New UK Data Protection Act launched before GDPR

Data Protection

On the 23rd May 2018, the long-awaited replacement to the United Kingdom’s data protection legislation received Royal Assent and completed its journey through Parliament.  The Data Protection Act 2018 as it is now known, will be formally implemented on the 25th May 2018 – coinciding with the Europe-wide implementation of the General Data Protection Regulation (GDPR).

The UK specific Data Protection Act 2018 aims to modernise data protection laws to ensure that they remain effective in the coming years as technology continues to evolve in differing directions. Whilst the new document mirrors the incoming GDPR legislation to a large degree, there are important derogations that the UK has secured, meaning that the GDPR and DPA 2018 should be read side by side.

Of primary interest to the pre-employment screening sector is Section 10 and Schedule 1; Parts 1 – 4 which not only outline employment as a permitted purpose, but also other conditions such as the issue of a data subjects consent, and the requirement for the employer to have a robust policy on the processing of criminal data and its retention.

Aside from the previously announced derogations from the GDPR, the DPA 2018 also contains other points that are either not covered under GDPR or that transposes other EU directives into domestic UK law. A summary of these differences is as follows:

  • The DPA 2018 contains a section dealing with the processing of data that does not fall within EU law, for example, where it is related to immigration. It applies GDPR standards but it has been amended to adjust those that would not work in the national context.
  • The DPA 2018 transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the General Data Protection Regulation (GDPR) and Part 3 of the new legislation sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’.
  • As national security is not within the scope of EU law, The DPA 2018 contains provisions based on the Council of Europe Data Protection Convention 108 that applies to the intelligence services, requiring them to comply with internationally recognised data protection standards.

To view the complete legislation as published, please click here.