Ah, how quiet it is on the GDPR front, as the guns have fallen silent after the momentous May 25th deadline and those last-minute ‘can I keep spamming you emails’ – nearly all of which were completely unnecessary! See: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/05/blog-raising-the-bar-consent-under-gdpr/ and https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing
Now GDPR is enshrined in law, we need to see what the ICO will do in practice with it – but more importantly, we need to work out how we move forward in a different data regime.
The frenzy over the EU’s GDPR obscured the fact that the UK has its own, separate data protection activity taking place in the shape of the freshly-minted Data Protection Act 2018.
But why exactly did we need a new Data Protection Act as we had one in place already? There’s a lot going on in the new DPA that you need to know about if you are involved in the information and content business, and as a business owner.
Here are the key reasons why we need a Data Protection Act (2018):
We needed a DPA in order for GDPR to work
Though an EU Regulation like GDPR is enforceable in national law the GDPR allows member states (we still are!) to make variations and modifications to work with our own national laws. We didn’t just copy-paste the legislation. The UK chose to implement the Regulation in its own way – for example, we decided to change the legal age you can set up your own online identity (Facebook account, etc.) from the EU’s standard 16 to 13. We introduced some local criminal offences such as re-identifying personal data made anonymous. There is also the controversial Immigration exemption, which removes data privacy rights for immigration purposes.
We needed a new DPA for more than GDPR
It turns out there are other UK and EU laws that the new DPA has to cover, too. There’s a Law Enforcement Directive, which effectively complements the GDPR. The DPA rings in a second regime to cover data protection issues for the police and other investigative bodies. EU law also can’t govern our national security, so the DPA brings in a third privacy regime for the intelligence services. In addition, other exemptions and modifications are made for special use cases such as in parliament, insurance and child preventative services.
We needed a new DPA anyway
The last DPA was passed in 1998. Life and company use of data has moved on since then. After all, in 2018, we have mobile phones, social media, the Internet of Things, cloud computing, online advertising and tracking – none of which existed in 1998. Quite rightly, government, the security services and law enforcement felt it needed to be updated.
We needed a new DPA for Brexit
Once we are formally not part of the European Union (EU), we will still need a way for EU nations to know we are at GDPR-level standard. Otherwise, this could lead to all sorts of issues when it comes to sharing data across borders and trading with us. The plan is that if we leave the EU, we can use the DPA 2018 to apply for an “adequacy” decision to ensure that data transfer can continue seamlessly.
But there are still unresolved data issues
Most observers agree the 1998 Act needed updating, but there’s a lot of controversy about some of the things the government slipped into the Act. There’s some contentious areas like Paragraph 185, which covers a proposed new government framework for digital practice that many feel is too intrusive and may involve state-sponsored surveillance. Other proposals are also seen as going against some key privacy safeguards, such as the immigration issue and a wide variety of exemptions, alluded to above.
More regulation in 2019
So you not only need to properly deliver GDPR, and our local Data Protection Act 2018 – you need to start preparing now for the next wave of data protection stuff. 2019 will see even more EU data privacy legislation, namely the ePrivacy regulation which will come into play, and will have a big impact on all things marketing, online advertising and geolocation.
The new DPA 2018 and GDPR were big challenges, but the reality is that work on data protection needs to continue, and not end now May 25th has happened.
To help, keep abreast of the issues: https://ico.org.uk/for-organisations/. And for some serious bedtime reading, the law itself: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
Ralph T O’Brien is Principal at REINBO Consulting, a management consultancy specialised in privacy, GDPR and information security management services
A fellow of Information Privacy, CIPP/E, CIPM, CiISMP, Ralph has spent nearly two decades working at the intersection of privacy, security and risk management. Ralph is an experienced consultant, speaker, trainer, auditor, negotiator and manager. His key passion is in using his knowledge of privacy laws and information governance standards to help businesses develop and grow, engaging stakeholders, and delivering complex projects within the information governance sphere.