UK Data Protection Act 2018 Deciphered: Maneuvering Through the Post-GDPR Landscape
A complete guide to decoding the Data Protection Act 2018 and the UK Cookie Rules, ensuring your business’s compliance, and understanding its significant consequences.
What is the UK Data Protection Act 2018?
The UK Data Protection Act 2018 (DPA 2018) is a domestic UK piece of legislation governing personal data use. The Act is the UK implementation of GDPR and was aimed on January 1st, 2021, after Brexit.
It sets out the legal framework for data protection in the country, and it is designed to protect the privacy of individuals and ensure that their personal data is processed in a fair, lawful, and transparent manner. Data must be used in a way that is adequate, relevant, limited, and up-to-date, and stored for only the necessary duration.
It covers various aspects of data protection, including general processing, law enforcement processing, intelligence services processing and enforcement mechanisms, among others.
Who Does the UK Data Protection Act 2018 Apply To?
The UK Data Protection Act 2018 applies to any organization, business, or government entity that processes personal data. The document mentions any ‘controller’ and ‘processor’ that either processes personal data of UK residents or is based in the UK, regardless of whether the processing of personal data takes place in the UK or not. This includes both public and private sector organizations, regardless of their size or the nature of their activities.
In addition, the Information Commissioner’s Office (ICO) is mentioned in the Act but is an independent authority set up to uphold information rights in the public interest, and its powers and responsibilities are set out in separate legislation.
What Does the UK Data Protection Act 2018 Cover?
The UK Data Protection Act 2018 applies to all personal data, which is any information that can be used to identify an individual. This includes not only what is considered as “sensitive information”, but also names, addresses, phone numbers, IP addresses, and even online identifiers and location data.
There is stronger legal protection for more sensitive information, such as race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for identification), health, sex life, or orientation. There are separate safeguards for personal data relating to criminal convictions and offences.
In the context of sensitive personal data, explicit consent is usually required. This means the individual must express consent very clearly and specifically. Silence, pre-ticked boxes, or inactivity does not constitute consent; hence, blanket consent without specifying the exact purpose of the processing is not acceptable.
Furthermore, individuals have the right to withdraw their consent at any time. The process for withdrawing consent should be as easy as giving it. Organizations must inform individuals about their right to withdraw before consent is given.
While explicit consent is a key requirement for processing sensitive personal data, it is not the only legal basis under the UK Data Protection Act 2018. Other conditions include employment, social security and social protection law, vital interests, activities of not-for-profit bodies (non-profit organizations), data made public by the individual, legal claims and judicial acts, substantial public interest, health or social care, public health, and archiving, research and statistics. Each of these conditions has specific requirements and limitations, and not all of them would apply in every situation.
Rules for Processing of Personal Data, Including Obtaining Consent
The UK Data Protection Act 2018 emphasizes the principle of data minimization, which requires that the data collected and processed should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Act also underscores the importance of data accuracy, obligating organizations to ensure that personal data is accurate and, where necessary, kept up to date. Lastly, the Act introduces the principle of accountability, stipulating that the controller is responsible for demonstrating compliance with these principles
Organizations must also ensure that personal data is accurate and up to date, taking reasonable steps to erase or rectify inaccuracies without delay. Furthermore, organizations must guarantee they are not retaining personal data for longer than necessary in relation to the purpose for which they were collected.
Under the UK Data Protection Act 2018, organizations must obtain explicit consent from individuals before processing their personal data, unless there is another lawful basis. This consent must be freely given, specific, informed, and unambiguous, and must be made by a statement or a clear affirmative action. In sensitive personal data, explicit consent is required, and blanket consent without specifying the purpose of processing is unacceptable. Individuals have the right to withdraw consent at any time, and organizations must inform them about their right to withdraw before consent is given.
Beyond this, the UK Data Protection Act 2018 requires the implementation of appropriate security measures, including protection against unlawful or unauthorized data processing, access, accidental loss, destruction, or damage. These measures include encryption and pseudonymization, maintaining ongoing confidentiality, integrity, availability, and resilience of processing systems and services, regularly testing and evaluating the effectiveness of these measures, and restoring availability and access to personal data in the event of a physical or technical incident
Other Key Requirements
In addition to the outlined rules for obtaining consent and processing data, the UK Data Protection Act 2018 also mandates several other key requirements. When processing is likely to result in high risk to individuals’ rights and freedoms, especially when using new technologies, a Data Protection Impact Assessment must be carried out. Certain cases necessitate the designation of a Data Protection Officer, who is responsible for advising on and ensuring compliance with data protection provisions.
The Act also requires immediate communication to the data subject in the event of a personal data breach that poses a high risk to their rights and freedoms. Provisions are also in place for the transfer of personal data to third countries or international organizations under specific conditions. Lastly, the Act includes exemptions from data protection principles and individuals’ rights, particularly when data processing is necessary for crime prevention, offender prosecution, or tax or duty assessment or collection.
Sensitive Information Legal Protection
There is stronger legal protection for more sensitive information, such as race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for identification), health, sex life, or orientation. There are separate safeguards for personal data relating to criminal convictions and offences.
In the context of sensitive personal data, explicit consent is required. This means the individual must express consent very clearly and specifically. Silence, pre-ticked boxes, or inactivity does not constitute consent; hence, blanket consent without specifying the exact purpose of the processing is not acceptable.
Furthermore, individuals have the right to withdraw their consent at any time. The process for withdrawing consent should be as easy as giving it. Organizations must inform individuals about their right to withdraw before consent is given.
