GDPR & DPA: What you need to know

Regulation ¦ October 27th, 2020, 11:00 pm

With the United Kingdom by all appearances leaving the European Union at the end of this year, we wanted to give a quick breakdown of UK data protection law and the implications that Brexit will have on data transfers between the EU and the UK.

The Data Protection Act (DPA), the United Kingdom’s first privacy law, was passed in 1988 and recently updated in 2018. It controls how personal or customer information is used by organizations and government bodies in the UK. The DPA and General Data Protection Regulation (GDPR) work alongside one another and should be read together. Under Article 23 of the GDPR, Member State law may restrict the scope of the obligations and rights, if its provisions correspond to the rights and obligations provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22. Any restriction must respect the essence of the fundamental rights and freedoms of the right that is being restricted. Thus, the DPA tailors how the GDPR applies in the UK and codifies the regulation into UK law. 

What are some of the key differences between the GDPR and the DPA?

  • The DPA extends the GDPR and applies it beyond the scope of the GDPR.

  • There are a higher number of bases under which data can be processed under the DPA. These bases include (1) employment, social security and social protection purposes, (2) health and social care purposes, (3) archiving, research and statistics purposes, (4) public interest purposes (5) and criminal convictions data.

  • Organizations processing data for the prevention and detection of crime are exempt from the GDPR’s provisions around the right to be informed or the purpose limitation principle if it would prejudice the purposes of processing.

  • The DPA adds exceptions to data subject rights. Companies can refuse data subject access requests in scenarios related to (1) crime and taxation, (2) immigration control, (3) information in connection with legal proceedings, (4) functions designed to protect the public, (5) regulatory functions relating to health and children’s services, (6) price sensitive corporate finance, (6) journalistic, academic, artistic and literary purposes, (7) scientific or historical research, (8) statistical purposes, (9) archival in the public interest, (10) and when in negotiations with the data subject where the negotiations might be prejudiced.

  • The DPA allows for automated decision making when there are legitimate grounds for doing so and safeguards and in place to protect individual rights and freedoms. 

  • The minimum age of consent in the GDPR is 16. The DPA lowers this age to 13 in the UK. 

  • The DPA requires the ICO to release guidelines on how companies can stay compliant when processing data in certain situations and industries. 

But what does this all mean in practice?

Understand that the GDPR isn’t the whole story and that you need to keep the extra layers provided by the DPA in mind when processing data in the UK or of UK citizens. Before automatically complying with DSARs, check additional DPA exemptions. 

Is Brexit going to have an impact on these regulations and how they are applied?

Being an EU Member State means that data can be transferred across borders to other Member States. This makes business easier. When the UK concludes its Brexit transition period, the nation will fall outside of the GDPR zone. Under Article 45 of the GDPR, the data protection laws in the UK will need to be deemed “adequate” in order for such data transfers to occur. The European Commission has the power to determine whether an outside country has an adequate level of data protection in place. If the UK’s data protection laws are deemed adequate, then there will be an all-encompassing and clear agreement that data can transfer between the EU and the UK. As of now, the European Commission has not decided whether the UK will be fit for adequacy. 

For further information don’t hesitate to contact us at

Get the Data Digest in your inbox