The Data Protection Act 2018 (353-page / 1.35MB PDF) replaces the previous Data Protection Act that had been in place since 1998 and will supplement major reforms to data protection laws that are contained in the General Data Protection Regulation (GDPR).
The GDPR is EU legislation that has direct effect in the UK and in other EU member states and will also apply from 25 May. The new Data Protection Act contains provisions which will allow for the continuation of the GDPR in the UK post-Brexit. It also implements the EU Law Enforcement Directive, setting rules on the processing of personal data by law enforcement agencies and intelligence services.
Under the GDPR, EU countries have the freedom to apply certain exemptions or provide for their own national rules in relation to certain types of personal data processing. In this regard, the new UK Data Protection Act contains special rules regarding the processing of personal data for journalistic purposes and in the areas of employment, health and research.
The GDPR also sets out new powers that allow data protection authorities to conduct mandatory data protection audits of businesses. The scope for the UK's Information Commissioner's Office (ICO) to exercise those powers is provided for in the new UK legislation. The ICO will be able to serve 'assessment notices' on businesses, which would give it the right to enter business premises, access documents, equipment and other material, observe personal data processing and interview staff.
The ICO will also face statutory duties to produce a number of new codes of practice in areas such as data sharing, direct marketing, and the processing of personal data by journalists, as well as in relation to age-appropriate design of websites, apps and other 'information society services' likely to be accessed by children.
One of the main changes under the GDPR is a stiffer penalties regime, which can impose fines of up to 4% of a company's annual global turnover or €20 million, whichever is higher, for certain breaches of the new laws. Under the new Data Protection Act, UK government ministers have the power to introduce new regulations to stipulate "how an undertaking's turnover is to be determined" for the purposes of determining what level of penalty a company should face for non-compliance.
The new Act also introduces a number of new data protection offences into UK law. The new offences include knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such disclosure, or retaining the data obtained without consent. Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed would also be an offence.
Taking steps, knowingly or recklessly, to re-identify information that has been "de-identified" could also result in a criminal conviction, although one of the defences that could be raised is where that action can be justified in the public interest.
Claire Edwards, a data protection expert at Pinsent Masons, the law firm behind Out-Law.com, said: "The UK's new data protection framework is now complete. While most of the focus has been on the GDPR, the updated Data Protection Act contains important rules that supplement the EU legislation and indeed new rules on special types of processing that the GDPR does not make detailed provision for. It also provides for enhanced powers of the information commissioner. We can expect further data protection regulations and guidance to be issued by the government and ICO over time."
In a statement, the UK government said the new Data Protection Act "makes our data protection laws fit for the digital age in which an ever increasing amount of data is being processed; empowers people to take control of their data; supports UK businesses and organisations through the change; ensure[s] that the UK is prepared for the future after we have left the EU".