GDPR, Applied GDPR and the Data Protection Act

For the more geeky amongst us, May was an exciting month, with GDPR finally coming into force, the Law Enforcement Directive, the repeal of the Data Protection Act 1998, getting the Data Protection Act 2018 at the last moment and myriad small changes hidden in the depths of the Byzantine complexity of the new law.

The Data Protection Act 2018 picks up the mantle of the Data Protection Act 1998 by being one of the worst constructed pieces of legislation on the statute books. To start to untangle the mess, it’s easier to split the privacy law elements into:

  1. GDPR: what is in the EU General Data Protection Regulation (EU16/679)
  2. Applied GDPR: the permitted derogations into UK domestic law
  3. Data Protection Act 2018: specific requirements which are not captured within the GDPR or Applied GDPR components, for example the Law Enforcement Directive, which must have a state law to implement it, including processing, Intelligence Services processing, further legal bases, exemptions and specific requirements.

Applied GDPR is where the UK has varied GDPR, for example where GDPR states that the Controller or Processor must do X, but the UK has decided to adopt another definition, meaning or method. The law should be read as in GDPR, but qualified by the modified terms and meanings under the Data Protection Act 2018.

Example: GDPR Article 8(1) states ‘…where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.’

In the Data Protection Act 2018 (Part 2, Chapter 2, Section 9), the UK adopts its own standard: ‘In Article 8(1) of the GDPR (conditions applicable to child’s consent in relation to information society services)—

(a) references to “16 years” are to be read as references to “13 years”.…’

The main elements of Applied GDPR appear in the definitions in Part 2, Chapter 1, which explain where Applied GDPR occurs (primarily within Part 2, Chapter 2 and Part 2, Chapter 3). There are also provisions in relation to Applied GDPR in DPA 2018 Schedule 6. Applied GDPR also needs to be read with the Keeling schedule, as this makes clear what has been changed or amended and the intention of lawmakers, useful when trying to interpret the law!

It is important to be clear under which law you will be processing and for what purpose, whether it is GDPR or the Data Protection Act 2018. This will make it easier to determine which principles, legal basis and exemptions apply.

Example B: CCTV monitoring: if you are using CCTV to monitor your premises (for the safety of your premises and staff), you will be processing under GDPR. If you are using CCTV to monitor for enforcement purposes, e.g. ‘control room to monitor public streets for public safety and support the Police with the prevention and detection of crime’, you will be processing under the Data Protection Act 2018 (Law Enforcement). The Data Protection Act 2018, especially for law enforcement, will have different principles, requirements and exemptions from those you would have under GDPR.

If you are processing under GDPR, you may then wish to refer back to the Applied GDPR component of the Data Protection Act 2018, to see whether you need to apply any UK definitions/meanings/exemptions for that particular purpose. There are some elements of the Data Protection Act 2018 that revert back to complying with GDPR.

Example C: Schedule 1, Part 4 DPA 2018 requires a policy document to be completed if you are processing specified special personal data/category of data under DPA 2018. The policy document must demonstrate that what you are processing under DPA 2018 is compliant with the Article 5 GDPR principles.

So, when determining the purpose and means of processing, it is important that all components of this legislation (GDPR, Applied GDPR and the ‘catch all’ Data Protection Act 2018) are read and applied in conjunction with one another. Utilising the Keeling Schedule will help you navigate how to apply and interpret Applied GDPR.

On the plus side, if you are a data protection, you are pretty much assured a job for the next 20 years, and can look forward to the Data Protection Act 2038.

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf