As of May 2018 we all have to comply with the GDPR, right? Wrong. Kinda…

Because the GDPR is a European regulation, we can’t directly use it as law, so the UK has added to its own legislation in the form of the updated Data Protection Act 2018 (DPA). The DPA updates a 20-year-old law (definitely not our oldest, but still very outdated) to cover modern technology and other best-practice processes for handling your data. The update to our domestic law also helps when it comes to implementing Brexit fully: there will be no retraction of the more onerous GDPR rules in favour of our previous domestic law, so there won’t be any changes any time soon.


If the DPA incorporates the GDPR, then they are the same – why are you telling me this?

Firstly, in your contracts you need to be referencing the correct law, particularly in preparation for Brexit, but also as best practice. One way to keep your contracts in line with current law is to define statutes. We often add “a statute is a reference to that statute or provision as amended or re-enacted at the relevant time” within our standard definitions to protect you against changes, but where possible you should refer to the correct versions.

Secondly, the two laws aren’t the same! There are some subtle differences between the two, allowing certain business types to take on additional liabilities with personal data. The DPA is also more comprehensive than the GDPR, adding further provisions covering processing that may not occur in other member states, and clarifying areas where the GDPR set out only the absolute minimum data protection standards.


So what are the differences?

  • The DPA allows children to give consent to their data processing from the age of 13, while the GDPR sets this at 16
  • The GDPR includes identifiers such as IP addresses, internet cookies and DNA within its definition of personal data, whereas the DPA leaves these out of its definition
  • The GDPR states that any criminal data must be processed by an official regulated authority, whilst the DPA does not have this requirement
  • The GDPR allows individuals to opt out of their data being used to make automated decisions, whereas the DPA allows such processing where there are legitimate grounds and subject to safeguards being in place
  • The DPA allows the rights of data subjects to be set aside where applying them would impact an organisation’s ability to carry out functions relating to scientific, historical, statistical and archiving purposes
  • The DPA provides an exemption from certain requirements in respect of personal data processed for publication in the public interest
  • The DPA also allows refusal of subject access requests (SARs) in certain scenarios, including crime and taxation, immigration control, information in connection with legal proceedings, functions designed to protect the public, and regulatory functions relating to legal, health and children’s services


Can I ignore the GDPR altogether then?

Aside from the differences above, the GDPR is still fully in force, and we recommend that you speak to an expert to help ensure your compliance if you have not done so already. Additionally, if your business uses EU member states’ personal data, you must comply with the GDPR in all respects when it comes to that data. This requirement will also continue after the completion of Brexit, despite any changes to the DPA: EU law requires our data protection laws to be at least ‘adequate’, as defined by Article 45 of the GDPR, in order for smooth transactions between us and member states to continue.


How do I comply with GDPR?

We recommend speaking to an expert who will be able to go through your business processes with you, assess your level of risk and explain any changes you need to implement before you will be compliant. Look into the GDPR and the practices you need to start using in your business. We wrote a handy guide here and would be happy to arrange a no-obligation call to discuss your needs.