United Kingdom’s Data Protection Act of 2018

In an era where digital commerce transcends geographical boundaries, a solid understanding of international privacy laws is essential not only for maintaining legal compliance but also for conducting responsible and ethical business operations.

The Data Protection Act of 2018 was enacted with the aim of modernizing data protection laws in the United Kingdom, adapting them to the digital age, social media, and the ever-evolving landscape of technology and information.

In this article, we’ll take a closer look at what the DPA is, what it entails, and how it applies to your business operations.

KEY TAKEAWAYS:
  • The Data Protection Act 2018 is UK legislation that sets out rules for processing individuals’ data, individuals’ rights over their data, and penalties for data protection violations.
  • DPA was founded on several fundamental principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
  • Businesses must take DPA compliance seriously to avoid financial and reputational consequences enforced by the Information Commissioner’s Office.

PRO TIP: Don’t waste your time and take the guesswork out of the legal jargon with this personalized privacy policy generator trusted by over 150,000 businesses.

What Is the UK Data Protection Act of 2018?

The Data Protection Act of 2018 is the primary legislation in the United Kingdom designed to give individuals greater control over their personal data. It describes the protocols for gathering, managing, and safeguarding personal data to uphold UK citizens’ individual privacy.

DPA essentially integrates the principles of the EU’s General Data Protection Regulation (GDPR) into UK law, ensuring that extensive data protection principles are firmly integrated into the UK’s national legal framework. It also tailors certain GDPR provisions to better suit the specific needs of businesses in the UK.

Additionally, it extends the coverage to areas not addressed by the EU’s GDPR, ensuring comprehensive data protection across various business aspects in relation to the UK.

The DPA effectively amends and supersedes the DPA of 1998. Essentially, the DPA outlines the primary obligations for safeguarding the data of UK residents, whether processed by local or global businesses.

Yes, this means that even if your business is not located in the UK, as long as you process the personal data of UK residents, your business needs to comply with the DPA’s standards.

The DPA establishes four discrete data protection regimes within UK data protection law, each tailored to a specific category of processing activity. These regimes cover processing:

  • within the scope of the GDPR
  • outside the scope of the GDPR
  • for law enforcement purposes
  • for intelligence services

The DPA also consists of seven distinct sections, with Parts 1 and 2 being the most relevant for businesses. These sections complement the European data protection rules and expand their coverage into new areas.

Additionally, the DPA includes 20 schedules that provide detailed explanations and further insights into the main sections.

Part 2 of the DPA is particularly pertinent to businesses in the UK, requiring cross-referencing with the UK GDPR for comprehensive compliance. Part 3 is for UK law enforcement agencies and Part 4 is for intelligence services.

The remaining ‘Parts’ and ‘schedules’ encompass topics such as the powers of the Information Commissioner’s Office (ICO), enforcement mechanisms, special categories of personal data, and exemptions from the GDPR.

DPA, much like the GDPR, also grants rights to UK individuals regarding the handling and processing of their data such as the right to access, rectify, erase, and request a portable copy in an accessible format.

Compliance with the DPA is overseen by the Information Commissioner’s Office (ICO) in the United Kingdom.

What Are the General Definitions of DPA 2018?

In order to have a better grasp on the implications of the DPA, let’s first lay the groundwork by understanding its key definitions:

  • Personal Data: Personal data refers to any information related to an identified or identifiable living individual. This could include their name, identification number, location data, or even factors specific to their physical, genetic, mental, economic, cultural, or social identity. Essentially, it’s any data that can be linked back to a person.
  • Identifiable Individual: This term describes a living person who can be directly or indirectly identified, usually by using an identifier like a name, ID number, or even characteristics specific to that person.
  • Processing: Processing means any operation or set of operations performed on personal data. This can include collecting, recording, organizing, altering, retrieving, disclosing, combining, restricting, erasing, or destroying data. It’s a broad term that covers various actions involving data.
  • Data Subject: This refers to the individual to whom the personal data relates. In simpler terms, it’s the person whose data you are dealing with.
  • Controller: In the context of the DPA, a controller is the one who decides both the purposes and the methods used to process personal data. They are essentially in charge of why and how personal data is handled.
  • Processor: A processor is an individual that carries out the processing of personal data on behalf of the controller.
  • Filing System: A filing system is essentially a structured collection of personal data that can be accessed based on specific criteria. It doesn’t matter whether this data is stored electronically or manually; what matters is that it’s organized in a way that makes it easy to retrieve based on certain factors.
  • The Commissioner: The Commissioner refers to the Information Commissioner, who is the central figure responsible for overseeing data protection matters.

