The Data Protection Act 2018 (DPA) comes into operation on 23rd May 2018. It is the third generation of data protection law in the United Kingdom, following the previous Data Protection Act 1998.
The General Data Protection Bill (GDPR) rule set applies to the EU, and all organizations have to comply with its clauses. The DPA (UK) supplements the GDPR, updating the data protection laws in the UK and implementing them in areas that the GDPR leaves open.
The DPA is intended to strengthen individuals' ability to take charge of their personal data, and to back organizations in their legitimate processing of data.
The DPA’s permitted derogations, additions, and UK-specific provisions are:
- The repeal and replacement of the previous Data Protection Act 1998 as the basic part of data protection legislation in the UK.
- It is enforced to make sure that UK and EU data laws remain coordinated post-Brexit.
- It establishes rules regarding the processing of personal data by intelligence and law enforcement agencies by implementing the EU law enforcement directive.
The Data Protection Act has some variations when compared to the GDPR. This flexibility is given by the GDPR itself, under which member states can implement their own national rules on certain types of data processing.
Therefore, the DPA adds some data protection offenses and provides information about the Information Commissioner’s Office’s (ICO’s) powers and enforcement capabilities.
These offenses are:
- Intentionally or unintentionally gaining or exposing personal data without permission, procuring such disclosure, or keeping the data without consent.
- Selling, or offering to sell, personal data that was intentionally or unintentionally gained or exposed.
- Hindering the provision of data to which an individual is entitled after an access or data portability request has been received.
- Unintentionally or intentionally re-identifying information that was previously de-identified.
- Purposely or unknowingly processing re-identified information without the permission of the controller responsible for the de-identification.
According to the DPA, a company that has carried out these offenses is responsible along with the company directors, managers, secretaries, officers and others with whose consent, recklessness or connivance the offenses were committed.
ICO’s Prosecution Powers
Organizations that have committed the offenses are liable to receive certain notices from the ICO, as allowed by the DPA.
- An Information Notice requires the organization to provide the ICO with information that is reasonably necessary to carry out its functions.
- An Assessment Notice gives the ICO the right to enter business premises, check documents, equipment, and other material, observe personal data processing, and interrogate staff as part of the investigation.
- An Enforcement Notice directs the organization to take certain steps, or to avoid steps, that are mentioned in the notice.
- A Penalty Notice imposes penalties on organizations that carry out an offense or neglect any of the notice directions.
The ICO can charge penalties within three years of the offense. The ICO or the Director of Public Prosecutions is the prosecuting authority in England, Wales and Northern Ireland.
A prosecution can be brought within a period of six months after the prosecutor first obtains proof sufficient to bring such a prosecution.
Although the penalties in the DPA are aligned with the GDPR, the DPA gives additional powers to UK government ministers. They have the power to adjust the penalty level after an act of non-compliance, as they are able to introduce new legislation specifying how an organization’s turnover is determined.
The ICO has mentioned that the extreme GDPR laws will only be implemented as the last option. With the GDPR and the DPA, the ICO is looking for intelligent cooperation from organizations, presenting the concept that there will be lower penalties for those which make genuine, reasoned and documented attempts to comply.
The present regulations depict the ICO’s approach of helping organizations move towards compliance. However, there could be detailed guidance and codes of practice from the ICO in future.