The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy that applies throughout the European Union (EU) and the European Economic Area (EEA). Its main goal is to give individuals more control over their personal data and what happens to it, and because every member state applies the same rules, doing business across borders is simpler. It also reaches organisations outside the EU/EEA that offer goods or services to, or monitor the behaviour of, people in the EU. Organisations processing personal data must build in data protection by design and by default, so that only the data needed for each purpose is collected and the most privacy-protective settings apply unless the individual chooses otherwise; pseudonymisation and encryption are named as appropriate technical measures rather than absolute requirements to store all data in that form. Personal data may only be processed on a lawful basis, of which the individual's consent is one; it cannot be published or shared without such a basis. If a personal data breach occurs, the controller must notify the supervisory authority within 72 hours of becoming aware of it (not of the breach happening), unless the breach is unlikely to result in a risk to individuals, and must also inform the affected individuals without undue delay where the breach is likely to result in a high risk to them.
Although the GDPR was adopted on 14th April 2016, it did not apply until 25th May 2018. Because it is a regulation rather than a directive, it is directly applicable in every member state and does not need to be transposed into national legislation. In the UK, the Data Protection Act 2018 received royal assent on 23rd May 2018; it supplements the GDPR and was designed to keep UK data protection law aligned with the EU's after Brexit.
What is the Data Protection Act 2018?
The act is, in effect, the UK's domestic counterpart to the GDPR: the GDPR applied directly, and the DPA 2018 fills in the details that the regulation leaves to member states and extends the same standards to areas the GDPR does not cover. Its aim is to modernise data protection law so that it remains effective in the years ahead. Where the GDPR gives member states only limited room to deviate, the DPA 2018 goes further than simply applying GDPR standards:
- One part covers processing that falls outside the scope of EU law, for example processing relating to immigration. The GDPR standards still apply, with those unsuitable for the UK amended.
- One part transposes EU Directive 2016/680 (the Law Enforcement Directive) into domestic UK law, setting out the requirements for processing personal data for criminal law enforcement purposes.
- Intelligence services must comply with internationally recognised data protection standards, so provisions based on the Council of Europe Data Protection Convention 108 apply to them.
- Further parts cover the Information Commissioner's Office (ICO): its duties, functions and powers, and the enforcement provisions. Because the Data Protection Act 1998 is repealed, these provisions are also needed to deal with the interaction between the Freedom of Information Act (FOIA), the Environmental Information Regulations (EIR) and the DPA.