The Data Protection Act 2018 (DPA 2018) is a principal data privacy law that regulates the processing of the personal information of United Kingdom (UK) individuals. The DPA 2018 is the UK’s implementation of the EU General Data Protection Regulation (GDPR). It went into effect on 25 May 2018 – the same day as the GDPR. It was amended on 01 January 2021, after Brexit.
The DPA 2018 applies to businesses and organizations that either:
- process personal data of data subjects based in the United Kingdom (UK residents);
- are based in the UK, and are the personal data controllers or processors, regardless of whether the data processing takes place in the UK or not.
So, how to comply with the UK Data Protection Act 2018?
How to Comply With the UK Data Protection Act 2018?
Even if your business is based outside the UK, anywhere in the world, you must comply with the DPA 2018 if you collect personal data from UK data subjects. Read this DPA 2018 compliance checklist to ensure your website stays compliant with the DPA 2018.
- Inform users about their personal data processing;
- Describe the users’ rights under the GDPR and inform users how to access and rectify their data;
- Be written in clear and plain language;
- Be available in a concise, transparent, and accessible form.
Obtain consent for collecting data
Like the EU GDPR, the DPA 2018 also requires websites to obtain explicit consent from UK users to collect their personal data. The easiest way to obtain user consent is through the use of a cookie banner.
Consent must be:
- Freely given. Data subjects should be able to refuse to consent or withdraw their consent at any time without any consequences.
- Informed. Data subjects should be informed that their personal data is collected, and for what purposes.
- Specific. Specific consent, separate from other terms and conditions, must be obtained for data processing purposes.
- Unambiguous. Consent must be given through a clear affirmative action; implied consent is not sufficient. This is also called opt-in consent.
Know the data you are holding
Make sure all the personal data you collect is handled in accordance with the Data Protection Act 2018. Find out what data is collected on your website, how it is collected, and where it is stored, shared, and deleted. Separate the categories of data, including sensitive data, and apply the appropriate level of protection to each.
The following DPA 2018 compliance checklist provides the framework that you need to follow to be DPA 2018 compliant:
- What personal data do you already have?
- Does the data include sensitive personal data?
- Do you hold personal data of children below 13 years of age?
- Do you have consent to collect personal data? Where is it stored?
- Why do you collect this data?
- Where is users' personal data stored and for how long?
- How is users' personal data processed?
- Who has access to this data in your business?
- Do any third parties hold the personal data you collected? If yes, how do you control their usage of this data? Do you have any agreements with them?
The DPA 2018 and the UK GDPR define special categories of sensitive personal data, including:
- ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where this is used for identification purposes);
- health data;
- sex life;
- sexual orientation.
Personal data also includes identifiers such as names, email addresses, phone numbers, location data, social media IDs, online identifiers like IP addresses or cookies, payment details, and others, all of which should be securely protected. Separate sensitive personal data and protect it even more strictly.
Respect data subjects' rights
The DPA 2018 is the UK’s implementation of the EU GDPR, so it brings the GDPR into UK law. There are some exceptions to these rights for intelligence and immigration services, but most businesses will not be affected by these exceptions.
Under the GDPR, the users have the following rights:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The rights around automated decision-making and profiling.
Be prepared to respond appropriately if an individual asks about the personal data your business possesses. When you receive a valid request regarding an individual's personal data, you must respond within one calendar month. Normally you may not charge a fee for it.
Follow these three tips to respect data subject rights easily:
- Make a procedure within your business on how to delete old, unnecessary, or inaccurate personal data.
- Provide a possibility for your users to exercise their rights. Preferably, there should be several ways your users can inquire about their personal data, for example via a form on your website, e-mail, or phone.
- Ensure that any personal data you possess is well-organized and can be accessed easily on request.
Lawful Basis Requirements
The DPA 2018 and the GDPR allow the processing of personal data only if your business or organization has at least one of the following six lawful bases for the processing of personal data:
- Consent. Businesses or organizations must obtain the consent of the data subjects to data processing for the specified purpose.
- Performance of a contract. You need the processing of the personal data to fulfill your obligations under a contract with the data subjects, or you want to enter into a contract with them.
- Legal obligation. The processing of personal data is necessary to perform a legal obligation.
- Vital interests. Where an individual is physically or legally incapable of giving consent, and their life or health would be in danger if you failed to process the individual's personal data.
- Public task. The processing of personal data is necessary for the performance of a task in the public interest or you are exercising official authority to carry out a public task.
- Legitimate interests. The processing is necessary for the controller’s legitimate interests after you've weighed the benefits of doing so against the risk to the individual's privacy.
Every time you process the personal data of a data subject, you need to have a record of your lawful basis for doing so.
Create a Data Protection Policy
Creating a Data Protection Policy will guide your employees to understand the law, respond appropriately if an individual asks about their personal data, and prevent data breaches.
Frequently Asked Questions
What is the Data Protection Act 2018?
The Data Protection Act 2018 (DPA 2018) is a principal data privacy law that regulates the processing of the personal information of UK residents. It is the UK’s implementation of the EU General Data Protection Regulation (GDPR). The GDPR has been implemented into English law as the UK GDPR, so the DPA 2018 and the UK GDPR should be read together.
How to comply with the Data Protection Act 2018?
Who does the UK Data Protection Act 2018 apply to?
Who does the UK GDPR apply to?
What are the lawful basis requirements under the DPA 2018 for the processing of personal data?
Businesses or organizations must have at least one of the following lawful bases for the processing of personal data: consent, the performance of a contract, legal obligation, vital interests, public task, or legitimate interests. Try CookieScript to be compliant with the DPA 2018 and other privacy laws.