#EDPS: How the UK DPA impacts your GDPR programme

Speaking at the European Data Protection Summit, Ian Evans, managing director of OneTrust, focuses on the 2018 Data Protection Act and GDPR: what the legislation means and, most importantly, what has changed.

Evans said:

“Privacy in an ever-changing world means that we’re looking at the DPA 2018 for the UK in line with GDPR across the EEA. But we’re also thinking about how global companies are thinking about, maybe the California Consumer Privacy Act, what we’re doing in South America and so on. So this is an ever changing landscape.”

Evans went on to explain the 2018 DPA, stating that, from a business and functional perspective, the act covers six major areas:


  1. Repeals and replaces Data Protection Act 1998
  2. Incorporates the GDPR into UK Law
  3. Extends the GDPR standards to areas not covered by EU Data Protection Law
  4. Transposes EU Data Protection Directive 2016/680 into domestic UK law
  5. Data protection framework for Intelligence Services
  6. Broadens UK ICO duties and powers

Evans went on to discuss in depth the five main areas of the 20-schedule addendum: special categories of personal data and criminal convictions data; exceptions from GDPR; health, social work, education and child abuse data; disclosure prohibited or restricted by an enactment; and penalties.

His colleague Linda discussed the changes in more detail, describing the Data Protection Act as “a bit of a beast.”

She went on to say that after Brexit the UK will be facing a situation where there will be “two GDPRs up against each other; there will be the British one, the European one, and they all have obligations in relation to what happens when you’re transferring data in and outside these territories.”

Linda highlighted the nuances and additional layers of obligations that the UK DPA actually “breaks fold”.

Linda further discussed the exceptions to complying with data subject requests, stating that there are more layers than everyone is used to under the EU’s GDPR. The exceptions are: crime prevention and taxation, immigration control, legal proceeding disclosures, researching and archiving, and public interest publications.

Linda praised the efforts of the ICO, its enforcement of the DPA and its plan to provide a lot of guidance, saying:

“They are actually entitled, by the law itself, to provide codes of practice on these particular issues or topics”.

The topics are data sharing, direct marketing, age-appropriate design, journalism and data protection.

The codes of practice will be different to the code of conduct, and will set out standards or operating modes for these particular areas dealing with personal data.

Evans concluded:

“We need to think about the supervisory authority and the regulators that we appoint and the ones already in place.

“We need to think about PCR policies and our cookie policies and also the privacy notices of whether they will uphold whatever decision is made from Brexit as well”.