Relationship Between DPA & GDPR

The UK’s exit from the European Union had a significant impact on data protection legislation.

Prior to Brexit, the UK adhered to the EU’s General Data Protection Regulation, which provided a unified framework for data protection across the EU member states. The EU GDPR has not applied in the UK since 1 January 2021.

In response to Brexit, the UK introduced its version of the GDPR known as the UK General Data Protection Regulation (UK GDPR). While the UK GDPR largely mirrors the EU GDPR, it operates as an independent law specific to the UK and was tailored to specific UK scenarios that fall outside the scope of the GDPR.

The existing DPA remained in place but was modified to align with the UK GDPR. The DPA 2018 now serves as a complementary piece of legislation that works in conjunction with the UK GDPR.

In essence, the UK’s exit from the EU led to the establishment of the UK GDPR, which replaced the EU GDPR in the UK’s jurisdiction. The DPA was retained but adapted to harmonize with the UK GDPR.

Those who need to make the shift should consider what their policies look like now and how to update their privacy policies to remain compliant.

Who and What Does DPA Apply To?

The scope of the Data Protection Act is broad and comprehensive, encompassing a wide range of entities and activities. Let’s take a look at the specifics of who and what the DPA applies to:

  • Data Controllers: The DPA primarily applies to data controllers. The data controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. This includes businesses, government agencies, nonprofit organizations, and even sole traders who handle personal data.
  • Data Processors: While the DPA primarily targets data controllers, it also has implications for data processors. Data processors are entities that process personal data on behalf of data controllers. They must comply with certain data protection principles and obligations, as specified in the DPA.
  • Data Subjects: The DPA is designed to protect the rights and interests of data subjects, who are the individuals to whom the personal data pertains. It grants data subjects a range of rights, such as the right to access their data, rectify inaccuracies, and request erasure.
  • International Data Transfers: The DPA has provisions for international transfers of personal data, affecting organizations that transfer personal data outside the UK or the European Economic Area (EEA). Adequate safeguards must be in place to protect data during such transfers.
  • Processing Special Category Data: The DPA places additional scrutiny on the processing of special and sensitive personal data, such as data concerning health, genetic data, religious beliefs, and biometric data. Stricter rules apply to ensure the protection of these sensitive data types.
  • Overseas Organizations: Even organizations based outside the UK that offer goods or services to UK residents or process their personal data are subject to the DPA.

What Is Considered Personal Data Under DPA 2018

Recognizing whether you handle personal data is fundamental in determining the applicability of DPA to your operations.

Personal data is information that directly or indirectly identifies an individual, such as a name, IP address, or other distinguishing factors.

The notion of indirect identification is also significant; it means that even if you can’t directly pinpoint an individual, the information and data could still qualify as personal data if it relates to them in terms of its content, intended purpose, or potential impact on the individual.

It’s important to note that the scope of personal data is broad. Even pseudonymized data remains within the realm of personal data under the DPA.

However, certain exceptions exist, such as data related to deceased individuals or information about organizations, which typically do not fall under the personal data category.

There are also certain types of personal data that are particularly sensitive and demand a higher level of protection; these are referred to as special categories of personal data. They are personal data concerning an individual’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (for the purpose of identification)
  • Health
  • Sex life or sexual orientation

Additionally, personal data can extend to information regarding criminal convictions and offenses, warranting enhanced protection.

