GDPR Blog Week 10: GDPR or Data Protection Act 2018?

The UK Data Protection Act 2018 (“the new Act”) received royal assent on 23 May, and its provisions commenced 2 days later, at the same time as the GDPR.

Why do we need both? With Brexit looming ahead it will be necessary for the government to entrench the GDPR provisions into UK law. When we leave the EU, we will be designated by the EU Commission as a “third country” and it will be even more important in this brave new world to demonstrate that our data protection legislation is as robust as that of our European counterparts. In doing so, we will avoid infringements and maintain the confidence of our trading partners in the region that our (and their) personal data will be secure. We can’t have a situation where there are fears that the UK’s data laws won’t offer similar levels of protection as the GDPR, which will continue to operate across Europe.

The new Act covers some other areas on which the GDPR is silent. These are provisions relating to national security and there are some lengthy exemptions relating to data subject rights in sectors such as law enforcement and processing by the intelligence services. There is a general exemption against data subjects exercising their rights in areas of health, social work, education and child abuse data and the new Act also addresses situations of legal professional privilege and where personal data may contain personal information of others which, unless protected, would cause a breach in making a disclosure.

One important change between the GDPR and the new Act is the age of consent for children to provide their personal information in the area of Information Society Services (ISS), which has been reduced to age 13.  ISS are online services, often games, purchased and downloaded onto a child’s device. So, for example, a software company marketing directly to a child for on-line gaming products must seek parental consent for any child under the age of 13. This overrides the GDPR, which lists the age of consent for ISS as 16 years. For all other processing of children’s personal data, parental consent must be sought for all children under the age of 18. So the GDPR and new Act will work together for the time being.

The new Act also introduces new criminal offences, such as knowingly or recklessly re-identifying information that was previously made anonymous or obtaining or disclosing personal data without the consent of the controller. It is also an offence to deliberately alter or conceal information which should be provided in response to a subject access request. These are backed up with enforcement powers given to the Information Commissioner which allow her to serve enforcement or assessment notices on businesses and to exercise the right to enter premises for inspection where certain conditions prevail. Any efforts to sweep documents or other evidence under the proverbial mat will also be met with criminal sanctions.

Let’s not forget that the GDPR also significantly raises the penalties for non-compliance from £500,000 up to €20 million (or 4% of group annual turnover). One thing is for sure, the new Act has teeth, and the Information Commissioner isn’t afraid to use them.

I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.

Contact Us

    You can always change your mind by unsubscribing here.

    We will only use your information to handle your enquiry and won’t share it with any third parties without your permission.