect personal data and privacy, and simplify the regulation processes for international organizations.
When the United Kingdom was a member of the European Union, the GDPR was directly applicable, negating the need for specific UK cybersecurity legislation. However, after voting to leave the EU and during the Brexit transition period, the UK signed various withdrawal agreements with the EU, including a cybersecurity requirement. The EU Withdrawal Agreement specified that the UK would ensure a level of data protection essentially equivalent to that under Union law.
The UK General Data Protection Regulation (UK GDPR)
Along with the DPA 2018, the UK General Data Protection Regulation (UK GDPR) was signed into law. Together, the UK GDPR and the DPA 2018 comprise the United Kingdom's cybersecurity landscape at the end of the transition period.
Think of the UK GDPR as a broad framework for data protection across the United Kingdom. It was modeled after the EU GDPR and provided a domestic law for cybersecurity regulations for the UK post-Brexit. The DPA 2018 expands upon that framework with UK-specific details and exceptions. Together, both are integral to comprehensive data protection across the United Kingdom.
Who Must Comply with The UK Data Protection Act 2018?
The DPA 2018 applies broadly across industry sectors in the United Kingdom. The baseline stipulation is whether your organization handles personal data—including obtaining, processing, storing, or erasing it.
This includes data controllers and data processors, but also any UK business or company (public and private) that uses personal data. Individuals who process personal data, whether independently or in a specific role within a company, must also comply with the DPA 2018.
Penalties for Non-Compliance
There are a variety of penalties for non-compliance with the DPA 2018, ranging from fines to criminal offenses. This includes situations when individuals have suffered damage due to non-compliance, resulting in compliance orders and compensation.
Monetary penalties include lower-tier fines of up to £10 million or upper-tier fines of up to £17.5 million. The Information Commissioner’s Office (ICO), the leading data protection authority in the UK, also has the power to ensure compliance and address non-compliance through various notices that allow it to conduct inspections, carry out audits, or request information.
Criminal offenses outlined in the DPA 2018 include:
- Unlawfully obtaining personal data
- Re-identifying anonymized data
- Altering records to prevent disclosure
- Destroying or falsifying data
- False statements in response to Information Notices
- Requiring a person to produce relevant records, which the Act prohibits
These high-level offenses result in hefty fines determined by the courts.
How to Comply with UK-GDPR & DPA 2018
The UK GDPR requires organizations to follow principles including lawfulness, transparency, data minimization, accuracy, and confidentiality. Data subjects must be informed of their rights, including access, rectification, erasure, and transfer. Security measures must protect personal data, and impact assessments must be conducted for high-risk processing. Data breaches must be reported to the ICO and affected individuals within 72 hours.
To comply with the DPA 2018, organizations need a valid legal basis to handle personal data, such as consent, a contract, a legal obligation, or vital, public, or legitimate interests. The Act has specific guidelines for law enforcement, security, and intelligence data, so those entities must adhere to their requirements. Also, organizations must respect the digital age of consent (13 in the UK), appoint a DPO for public entities, and have audits, training, and policies in place to stay compliant.
The Impact of The UK Data Protection Act 2018
The DPA 2018 reshaped the cybersecurity landscape in the United Kingdom, especially around data protection. Its long-lasting impact emphasizes individual rights, organizational accountability, and aligning legislation with existing cybersecurity laws.
Modernization of UK's Data Protection Laws
Before the DPA 2018, the UK operated under the Data Protection Act 1998. There have been substantial technological advancements between then and now, and the DPA 2018 amends and replaces this previous Act. The DPA 2018 brought legislation up-to-date, especially regarding how personal data is used and processed.
The European Commission even adopted a UK adequacy decision after Brexit, deeming the UK’s data protection laws equivalent to the EU’s and allowing data flow between the two. This eliminates the need for SCCs (standard contractual clauses).
Enhanced Individual Rights
Individuals are given more robust rights under the DPA 2018. This expands upon the rights outlined in the EU GDPR, which covers access, erasure, and portability. The DPA 2018 has given data subjects greater power and control over their data.
Tougher Penalties for Breaches
The DPA 2018 brought about stricter penalties for violating the data protection law, requiring companies to constantly comply with these updated regulations. Non-compliance results in hefty fines, lawsuits, and criminal offenses, depending on the severity of the breach.
Data Processing for Law Enforcement
Law enforcement was impacted by the passage of the DPA 2018, which provided provisions for how it processes personal data. A transparent data protection regime for any data processing relating to crime prevention, investigations, and national security is included.
Provisions for Special Categories of Data
Along with data related to law enforcement, the DPA 2018 also set out more explicit provisions for special categories of data processing. Organizations now require higher protection levels for personal data (including health, genetic, and biometric data) and criminal conviction data throughout their processing procedures.
Accountability and Governance
The DPA 2018 explicitly emphasizes accountability. Organizations must comply with the regulations but also demonstrate their compliance consistently. Most businesses implemented data protection impact assessments, hired Data Protection Officers (DPOs), and improved their internal data protection policies and corporate rules around data processing activities.
Impact on Public Perception
There was already substantial public discourse about Brexit and its resulting implications for existing and new legislation across the UK. The passing of the DPA 2018 helped inform the public about their data protection rights, including what organizations needed to comply with should they obtain and use their data.
Preparation for Brexit
Although this was not the primary purpose of the DPA 2018, the passage of this legislation prepared the United Kingdom for Brexit, ensuring a smooth transition out of EU legislation and into its own. It was one of many laws written and signed during the Brexit transition period, providing frameworks and regulations for operating once the UK was no longer part of the EU.
How UpGuard Helps Businesses Become DPA 2018 Compliant
The DPA 2018 sits alongside a variety of other European cybersecurity laws that protect personal data, provide compliance with best practices, and ensure safety for connected devices. The DPA 2018 was enacted at a unique time when the UK was transitioning out of the EU. However, it still outlines necessary regulations around personal data use that emphasize individuals' rights.
If your organization handles personal data and you want to stay compliant with the DPA 2018, we can help. UpGuard BreachSight helps your organization understand the risks impacting its external security posture and ensures that your assets are continuously monitored and protected, including personal data. Continuous monitoring, data leak protection, shared security profiles, and insight reports are just a few highlights of this all-in-one platform.