It’s also important to differentiate ‘legal’ entity data from ‘natural’ person data. Information related to a legal entity, such as a limited company with a distinct legal personality from its owners or directors, does not constitute personal data and falls outside the DPA’s scope.

Similarly, information pertaining to public authorities doesn’t qualify as personal data.

However, the DPA applies to personal data concerning individuals functioning as sole traders, employees, partners, or company directors, as long as they are individually identifiable and the data pertains to them as individuals rather than representatives of a legal entity.

What Are the Exemptions Under DPA 2018?

The DPA, along with the UK GDPR, outlines certain circumstances in which specific rights and obligations may not apply.

The applicability of these exemptions often hinges on the reasons for processing personal data. It’s essential to approach exemptions on a case-by-case basis, justifying and documenting why you’re relying on them.

However, relying on exemptions should not be automatic; careful consideration is required.

If your data processing activities don’t fall under any exemption, you must comply with the DPA as usual. Here are some notable exemptions under the DPA 2018:

  • Crime, Law, and Public Protection: Certain activities related to crime prevention, law enforcement, and public safety may be exempt from specific DPA provisions.
  • Regulation, Parliament, and the Judiciary: Exemptions apply to activities within the realms of parliamentary, regulatory, and judicial functions.
  • Journalism, Research, and Archiving: Data used for journalistic purposes, academic research, or archiving activities may benefit from exemptions under specific circumstances.
  • Health, Social Work, Education, and Child Abuse: Certain aspects of processing within the fields of healthcare, social work, education, and child protection are subject to exemptions to ensure vital services can function effectively.
  • Finance, Management, and Negotiations: Exemptions may apply in financial transactions, management activities, and negotiations where strict data protection rules could hinder essential operations.
  • References and Exams: Data used for employment references or educational exams may enjoy exemptions under certain conditions.
  • Subject Access Requests – Information About Other People: Exemptions exist when handling subject access requests, particularly concerning information related to other individuals.
  • National Security and Defense: Processing activities related to national security and defense fall outside the scope of the DPA.

Fundamental Principles of DPA 2018

The DPA enshrines seven key principles that illuminate the path to responsible data handling. Here are the essential DPA principles you need to be intimately familiar with:

  • Lawfulness, Fairness, and Transparency: At the core of data protection lies the principle that personal data must be processed lawfully, fairly, and transparently. This means that organizations must have a valid legal basis for processing data, ensure that individuals are informed about how their data will be used, and be honest and transparent in their practices.
  • Purpose Limitation: This means that data should only be collected and processed for specified, explicit, and legitimate purposes. Organizations must be clear about why they are collecting data and ensure that it aligns with the stated purpose.
  • Data Minimization: Collecting only the data that is strictly necessary for the intended purpose is a key principle. Organizations should avoid collecting excessive or irrelevant information about individuals.
  • Accuracy: Ensuring that personal data is accurate and up-to-date is of paramount importance. Organizations must take reasonable steps to rectify or erase inaccurate data promptly.
  • Storage Limitation: Personal data should not be kept for longer than necessary for the purposes for which it was collected. This principle encourages the responsible management of data, including secure and timely deletion when it’s no longer needed.
  • Integrity and Confidentiality: Organizations must implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. This includes maintaining data security and confidentiality.
  • Accountability: Organizations are accountable for their activities. They must demonstrate compliance with data protection principles, have robust policies and practices in place, and be prepared to provide evidence of their adherence to the DPA. Accountability is a fundamental aspect of responsible data handling.

These principles collectively uphold the sanctity of personal data and ensure that it is treated with the respect and care it deserves. They not only form the bedrock of compliance with the DPA but also lay the foundation for building trust with individuals whose data is entrusted to organizations.

By adhering to these principles, businesses can navigate the complex data landscape with integrity and responsibility.

What Are the Data Subject Rights Under DPA?

Data subjects, the individuals whose personal information is processed, are at the heart of the DPA. This is why the DPA grants seven data subject rights to UK residents.

