What is the difference between the DPA 2018 and the GDPR? (and why does it matter?)

December 7, 2018
Categories
  • Data Protection
Tags
  • data breach
  • data class action
  • data protection

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) have some key differences which may impact the UK’s relationship with the EU, post-Brexit. The GDPR became enforceable on 25th May 2018. As a European regulation, it is directly effective in EU Member States, meaning that all UK organisations must comply with it.

The GDPR does, however, give Member States limited scope to shape how certain aspects of the Regulation apply in their country. The DPA 2018 enacts the GDPR into UK law, and in doing so has included various ‘derogations’ as permitted by the GDPR, resulting in some key differences.

The subtle differences…

Child consent

    • The GDPR states that a child can consent to data processing at age 16, whilst the DPA sets this at 13.

Extended definition of ‘identifier’

    • The GDPR extends the meaning of ‘identifier’ to include IP addresses, internet cookies and DNA in the definition of personal data.

Criminal data

    • The GDPR requires those processing criminal data to have official authority; the DPA does not.

Automated decision making/processing

    • The GDPR states that data subjects have a right not to be subject to automated decision making or profiling, whereas the DPA allows for this whenever there are legitimate grounds for doing so and safeguards are in place to protect individual rights and freedoms.

Data subject rights

    • The GDPR ensures that all data subjects have rights in relation to the processing of their personal data.
    • The DPA allows these rights to be ignored if compliance with these rights would seriously impact an organisation’s ability to carry out their functions when processing data for scientific, historical, statistical and archiving purposes.

Privacy vs Freedom of Expression

    • The GDPR gives Member States scope to balance the right to privacy with the right to freedom of expression and information.
    • The DPA provides an exemption from certain requirements of personal data protection in respect of personal data processed for publication in the public interest.

Other Differences

The DPA is wider in scope than the GDPR, covering:

    • Criminal sanctions and fines for GDPR infringements (for example the introduction of an unlimited fine for the new offence of intentionally or recklessly re-identifying individuals from anonymised data)
    • Processing relating to areas outside the scope of EU law (and the GDPR) such as national security and immigration
    • Transposition of the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into UK law
    • The role and powers of the UK’s independent authority (the ICO) in upholding information rights and freedoms

Finally, whilst the GDPR is governed by the Court of Justice of the European Union (CJEU), when the UK leaves the EU, the DPA will be governed solely by the UK justice system, leaving the CJEU out in the cold.

Why do these differences matter?

Being an EU Member State means data can flow unhindered across borders to and from the UK. This makes business cheaper, faster and generally easier.

However, when the UK leaves the EU, it will no longer be able to rely on data flowing freely; this will depend on our data protection laws being considered ‘Adequate’ by the EU Commission (as defined by Article 45 of the GDPR).

This means our data protection laws must be sufficiently similar to the EU data protection laws so that the EU feels that citizens’ data is being ‘adequately’ protected if shared with the UK.

Clearly, the more negative the disparity between the DPA and GDPR, the less likely we will be deemed Adequate; therefore, these differences really do matter.

Finally, it should also be mentioned that Acts other than the DPA may cause the UK problems post Brexit, such as the Investigatory Powers Act 2016, which confers on the state new powers that clearly contradict the GDPR, especially regarding data processing in the investigation of criminal offences.

As experts in Data Protection legislation, the DPO Centre provides advice and guidance to organisations to help them navigate the ever-evolving regulatory landscape by providing outsourced Data Protection Officers as a service, GDPR EU Representation Services required under Article 27 for organisations outside the EU, as well as Data Protection Impact Assessments, Consultancy and Training.

 
