GDPR, UK GDPR and DPA 2018 — UK Data Privacy Laws Explained

Daniel Hall 31/01/2023

European countries are investing significantly to protect personal data.

Most European countries are very advanced when it comes to passing legislation that protects individuals' data from corporate misuse. Since 2018, the European Union and the United Kingdom have maintained data privacy laws that require companies to take specific actions to keep online users’ data safe.


Businesses from other regions that want to operate in Europe need to comply with these data privacy laws, and compliance starts with understanding them. Whether you are interested in expanding operations overseas or are building a data monetization strategy for your organization that involves capturing data from European users, you should take the time to learn how personal data is protected in Europe.

Many business leaders tend to confuse three key regulations: the GDPR, the UK GDPR and the DPA, all of which were passed in 2018. Here is a comparison of all three of these critical regulations, so business leaders can begin developing strategies for legal data practices across Europe.


The General Data Protection Regulation (GDPR) was passed and put into effect by the European Union in 2018, before the U.K. left the E.U. Highly regarded as the world’s toughest privacy and security law,

Importantly, the GDPR applies to any company that processes the personal data of residents or citizens of the E.U., even if that company does not operate in Europe. Under the GDPR, personal data includes any directly or indirectly identifiable information, including names and email addresses as well as ethnicity, gender, religious beliefs, political opinions and, critically, web cookies. Processing covers both automated and manual actions performed on data, such as collecting, storing or using it. The GDPR requires data processors to uphold seven key principles:

  • Lawfulness, fairness and transparency, or adherence to laws and commitment to transparent data practices

  • Purpose limitation, or limiting data processing to specified legitimate purposes

  • Data minimization, or processing only as much data as necessary for specified purposes

  • Accuracy, or acting only on data that is up to date

  • Storage limitation, or storing data for only as long as necessary for specified purposes

  • Integrity and confidentiality, or applying appropriate security measures to protect data

  • Accountability, or accepting full responsibility for GDPR compliance

There are strict rules for informing web users and obtaining their consent before collecting data, and there are additional rules governing how data can be stored and organized. Violating the GDPR is not in any organization’s best interest: GDPR fines are exceedingly steep, maxing out at €20 million or 4 percent of the company’s global revenues, whichever is higher.


The United Kingdom separated from the European Union in 2020 in a political move famously dubbed Brexit. In doing so, the U.K. freed itself from many of the obligations of operating under E.U. law, which meant that the GDPR no longer applied to citizens and residents of the U.K. To maintain data privacy protections in the U.K., British lawmakers passed their own version of the General Data Protection Regulation in 2021. Organizations processing data from both the U.K. and the E.U. need to comply with both forms of the GDPR.



In 1998, U.K. lawmakers created the Data Protection Act (DPA) to regulate how individuals and organizations could process data, both in paper filing systems and in relatively newfangled digital systems. In 2018, the U.K. replaced the 1998 version of the law with an updated law to complement the E.U. GDPR.

When the U.K. passed its own version of the GDPR, many of the rules set out in the DPA became less important to business operations. In addition to applying to substantially fewer web users, the DPA tends to be less specific and to carry much lower penalties than the GDPR. Still, the DPA does cover areas of data processing that are left out of the GDPR, such as processing by law enforcement and by the intelligence services, so organizations engaging in these activities will need to put time into understanding the DPA.

The GDPR is unlikely to be the last legislation passed on data privacy and protection, but at present, it is easily the most influential. Still, the U.K. has additional data processing laws that businesses must respect.


Daniel Hall

Business Expert

Daniel Hall is an experienced digital marketer, author and world traveller. He spends a lot of his free time flipping through books and learning about a plethora of topics.