Under the DPA, the following are the rights of the data subjects:

  • The Right to Access: Data subjects have the right of access to personal data obtained and processed by your business, and to obtain a copy of it. This enables individuals to understand how their information is used.
  • The Right to Rectification: If personal data is inaccurate or incomplete, data subjects can request corrections. This ensures that the information held about them is up-to-date and accurate.
  • The Right to Erasure: Data subjects have the right to have their data erased under certain circumstances. This includes situations where the data is no longer necessary for the purposes for which it was collected.
  • The Right to Restriction of Processing: Data subjects can restrict the processing of their personal data in specific situations. For instance, if they contest the accuracy of the data, processing may be limited while the accuracy is verified.
  • The Right to Data Portability: Data subjects can request their personal data in a structured, commonly used, and machine-readable format. They can then transmit this data to another data controller, facilitating data mobility.
  • The Right to Object: Data subjects can object to the processing of their data for certain purposes, such as direct marketing. Organizations must stop processing unless they can demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject.
  • Rights in Automated Decision-Making: If an organization makes decisions solely based on automated processing, data subjects have the right to human intervention, explanation of the decision, and the opportunity to challenge it.

How Can Businesses Comply With DPA?

As a small business owner, achieving compliance with the DPA is not just a legal requirement but a testament to your commitment to data protection and customer trust. To guide you on this compliance journey, let’s cover some practical steps, guidelines, and important considerations for small businesses.

1. Understand Your Business’ Data Processing

First and foremost, you need to comprehensively understand the activities within your business. This involves mapping out the entire data lifecycle, from the initial collection of data to its eventual disposal.

By doing so, you can identify potential compliance gaps and ensure that your processing activities align with the principles of the DPA.

Regularly auditing your data handling and processing practices also helps. This includes assessing whether data access controls are effective, data encryption is in place, and data handling aligns with your documented policies and procedures. Auditing helps ensure ongoing compliance and data security.

2. Implement Consent Mechanisms

Implement clear and transparent consent mechanisms when collecting personal data. Ensure your consent requests are easily understood and provide individuals with the option to withdraw their consent.

The DPA places a high standard on consent. For consent to be considered valid, it must meet the following criteria:

  • Freely Given: Individuals must have a genuine choice and control over whether their personal data is processed. They should be able to refuse or withdraw consent without facing any negative consequences.
  • Informed: Individuals need to be well-informed about certain key details. This includes knowing who is responsible for handling their data (the data controller), the reasons behind processing the data, and the specific processing activities involved. All this information should be presented in a clear, easy-to-understand, and user-friendly way.
  • Specific: Consent must be obtained for particular purposes and should not be bundled with other terms or conditions. It should relate specifically to the intended use of the data.
  • Unambiguous: To secure consent, it must be acquired through a clear and affirmative action, typically an opt-in. The use of pre-selected checkboxes, where consent is assumed, is not allowed.

Keeping clear records to demonstrate consent is also a requirement. The DPA grants individuals the specific right to withdraw their consent at any time. Organizations must inform individuals about this right and provide them with easy means to withdraw their consent.

3. Respond to Data Subject Rights

Be prepared to respond to data subject requests promptly and efficiently. Efficiency in responding to these requests is essential not only to maintain compliance but also to demonstrate your commitment to data protection and respect for individuals’ rights.

Establishing clear and well-documented procedures for handling data subject requests ensures that your organization can navigate this aspect of DPA compliance with confidence and effectiveness.

4. Prioritize Data Security and Report Data Breaches

Data breaches can have far-reaching consequences, both legally and in terms of reputation.

If a data breach is likely to result in a high risk to the rights and freedoms of individuals, you may also be required to notify the affected data subjects. This notification allows individuals to take steps to protect themselves in the wake of a breach.

That’s why it’s important to prioritize data security by implementing robust measures to protect personal data from breaches and unauthorized access. This includes encryption, access controls, regular security updates, and employee training to recognize and prevent potential security threats.