The UK Data Protection Act 2018 and the Use of Cookies
When the UK left the EU on January 2020 the laws that govern the use of cookies changed. The UK Data Protection Act 2018 does not explicitly mention cookies or other technologies, such as web beacons, pixels, and local storage, but they are also covered by these rules as they are typically used to process personal data.
Cookies can be used to identify individuals. Therefore, the general principles of the Act apply to the use of cookies. Businesses must inform consumers about the use of cookies and obtain their consent.
In addition, the UK cookie rules apply to any organization that operates an online service and uses cookies. This includes both first-party cookies, which are set by the website the user is visiting, and third-party cookies, which are set by a website other than the one the user is visiting.
What are Cookies and how are they Considered under the UK Data Protection Act 2018?
Cookies are small files that websites store on your computer or device. They enable certain website functionalities and can contain various types of information, including personal data such as your browsing history or preferences.
Under the UK Data Protection Act 2018, cookies can be considered personal data if they can be used to identify an individual, either on their own or in combination with other data.
UK cookie rules are part of the Privacy and Electronic Communications Regulations (PECR) and are designed to protect the privacy of internet users.
Informing Consumers about the Use of Cookies
Organizations must disclose their use of cookies to consumers. This information is usually presented in a clear and accessible way, often through a cookie banner or notice that appears when a user first visits a website. This notice should explain what cookies are, how they are used, and why they are used.
Obtaining Consent and Accessing Cookie Information
Under the UK Data Protection Act 2018, organizations must also get the user’s consent before using non-essential cookies. Consent must be freely and clearly given. Obtaining this informed consent is typically done through an opt-in mechanism on the cookie notice or banner. The consumer must actively agree to the use of cookies, typically by clicking a button or checkbox that indicates their consent.
To comply with the rules, organizations must:
Inform people that cookies are being used.
Explain what the cookies are doing and why.
Obtain the person’s consent to store a cookie on their device.
As long as businesses do this the first time they set cookies, they do not have to repeat it every time the same person visits the website. However, they may need to obtain fresh consent if their use of cookies changes over time.
The same rules also apply if organizations use any other type of technology to store or gain access to information on someone’s device.
Opting out and Exemptions for Cookie Consent
Users should have the means to enable or disable non-essential cookies, and this should be easy to do.
There are two exemptions to obtaining consent for the use of cookies:
1. The cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
2. The cookie is strictly necessary to provide an ‘information society service’ (e.g., a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfill their request – cookies that are helpful or convenient but not essential, or that are only essential for the business’s own purposes, will still require consent.
These rules also apply to similar technologies such as Local Shared Objects (sometimes called Flash cookies) and can also cover other types of technology, including apps on smartphones, tablets, smart TVs, or other devices.
Fines for Non-Compliance
Non-compliance with the UK Data Protection Act 2018 can result in severe penalties, including fines and other financial penalties, restrictions on data sharing with third parties, and even temporary or permanent bans on processing activities. Businesses and organizations that fail to comply with the DPA can face fines of up to £17.5 million or 4% of their global annual turnover, whichever is higher.
This is in line with the enforcement powers of the Information Commissioner’s Office. Non-compliance with the UK cookie rules in the Privacy and Electronic Communications Regulations (PECR) can result in monetary penalties, enforcement notices, and undertakings. The ICO is responsible for enforcing these rules and can issue fines of up to £500,000 for serious breaches.
How to Comply with the UK Data Protection Act 2018?
To comply with the UK Data Protection Act 2018, organizations must:
Understand the data they process: Know what personal data they hold, where it came from, who they share it with, and what they do with it.
Provide clear information: Inform individuals about how their data is used, who it is shared with, and their rights in relation to their data.
Obtain valid consent from individuals before processing their data, unless there is another lawful basis for processing.
Respect individuals' rights to access their data, have it corrected or erased, restrict its processing, and object to its processing.
Implement appropriate security measures (technical and organizational) to protect the data they process.
How to Comply with the UK Cookie Rules?
In addition to the Data Protection Act 2018, organizations also need to comply with the Privacy and Electronic Communications Regulations (PECR), which includes specific rules about the use of cookies.
Here is a concise guide to comply with these rules:
Audit Cookies: Identify all cookies used by your website, their purpose, and the data they collect.
Inform Users: Clearly explain the cookies used, their purpose, and the data they collect before setting any non-essential cookies.
Obtain Consent: Secure informed consent from users before setting non-essential cookies. Consent must be freely given, specific, informed, and unambiguous.
Document Consent: Keep a record of consent and provide an easy way for users to withdraw it.
Ensure Security: Implement measures to safeguard your services and inform subscribers about any significant security risks.
Manage Traffic Data: Erase or anonymize traffic data when no longer required for communication transmission. If used for marketing or value-added services, ensure user consent and store only as long as necessary.
Manage Subscriber Directories: If providing directories, inform subscribers about the directory's purpose and obtain their consent for data inclusion. Allow subscribers to verify, correct, or withdraw their data at no charge.
Manage Direct Marketing: Don't transmit unsolicited communications for direct marketing unless the recipient has consented. If contact details were obtained during a sale or negotiation, you may send marketing emails about similar products or services, provided the recipient can easily refuse.
Provide Direct Marketing Information: When using a service for direct marketing, provide the recipient with the sender's name and a free contact method.
Review Regularly: Regularly reassess your cookies and ensure the information provided to users is accurate and up-to-date.
UK-GDPR and Data Transfers
The UK-GDPR is more or less identical to the “original” EU version, especially regarding consent, cookies, and data processing. The EU adopted an adequacy decision for the UK in 2021, allowing for continued, unrestricted data flow between the EU and UK. At least until 2025, when the EU has to decide whether or not the agreement shall be renewed.
