The Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR) are two important pieces of legislation that regulate the processing of personal data in the European Union (EU) and the United Kingdom (UK). While both of these laws share many similarities, there are some key differences between them that are important to understand.
Scope of Application:
The GDPR applies to all EU member states, as well as to any organization that processes the personal data of EU citizens, regardless of where that organization is located. The DPA 2018, on the other hand, applies only to the UK and organizations that process personal data in the UK.
The GDPR has an extraterritorial scope, meaning that it applies to organizations outside of the EU if they process the personal data of EU residents. In contrast, the DPA 2018 does not have an extraterritorial scope, meaning that it only applies to organizations based in the UK.
Definition of Personal Data:
The GDPR and the DPA 2018 both define personal data as any information that relates to an identified or identifiable natural person. However, the GDPR has a broader definition of personal data than the DPA 2018. The GDPR also includes online identifiers such as IP addresses, cookies, and other similar identifiers, while the DPA 2018 does not.
Legal Basis for Processing Personal Data:
Under the GDPR, organizations must have a lawful basis for processing personal data, such as obtaining the data subject’s consent, fulfilling a contractual obligation, or pursuing the legitimate interests of the organization. The DPA 2018 also requires organizations to have a lawful basis for processing personal data, but it provides additional lawful bases, such as processing for the performance of a task carried out in the public interest or for the purposes of complying with a legal obligation.
Data Protection Officer (DPO):
The GDPR requires organizations to appoint a Data Protection Officer if they process large amounts of personal data, if they process sensitive personal data, or if they are a public authority. The DPA 2018 does not require organizations to appoint a DPO, although they may choose to do so.
Fines for Non-Compliance:
The GDPR has significantly higher maximum fines for non-compliance than the DPA 2018. The GDPR allows for fines of up to 4% of an organization’s global annual revenue or €20 million, whichever is higher. In contrast, the DPA 2018 allows for fines of up to £17.5 million or 4% of an organization’s global annual turnover, whichever is higher.
Age of Consent:
The GDPR sets the age of consent for the processing of personal data at 16 years old, although individual EU member states can choose to lower this age to 13. The DPA 2018 sets the age of consent for the processing of personal data at 13 years old.
After the UK left the EU, GDPR was incorporated into UK law through the European Union (Withdrawal) Act 2018, and its provisions continued to apply in the UK. The DPA 2018 was also introduced to supplement GDPR and provide additional provisions to the UK’s data protection framework.
In conclusion, the DPA 2018 and the GDPR share many similarities, but there are some important differences between them. While the GDPR has a broader scope and higher penalties for non-compliance, the DPA 2018 provides additional lawful bases for processing personal data and does not require organizations to appoint a DPO. Organizations that process personal data in the UK and EU must comply with both laws to ensure that they are processing personal data lawfully and protecting the rights of data subjects.