When engaging in high-risk data processing activities, it’s advisable to conduct Data Protection Impact Assessments (DPIAs). These assessments help you identify and mitigate potential privacy risks.

By evaluating the impact of your activities on individuals’ privacy, you can take proactive steps to ensure compliance and minimize data-related risks.

Here’s what your DPIA must include:

  • Describe the project’s scope, purpose, and context.
  • Evaluate whether processing user data is necessary, proportionate, and compliant with data protection regulations.
  • Identify and assess potential risks to individuals.
  • Propose additional measures to mitigate these risks.

To assess risk, consider both the likelihood and the severity of potential harm to individuals. If there’s a high risk you can’t mitigate, consult the Information Commissioner’s Office before proceeding.

5. International Data Sharing

The DPA primarily applies to organizations and data processors within the United Kingdom, offering strong data protection safeguards. However, it’s essential to understand the rules governing the transfer of personal data beyond the UK’s borders.

When personal data moves outside the UK, individuals should not lose the protection of UK data privacy laws. To ensure this, the DPA establishes specific regulations for transferring personal data to recipients located outside the UK.

To ensure the protection of an individual’s data privacy rights, one of the following criteria must be met:

  • Adequacy Decision: Data can be transferred to a country that has received an “adequacy decision,” meaning it meets the UK GDPR’s data protection standards.
  • Binding Corporate Rules: If your organization has established binding corporate rules governing data protection, these can enable cross-border transfers.
  • Standard Contractual Clauses: Approved standard contractual clauses can be in place between the sender and receiver to ensure data protection during transfers.
  • Certification Scheme: Data transfers can occur if the recipient country holds certifications related to data protection and security endorsed by the Information Commissioner’s Office.
  • Code of Conduct: The recipient organization may have adopted a code of conduct approved by the ICO, enabling data transfers.
  • Administrative Arrangements: In cases where public authorities or bodies are involved, administrative arrangements can facilitate cross-border data transfers.

In cases where these mechanisms are not applicable, exceptions can be considered, but only in exceptional circumstances, not as a routine practice. These exceptions include:

  • Explicit Consent: Data subjects have provided explicit consent for the transfer.
  • Contractual Performance: The transfer is necessary for fulfilling a contract with the data subject.
  • Third-Party Benefits: The transfer is necessary to perform a contract with another person that is made in the data subject’s interest.
  • Public Interest: Transfers can occur for reasons of public interest.
  • Legal Defense: Transfers may be necessary to defend against legal claims.
  • Vital Interests: Data transfers can be made to protect the vital interests of an individual.
  • Public Register: When the data comes from a public register, its transfer is allowed.
  • Legitimate Interests: In cases where the controller’s legitimate interests are at play, data transfers can be considered, but this should be assessed carefully to ensure compliance.

6. Assign Compliance Oversight

Depending on the size and nature of your activities, you should consider appointing a Data Protection Officer (DPO) or assigning a responsible person to this role.

DPOs serve important roles by assisting in monitoring internal compliance, offering guidance on data protection obligations, advising on Data Protection Impact Assessments, and acting as contact points for both data subjects and the Information Commissioner’s Office.

The DPA introduces a specific duty to appoint a DPO under certain circumstances. If your organization is a public authority or body, or if it engages in particular types of processing activities, appointing a DPO becomes mandatory.

A DPO must be independent, have expertise in data protection, receive adequate resources, and report to the highest management level within the organization. Importantly, a DPO can be an existing employee or appointed externally.

Even if your organization isn’t strictly obligated to appoint a DPO, you have the option to do so voluntarily.

However, whether you have a DPO or not, it’s imperative to ensure that your organization has the necessary staff and resources to fulfill its obligations under the DPA. A DPO can significantly aid in this effort by providing guidance and helping monitor compliance.

7. Staff Training and Awareness

An integral aspect of ensuring DPA compliance within your organization is to invest in staff training and raise awareness regarding data protection principles. It’s important to educate your employees about the fundamental principles of data protection, their roles and responsibilities in upholding these principles, and the significance of safeguarding personal data.

