The Data Protection Act 2018 (DPA) is a United Kingdom statute that governs how organisations collect, store and use personal data. It applies to businesses and other organisations that process personal data in the UK.
The General Data Protection Regulation (GDPR) is an EU regulation, directly applicable in all 28 member states, that likewise governs what personal data organisations may collect, how they may process it and how long they may keep it. It was adopted by the European Parliament and Council in April 2016 and became applicable across the EU on 25 May 2018.
In the UK, both are enforced, at least in part, by the Information Commissioner's Office (ICO).
Is GDPR Part of the DPA?
In short, GDPR is not part of the Data Protection Act, nor are they the same law, despite coming into force in the same year. They coexist and work alongside each other to achieve overlapping goals. The DPA was designed to supplement the General Data Protection Regulation "by filling in sections of the regulation that were left to individual member states to interpret and implement": GDPR leaves a number of points (known as derogations) to national law, and the DPA is where the UK exercised them.
There are some small differences in the rules the two laws lay out, including the processing of criminal-offence data, the age of consent for children and the scope of data subject rights. GDPR sets the default age at which a child can consent to the processing of their data by an online service at sixteen, but allows member states to lower it to thirteen; the DPA adopts thirteen for the UK. GDPR only permits processing of personal data relating to criminal convictions and offences under the control of official authority or where national law authorises it; the DPA supplies that national authorisation, setting out in Schedule 1 the conditions under which such processing is allowed. Finally, GDPR gives everyone whose data is processed certain rights, for example to request the deletion of their data (the so-called right to be forgotten). The DPA preserves those rights but adds exemptions that restrict them where data is processed for archiving, scientific or historical research purposes in the public interest.
There are also more significant differences that affect penalties and who is actually penalised. Under the previous Data Protection Act 1998, statutory obligations fell on controllers, the organisations that decide why and how personal data is processed, even when they outsource the actual processing. GDPR places direct obligations on both controllers and processors, the organisations that process data on a controller's behalf, so that more types of organisation can be penalised, and it allows far heavier fines. For example, the largest fine ever issued under the 1998 Act was its maximum of £500,000, imposed by the ICO on Facebook in the wake of the Cambridge Analytica scandal for failing to protect users' personal data and for not being transparent about how third-party apps harvested it. Under GDPR, by contrast, a supervisory authority can fine a company up to 4% of its annual worldwide turnover or €20 million, whichever is higher; in July 2019 the ICO announced its intention to fine British Airways £183 million under GDPR for a data breach.
Although the DPA is far narrower in geographic reach, as it covers only the UK and therefore significantly fewer organisations, it covers a wider range of data protection topics than GDPR, including areas outside EU competence. In particular, it legislates for processing by law enforcement bodies and the intelligence services for national security purposes, and for certain immigration-related matters, none of which fall under GDPR. It also sets out the ICO's enforcement powers. While the UK is a member state, UK courts must follow the Court of Justice of the European Union (CJEU) on questions of GDPR interpretation; once the UK leaves the EU, the Data Protection Act will be interpreted and enforced by the UK's own courts and legal system. GDPR will still apply to many UK organisations, however, because it reaches any organisation outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU and processes their personal data in doing so.