The UK GDPR is the most important piece of data protection legislation in the UK and establishes the rules and principles of data protection. In some respects, the DPA18 functions as supplementary legislation to the UK GDPR, expanding on the UK GDPR and providing further detail, clarity, and exceptions. But in addition, the DPA18 extends data protection laws to activities that are expressly excluded from the UK GDPR.
The two pieces of British legislation are intended to be read in conjunction with each other. This blog, prompted by several questions from our customers, explains at a high level the relationship between them and attempts to map out which articles of UK GDPR are expanded upon by which sections of the DPA18.
Background to the GDPR
The GDPR is a regulation enacted by the European Parliament and the European Council. When it became applicable on 25th May 2018 the UK was a Member State of the EU. EU Regulations take immediate effect on all Member States in the same way when they become applicable and do not need any enabling legislation in each Member State. This is different from EU Directives which do need to be implemented through domestic legislation and was the case with the previous EU Data Protection Directive which required implementing through the Data Protection Act 1998.
On 1st January 2021, the Brexit transition period ended and EU laws no longer held any sway in the UK. Parliament enacted a version of the GDPR known as the UK GDPR which became the primary statutory instrument setting out the legal framework for the processing of personal data in the UK. In it’s the current version, it is essentially a copy of the GDPR with revisions that make it relevant to the UK. For example, the phrase “Member State or Union Law” is replaced with “domestic or UK law”. The UK GDPR is available on the UK legislation website and is currently a “redlined” version of the GDPR. It is understandable that anyone picking it up would think it was still in its draft form.
Background to the DPA18
The DPA18 was enacted prior to Brexit when the UK was a Member State of the EU and it was designed to perform several roles. If we think of its primary role as implementing the EU Law Enforcement Directive it perhaps helps to figure it out.. Part 3 provides the data protection legal framework for law enforcement processing and part 4 for intelligence services. These areas are expressly excluded from both the EU and UK GDPR in Article 2(2)b and 2(2)c. So, unless you are law enforcement or intelligence organization, parts 3 and 4 of DPA18 will not apply to your processing activities.
Parts 1 and 2 of the DPA18 expand various aspects of the GDPR where Member States were given a degree of latitude, defining some concepts, creating additional criteria that must be complied with in certain circumstances, and providing exceptions to the GDPR.
Part 5 of the DPA18 establishes the role of the Information Commissioner, something that Article 51 of the EU GDPR required.
Relating the UK GDPR and the DPA18
The Outsourced DPO was recently asked a question by a commercial company about records of processing activities. They referred to section 61 of the DPA18 and wondered why the requirements of s61 were different to those in Article 30. They asked which one took precedence.
The answer is of course that s61 is in Part 3 of the DPA18; processing for law enforcement purposes and is therefore of no relevance to a commercial company. It is the UK GDPR that is applicable to commercial organisations, and the responsibilities of controllers and processors is set out in Article 30. But it’s easy to see why folks can get confused as Part 3 DPA18 is the only place where RoPAs are referred to at all.If you were to believe the DPA18 implemented the GDPR, one can see why you might search the DPA for information about RoPAs and end up at s61.
So how does one know that the UK GDPR is the statutory instrument setting out the legal framework for processing personal data from non-law enforcement agencies? To be honest, it is probably easier now working with the UK GDPR and Keeling revised DPA18, but this relationship has always been set out in section 1 subsections (2) and (3) which states, that, “most processing of personal data is subject to the UK GDPR” and “Part 2 supplements the UK GDPR”. There are a few other references too – but as a package of measures, they are easy to miss.
Mapping the UK GDPR and DPA18
Given the way in which the two pieces of legislation interrelate, the two do not directly map one on to the other. As mentioned previously, however, some sections of the DPA18 are concerned with the same topics as sections of the UK GDPR. In these circumstances, the DPA18 provides either clarity, further detail, or exceptions to the provision in UK GDPR. These are summarized below and graphically in the illustration..
Diagram illustrating the relationship between the GDPR/UK GDPR and DPA18.
Article 2: Material Scope
- Article 2(b) states that UK GDPR does not apply to the processing of personal data by a competent authority for law enforcement purposes. DPA18 Part 3, ss29-81 apply to this sort of processing.
- Article 2(c) states that the UK GDPR does not apply to intelligence services processing. DPA18 Part 4, ssS82-113 apply to this sort of processing.
Article 6: Lawfulness of Processing
- Article 6(1)e refers to processing that is necessary for the performance of a task carried out in the public interest. DPA18 Part 2, s8 provides a list of such tasks.
Article 9: Processing of Special Categories of Personal Data
- Article 9(2) gives a list of exceptions to the rule prohibiting the processing of special category data. DPA18 Part 2, s10 states that the exceptions in points b, h, I or j of UK GDPR Article 9(2) will only apply if the processing meets one of the conditions in DPA18 Schedule 1, Part 1.
- Article 9(2)h allows the processing of health data for a series of medical reasons. Article 9(3) states that data of this type may be processed when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy. DPA18 Part 2, s11(1) gives further detail on when the requirement for an obligation of secrecy is met.
- DPA18 Schedule 1 lists several situations in which special category data may be processed, along with the requirements that must be met in each situation.
Article 10: Processing of Personal Data Relating to Criminal Convictions and Offences
- Article 10(1) requires that processing of personal data relating to criminal convictions and offences is authorised by domestic law. DPA18 Part 2, s10(5) states that the requirements for authorisation are met if the processing meets a condition in Part 1, 2 or 3 of Schedule 1.
- DPA Part 2, s11(2) expands on the meaning of personal data relating to criminal convictions or offences.
Articles 12-23: Rights of the Data Subject
- DPA18 Part 2, s15 identifies the exemptions from, and restrictions and adaptations of the application of the rules in UK GDPR. The exemptions themselves are listed in Schedules 2, 3 and 4 of DPA18.
Article 40: Codes of Conduct
- Article 40 states that the Commissioner will encourage the drawing up of codes of conduct. DPA18 Part 5, SS121-124 expands upon this.
Article 49: Derogations for Specific Situations
- Article 49(1)d allows for international transfers for important reasons of public interest. DPA18 Part 2, s18 grants the Secretary of State the power to define important reasons of public interest by regulations.
Articles 51-59: Independent Supervisory Authorities
- DPA18 Part 5, s115 applies the provisions in Articles 51-59 of EU GDPR.
Article 84: Penalties
- DPA18 Part 5, SS155-159, SS170-173 and SS196-199 expand upon Article 84 and set out offences and penalties.
In summary, the UK GDPR is the primary statutory instrument setting out the responsibilities of data controllers and processors. All of the answers should be in there apart from as highlighted above, in particular, permissible grounds for processing special category personal data and personal data relating to criminal convictions and offences, as well as setting out exemptions to the rights of data subjects and how these should be accessed by controllers. Schedules 1 to 4 are probably the most useful sections of the DPA18 for most organisations.
This blog presents a high-level overview of the relationship between the two pieces of legislation. If you require more detail or have further questions, please get in touch with Data Protection People.
By Matthew Worswick