This ensures that your employees are well-prepared to handle personal data in a manner that complies with the DPA.

By creating a workforce that understands the importance of data protection and compliance, you create a strong line of defense against potential data breaches and violations.

8. Conduct Regular Audits and Reviews

To maintain robust DPA compliance, it’s essential to establish a system of continuous monitoring and review for your data protection practices. This means regularly examining how you collect, use, and protect the personal information your organization handles.

One way to do that is by conducting compliance audits. These audits serve as thorough examinations of your data protection processes to ensure they align with the DPA requirements.

By doing so, you can promptly identify and address any issues or vulnerabilities, minimizing the risk of non-compliance.

Regular audits and reviews are like routine health check-ups for your data protection framework. They help you stay proactive, ensuring that your organization remains on the right path to compliance.

9. Embrace the DPA Principles 

Incorporating the fundamental principles of data protection outlined in the Data Protection Act 2018 is at the heart of ensuring compliance. These principles serve as guiding lights for responsible data handling and safeguarding individuals’ rights and privacy.

Ensure that your data handling practices adhere to the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.

What is the Data Protection Fee?

The Data Protection Fee is essentially a contribution every organization handling personal data must make to support the work of the Information Commissioner’s Office, which is the UK’s independent regulatory authority for data protection.

If your entity processes personal data — whether you’re a data controller or processor — you are likely obligated to pay the fee. However, there are certain exemptions and the ICO offers a self-assessment checklist designed to assist businesses in assessing whether they are required to make a payment for the data protection fee.

The fee amount varies depending on the size and turnover of your organization.

Under the Data Protection Fee structure, there are three different tiers, each with its corresponding fee ranging from £40 to £2,900. These fees are determined by Parliament, taking into account the perceived risks associated with how controllers handle personal data.

The tier your organization belongs to depends on factors like the number of employees, annual turnover, and whether you’re a public authority, charity, or a small pension scheme. It’s worth noting that not all controllers are required to pay a fee, as some may qualify for exemptions.

Here’s a breakdown of the tiers and their respective fees:

  • Tier 1 – Micro Organizations: This tier applies if your organization has a maximum turnover of £632,000 in its financial year or employs no more than 10 staff members. The fee for tier 1 is £40.
  • Tier 2 – Small and Medium Organizations: If your organization’s turnover doesn’t exceed £36 million annually, or you have fewer than 250 employees, you fall into this category. The fee for tier 2 is £60.
  • Tier 3 – Large Organizations: If your organization doesn’t meet the criteria for tier 1 or tier 2, you are required to pay the tier 3 fee, which amounts to £2,900. In essence, all controllers are initially considered eligible for tier 3 fees unless they declare otherwise.

What happens if you don’t pay the required fee? You could face a penalty of up to £4,350.

Who Enforces DPA?

The effective enforcement of the Data Protection Act 2018 is essential to uphold data protection standards and ensure compliance. In the UK, the responsibility for enforcing the DPA lies primarily with the Information Commissioner’s Office (ICO).

The ICO is the UK’s independent regulator for data protection and privacy. Its mission is to safeguard individuals’ rights and promote transparency and accountability in the handling of personal data.

The ICO plays a key role in enforcing the DPA by:

  • Investigating Complaints: The ICO investigates complaints related to data protection breaches and violations of the DPA. Individuals and organizations can report concerns about data handling to the ICO for assessment.
  • Imposing Penalties: The ICO has the authority to impose fines and penalties on organizations that breach existing laws, including the DPA. These penalties can be substantial, serving as a deterrent against non-compliance.
  • Issuing Enforcement Notices: The ICO can issue enforcement notices requiring organizations to take specific actions to rectify compliance issues or prevent further breaches.
  • Providing Guidance: The ICO offers guidance, resources, and best practices to help organizations understand and comply with data protection regulations, including the DPA.

