UK Data Protection Act receives Royal Assent and enters into force

The UK Data Protection Bill received Royal Assent on 23 May and it came into force on 25th May. We know… all these data protection legislation, regulations and guidelines are getting confusing.

The new Bill works alongside the GDPR (which is an EU Regulation). In essence it assists with the adoption of the GDPR and means that, regardless of Brexit, the UK is committed to the privacy principles set out in the GDPR. However, the Bill isn’t limited to data protection measures - it also covers other matters such as national security issues.

As a result of this we now have a new Data Protection Act (the Data Protection Act 2018).

Importantly, this new Act adds clarity to how the UK will apply many of the statutory controls set out in the GDPR. And, when the UK leaves the EU it will replace the GDPR.

Examples of this include the Act stipulating that the age for a child’s consent, in relation to information society services, will be 13, instead of the 16 set out in the GDPR.  Similarly, whilst the GDPR does not require organisations to notify to the supervisory authority, the UK Act imposes a notification fee to be paid to the ICO. The Act also creates a new criminal offence in cases where anyone uses anonymised data, knowingly or recklessly, to re-identify information that is de-identified personal data. The UK regulator is also granted more effective powers of entry and inspection.

To help with this the ICO has announced that it plans to issue a Data-Sharing Code, a Direct Marketing Code, an Age-Appropriate Design Code and a Data Protection and Journalism Code… although these haven’t yet been approved.

Information Commissioner, Elizabeth Denham, said, of this new Act: ‘The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.

‘And although the ICO will be able to impose much larger fines - this law is not about fines. It’s about putting the consumer and citizen first… we can’t lose sight of that.

‘The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.’