What is the UK Data Protection Act 2018?

The UK Data Protection Act 2018 (DPA 2018) is a domestic UK piece of legislation governing the use of personal data. The Act is the UK implementation of GDPR and was amended on January 1st, 2021, after Brexit.
It sets out the legal framework for data protection in the country, and it is designed to protect the privacy of individuals and ensure that their personal data is processed in a fair, lawful, and transparent manner. Data must be used in a way that is adequate, relevant, limited, and up-to-date, and stored for only the necessary duration.
It covers various aspects of data protection, including general processing, law enforcement processing, intelligence services processing and enforcement mechanisms, among others.

Who does the UK Data Protection Act 2018 apply to?

The UK Data Protection Act 2018 applies to any organization, business, or government entity that processes personal data. The Act covers any ‘controller’ or ‘processor’ that either processes the personal data of UK residents or is based in the UK, regardless of whether the processing itself takes place in the UK. This includes both public and private sector organizations, regardless of their size or the nature of their activities.
The Information Commissioner’s Office (ICO) is also mentioned in the Act; it is an independent authority set up to uphold information rights in the public interest, and its powers and responsibilities are set out in separate legislation.

What does the UK Data Protection Act 2018 cover?

The UK Data Protection Act 2018 applies to all personal data, which is any information that can be used to identify an individual. This includes not only what is considered “sensitive information”, but also names, addresses, phone numbers, IP addresses, and even online identifiers and location data.
There is stronger legal protection for more sensitive information, such as race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for identification), health, sex life, or orientation. There are separate safeguards for personal data relating to criminal convictions and offences.
In the context of sensitive personal data, explicit consent is usually required. This means the individual must express consent very clearly and specifically. Silence, pre-ticked boxes, or inactivity does not constitute consent; hence, blanket consent without specifying the exact purpose of the processing is not acceptable.
Furthermore, individuals have the right to withdraw their consent at any time. The process for withdrawing consent should be as easy as giving it. Organizations must inform individuals about their right to withdraw before consent is given.
While explicit consent is a key requirement for processing sensitive personal data, it is not the only legal basis under the UK Data Protection Act 2018. Other conditions include employment, social security and social protection law, vital interests, activities of not-for-profit bodies (non-profit organizations), data made public by the individual, legal claims and judicial acts, substantial public interest, health or social care, public health, and archiving, research and statistics. Each of these conditions has specific requirements and limitations, and not all of them would apply in every situation.

Rules for consent and processing personal data

The UK Data Protection Act 2018 emphasizes the principle of data minimization, which requires that the data collected and processed be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. The Act also underscores the importance of data accuracy, obligating organizations to ensure that personal data is accurate and, where necessary, kept up to date. Lastly, the Act introduces the principle of accountability, stipulating that the controller is responsible for demonstrating compliance with these principles.
Organizations must also ensure that personal data is accurate and up to date, taking reasonable steps to erase or rectify inaccuracies without delay. Furthermore, organizations must guarantee they are not retaining personal data for longer than necessary in relation to the purpose for which they were collected.
Under the UK Data Protection Act 2018, organizations must obtain explicit consent from individuals before processing their personal data, unless there is another lawful basis. This consent must be freely given, specific, informed, and unambiguous, and must be made by a statement or a clear affirmative action. In sensitive personal data, explicit consent is required, and blanket consent without specifying the purpose of processing is unacceptable. Individuals have the right to withdraw consent at any time, and organizations must inform them about their right to withdraw before consent is given.
Beyond this, the UK Data Protection Act 2018 requires the implementation of appropriate security measures, including protection against unlawful or unauthorized data processing, access, accidental loss, destruction, or damage. These measures include encryption and pseudonymization, maintaining the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, regularly testing and evaluating the effectiveness of these measures, and restoring availability and access to personal data in the event of a physical or technical incident.

UK-GDPR and data transfers

The UK-GDPR is more or less identical to the “original” EU version, especially regarding consent, cookies, and data processing. The EU adopted an adequacy decision for the UK in 2021, allowing continued, unrestricted data flow between the EU and the UK, at least until 2025, when the EU has to decide whether or not the agreement shall be renewed.

Other key requirements

In addition to the outlined rules for obtaining consent and processing data, the UK Data Protection Act 2018 also mandates several other key requirements. When processing is likely to result in high risk to individuals’ rights and freedoms, especially when using new technologies, a Data Protection Impact Assessment must be carried out. Certain cases necessitate the designation of a Data Protection Officer, who is responsible for advising on and ensuring compliance with data protection provisions.
The Act also requires immediate communication to the data subject in the event of a personal data breach that poses a high risk to their rights and freedoms. Provisions are also in place for the transfer of personal data to third countries or international organizations under specific conditions. Lastly, the Act includes exemptions from data protection principles and individuals’ rights, particularly when data processing is necessary for crime prevention, offender prosecution, or tax or duty assessment or collection.

The UK Data Protection Act 2018 and the use of cookies

When the UK left the EU in January 2020, the laws that govern the use of cookies changed. The UK Data Protection Act 2018 does not explicitly mention cookies or other technologies, such as web beacons, pixels, and local storage, but they are also covered by these rules, as they are typically used to process personal data.
Cookies can be used to identify individuals. Therefore, the general principles of the Act apply to the use of cookies. Businesses must inform consumers about the use of cookies and obtain their consent.
In addition, the UK cookie rules apply to any organization that operates an online service and uses cookies. This includes both first-party cookies, which are set by the website the user is visiting, and third-party cookies, which are set by a website other than the one the user is visiting.

What are cookies and how are they considered under the UK Data Protection Act 2018?

Cookies are small files that websites store on your computer or device. They enable certain website functionalities and can contain various types of information, including personal data such as your browsing history or preferences.
Under the UK Data Protection Act 2018, cookies can be considered personal data if they can be used to identify an individual, either on their own or in combination with other data.
UK cookie rules are part of the Privacy and Electronic Communications Regulations (PECR) and are designed to protect the privacy of internet users.

Informing consumers about the use of cookies

Organizations must disclose their use of cookies to consumers. This information is usually presented in a clear and accessible way, often through a cookie banner or notice that appears when a user first visits a website. This notice should explain what cookies are, how they are used, and why they are used.

Obtaining consent and accessing information on cookies

Under the UK Data Protection Act 2018, organizations must also get the user’s consent before using non-essential cookies. Consent must be freely and clearly given. Obtaining this informed consent is typically done through an opt-in mechanism on the cookie notice or banner. The consumer must actively agree to the use of cookies, typically by clicking a button or checkbox that indicates their consent.
To comply with the rules, organizations must:
As long as businesses do this the first time they set cookies, they do not have to repeat it every time the same person visits the website. However, they may need to obtain fresh consent if their use of cookies changes over time.
The same rules also apply if organizations use any other type of technology to store or gain access to information on someone’s device.

Opting out and exemptions for cookie consent

Users should have the means to enable or disable non-essential cookies, and this should be easy to do.
There are two exemptions to obtaining consent for the use of cookies:
1. The cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
2. The cookie is strictly necessary to provide an ‘information society service’ (e.g., a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfill their request – cookies that are helpful or convenient but not essential, or that are only essential for the business’s own purposes, will still require consent.
These rules also apply to similar technologies such as Local Shared Objects (sometimes called Flash cookies) and can also cover other types of technology, including apps on smartphones, tablets, smart TVs, or other devices.
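The consent rules above (opt-in only on a clear affirmative action, withdrawal as easy as giving consent, fresh consent when cookie use changes, and the strictly-necessary exemption) can be enforced in code by a small consent gate that every cookie write must pass through. The following is an added illustration, not code from the page or from Cookie Information’s CMP; the class name, category names, and the in-memory Map used as storage are assumptions, and in a browser the record would be persisted in a first-party cookie instead.

```javascript
// Added example: a consent gate modelling the UK cookie rules described above.
// ConsentGate, OPTIONAL_CATEGORIES and COOKIE_POLICY_VERSION are assumed names.
// Storage is an in-memory Map so the example runs offline; a real site would
// persist the record in a first-party cookie or localStorage.

// Bump this whenever the site's use of cookies changes; an older recorded
// version is then treated as no consent and the banner is shown again.
const COOKIE_POLICY_VERSION = 2;

// Categories that need opt-in. 'essential' (strictly necessary) is exempt.
const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

class ConsentGate {
  constructor(store = new Map()) { this.store = store; }

  // Current valid record, or null if none exists or the policy has changed.
  record() {
    const r = this.store.get('consent');
    return r && r.version === COOKIE_POLICY_VERSION ? r : null;
  }

  // Show the banner when there is no valid record. Default state grants
  // nothing: no pre-ticked boxes, and silence is not consent.
  needsBanner() { return this.record() === null; }

  // Call only from a clear affirmative action (e.g. an "Accept" click).
  // Unknown categories are ignored so a tampered request cannot widen consent.
  grant(categories) {
    const granted = categories.filter(c => OPTIONAL_CATEGORIES.includes(c));
    this.store.set('consent', { version: COOKIE_POLICY_VERSION, granted, at: Date.now() });
    return granted;
  }

  // Withdrawal is one call: all optional categories are switched off.
  withdraw() {
    this.store.set('consent', { version: COOKIE_POLICY_VERSION, granted: [], at: Date.now() });
  }

  // Gate to check before setting any cookie or similar storage.
  mayWrite(category) {
    if (category === 'essential') return true; // exempt: strictly necessary
    const r = this.record();
    return r !== null && r.granted.includes(category);
  }
}
```

Wire `mayWrite` in front of every analytics or marketing tag loader, so a tag that runs before the user clicks "Accept" simply finds no consent and does nothing.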

Fines for non-compliance

Non-compliance with the UK Data Protection Act 2018 can result in severe penalties, including fines and other financial penalties, restrictions on data sharing with third parties, and even temporary or permanent bans on processing activities. Businesses and organizations that fail to comply with the DPA can face fines of up to £17.5 million or 4% of their global annual turnover, whichever is higher.
This is in line with the enforcement powers of the Information Commissioner’s Office. Non-compliance with the UK cookie rules in the Privacy and Electronic Communications Regulations (PECR) can result in monetary penalties, enforcement notices, and undertakings. The ICO is responsible for enforcing these rules and can issue fines of up to £500,000 for serious breaches.

How to comply with the UK Data Protection Act 2018?

To comply with the UK Data Protection Act 2018, organizations must:

How to comply with the UK cookie rules?

In addition to the Data Protection Act 2018, organizations also need to comply with the Privacy and Electronic Communications Regulations (PECR), which includes specific rules about the use of cookies.
Here is a concise guide to comply with these rules:

How do I ensure compliance on my website?

A Consent Management Platform (CMP) like Cookie Information’s helps you effortlessly collect and log valid user consents, ensuring compliance with the UK Data Protection Act.

It includes a customizable cookie banner and ready-to-use cookie policy, giving your users clear information to make informed consent choices. With granular consent settings and an intuitive banner widget, users have full control over their preferences at any time. Thanks to its integration with Google consent mode v2, you can still gather valuable insights when users decline cookies. Use these insights to enhance your reporting, optimize attribution, and fine-tune bidding strategies.
With Cookie Information’s CMP, you can safeguard user privacy while maintaining effective marketing performance. Try it free for 14 days—no commitments or hidden fees.