In addition to the ICO’s enforcement efforts, individuals affected by data breaches or violations of the DPA have the right to seek legal remedies through the courts. Legal proceedings can result in compensation for individuals or further sanctions against organizations found in breach of data protection laws.

This multi-faceted approach to DPA enforcement ensures that the law is upheld and individuals’ rights are protected.

The ICO, as the primary regulator, works diligently to investigate and address breaches while also providing guidance to help organizations navigate the complexities of data protection regulations.

Ultimately, a collaborative effort between regulators, the legal system, and responsible organizations contributes to a data protection landscape that respects individuals’ privacy and data security.

What Are the Penalties for Violating DPA?

Compliance with the Data Protection Act 2018 is not merely a matter of best practice; it carries legal weight, and violations can result in significant penalties. Here, we explore the potential consequences of breaching the DPA:

1. Monetary Penalties

The DPA grants the Information Commissioner’s Office the authority to impose monetary penalties for serious breaches. These penalties can be substantial and are designed to act as a deterrent.

The amount of the fine can vary depending on the severity of the violation.

The maximum fine for serious violations of the DPA is £17.5 million or 4% of the organization’s global annual turnover, whichever is higher. These fines can be imposed by the ICO for particularly severe breaches of data protection laws.

2. Reputational Damage

Beyond financial penalties, a breach can have lasting reputational damage. News of a data breach can erode trust among customers, partners, and stakeholders. Rebuilding that trust can be a long and challenging process.

3. Legal Action by Data Subjects

Data subjects affected by a breach may take legal action against your business to seek compensation for any harm or distress they’ve suffered as a result of the breach. This can lead to further financial liabilities.

4. Regulatory Enforcement Notices

The ICO has the authority to issue enforcement notices requiring organizations to take specific actions to address compliance issues. Failure to comply with such notices can result in additional penalties.

5. Criminal Sanctions

In cases of deliberate or negligent data breaches, individuals within your organization may face criminal sanctions. This can include fines and, in some cases, imprisonment.

6. Damage to Business Relationships

Data breaches can damage relationships with partners, suppliers, and clients, affecting your business’s ability to operate effectively.

7. Remediation Costs

Rectifying the consequences of a breach, such as investigating the breach, notifying affected data subjects, and improving data security measures, can be costly.

8. Regulatory Investigations

A data breach may trigger investigations by regulatory authorities, which can consume time and resources.

It’s important to recognize that the penalties for DPA violations are not only financial but also encompass legal, operational, and reputational risks.

To avoid these penalties, small businesses must prioritize compliance, implement robust data protection measures, and maintain a strong commitment to safeguarding personal data.

Remember, prevention is often the most effective way to protect your business and its stakeholders from the consequences of breaches and DPA violations.

Examples of DPA Penalties

The Information Commissioner’s Office imposed a fine of £7,552,800 on Clearview AI Inc. for its actions involving the use of people’s images collected from the internet and social media. The company amassed over 20 billion facial images and associated data without informing individuals or obtaining their consent, creating a global online database for facial recognition purposes.

Clearview AI Inc.’s database allowed users, including law enforcement agencies, to upload a person’s photo and find matching images within their extensive collection, all without the knowledge or consent of the individuals involved.

The ICO investigation, conducted in collaboration with the Australian Information Commissioner, scrutinized Clearview AI Inc.’s practices related to data scraping, biometric data handling, and internet image collection.

This case underscores the significance of transparency and consent in data processing, particularly when biometric data is involved. It also serves as a clear illustration of the importance of robust data protection practices, even in a global context.

Another DPA violation was the Cabinet Office’s failure to implement technical measures to prevent a breach of personal data.

The ICO fined the Cabinet Office £500,000 for a breach involving the accidental disclosure of postal addresses of over 1,000 individuals in the 2020 New Year Honours list.

The ICO found that the Cabinet Office had failed to implement adequate technical and organizational safeguards to prevent this unauthorized data exposure, violating data protection laws.

On December 27, 2019, the Cabinet Office published a file on the gov.uk website containing the names and unredacted addresses of those honored on the New Year Honours list. While the Cabinet Office removed the weblink after discovering the breach, the file remained accessible online to those with the direct webpage address.

