The Data Protection Act has been around longer than you think. This article covers some things you might not know about this piece of legislation.
The Data Protection Act (2018) is the most recent iteration of this piece of legislation. It interacts with the GDPR, both the EU version and the newest UK GDPR. At it’s heart, the Data Protection Act sets out the framework for data protection law in the UK. It works with the GDPR in a way that essentially tailors how the latter applies, such as providing exemptions.
The Act also contains rules for law enforcement authorities, powers of the Information Commissioner’s Office, and extends data security to areas such as national security and defence.
When most people think about the Act, they think about GDPR, consent, withdrawal of consent, and probably little else – because to a lot of people, personal data simply means their name, phone number, or email address.
Because of that, understanding the Data Protection Act can be difficult; it’s not quite as straightforward as you think. We’ve found a few interesting points about the Act that you might not know.
What do you think about when you hear ‘1984’? If it’s the dystopian fiction novel by George Orwell, you’re probably not alone. Mass surveillance is one of the key concepts – big brother is watching. But 1984 is also when the Data Protection Act first came in to being, although at the time it only related to computer data.
GDPR Article 23
Whilst the Act has been around much longer than GDPR, it is Article 23 within the GDPR which made room for the Act to interact with it. Article 23 allows for member states (remember, the UK was in the EU when this came about) to make amendments reflecting national requirements.
Therefore, the Act adapts GDPR and extends its scope within the UK, and extends GDPR standards to areas of processing that are not covered in those regulations.
Generally, obligations under the data protection act changed very little between the 1998 and 2018 versions. What the 2018 version did bring in, however, was an increase in regulatory reach of the ICO. In short, this expanded the reach of potential fines – which is why so many companies started really paying attention to their data protection requirements.
Take Back Control
A phrase that might make a few people recoil. The Data Protection Act 2018 was designed to update the law and allow people to ‘take back control’ of their personal data – and those are the words of Information Commissioner Elizabeth Denham, not us!
But that was the idea behind updating the DPA – the version of the act passed in 1998 couldn’t have accounted for the changes in digital technologies and the widespread use of the internet – and so updating it in 2018 helped to strengthen the rights of the individual when it comes to new technologies and ways of sharing data.
Children and Criminals
The GDPR and the Data Protection Act both differ in how they deal with Children and Criminals. Just as the ages for things such as drinking and driving differ between the UK and other countries around the world, the age at which you can give consent for data processing is different.
The GDPR states that children can consent to processing at 16 years of age – in the Data Protection Act, this is 13 – typically age 13 is when you stop being a child and become a teenager in UK.
Dealing with criminal data is also slightly different. The GDPR requires that anybody processing criminal data must have official authority – the Data Protection Act does not.
And so much more
There is so much to know about the Data Protection Act, and how it interacts with other similar data protection laws and regulations. So much in fact, that we run an entire training day just to help people understand it and how it works in practice.
If you’re interested in learning more about data protection law, this is almost certainly the place to start. Find out more about our course ‘How to Understand the Data Protection Act 2018’ or browse all upcoming courses.