The exposed personal data was available for two hours and 21 minutes, leading to 3,872 accesses. This breach caused significant distress to affected individuals and raised concerns about personal safety, leading to complaints.

The ICO’s actions serve as a reminder to organizations of the critical importance of safeguarding personal information and maintaining vigilance in data security efforts.

These instances underscore the real-world consequences of data breaches, affecting individuals’ privacy and safety.

How Does DPA 2018 Compare to Other Data Privacy Laws?

In an era of escalating concerns about data privacy, several data privacy laws besides the UK’s DPA are in effect across the globe. To fully appreciate the impact of the DPA, it’s essential to understand its similarities to and differences from these laws.

In terms of scope, the DPA governs the processing of data within the United Kingdom, while the EU’s General Data Protection Regulation extends its reach to all European Union member states and organizations outside the EU handling data of EU residents.

PIPEDA, on the other hand, is Canada’s federal privacy law, applying to private-sector organizations nationwide, and the California Consumer Privacy Act is for protecting the data privacy of Californian residents.

Regarding legal bases for processing, the DPA and EU GDPR share similarities, offering options like consent and legitimate interests while PIPEDA mandates consent for personal data collection and use, with exceptions.

Data subject rights are a common thread, with the DPA granting access, rectification, erasure, and objection rights. The GDPR extends these to include data portability and the right to be forgotten.

PIPEDA affords rights like access and correction, while the CCPA gives Californians control over their data, including deletion.

Data breach notifications are essential in all legislation. The DPA and EU GDPR require reporting to data protection authorities and, sometimes, affected individuals.

PIPEDA necessitates notification to the Privacy Commissioner and affected individuals if significant harm is likely. Meanwhile, the CCPA focuses on consumers’ data rights but lacks specific breach notification requirements.

Finally, fines and penalties vary widely. The DPA allows for fines of up to £17.5 million or 4% of global turnover.

The EU’s legislation permits fines of up to €20 million or 4% of global turnover. PIPEDA imposes fines of up to CAD 100,000.

The CCPA enforces penalties of up to $7,500 per intentional violation and $2,500 per unintentional violation.

Compliance entails navigating these nuances based on your organization’s location and data practices.

Frequently Asked Questions

What is the United Kingdom’s Data Protection Act of 2018?

The UK’s Data Protection Act 2018 regulates the processing of personal data, aligning with the EU’s GDPR, and ensuring privacy and data rights.

Who does DPA apply to?

The DPA 2018 applies to organizations and individuals who process personal data in the UK. This includes businesses, charities, and public authorities, regardless of size or sector.

Does the DPA apply to businesses outside of the UK?

Yes, the DPA 2018 applies to businesses outside the UK if they process the personal data of individuals in the UK, regardless of where the business is based.

What are the key principles and provisions of the DPA?

The DPA outlines key principles and provisions which are lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.

Who enforces compliance with the DPA?

Compliance with the DPA is overseen by the Information Commissioner’s Office (ICO) in the United Kingdom.

What are the penalties for violating the DPA?

Violations of the DPA 2018 can lead to significant fines. The ICO can impose fines up to £17 million or 4% of global annual turnover, whichever is higher, depending on the severity of the breach.

How can businesses comply with the GDPR?

To comply with the DPA, businesses must conduct data audits, implement consent mechanisms, respond to data subject rights, prioritize data security and report data breaches, and assign a data protection officer.

Joao Vitor Sales
CIPP/E, CIPM, GRCP, OneTrust Fellow
Joao is a privacy professional with a unique skill set and certifications that encompass legal, cybersecurity, and technical expertise. Having worked with companies of all sizes, from startups to Fortune 500 corporations, he’s dedicated to helping individuals and businesses navigate the ever-changing landscape of technology and privacy laws including HIPAA, PIPEDA, GDPR, CCPA, POPIA, LGPD, ePrivacy Directive, and more.