In Short
- The Data Protection Act 2018 (DPA 2018) complements the UK GDPR, forming a key framework for managing personal data in the UK.
- Small businesses must comply with rules for processing sensitive data, managing exemptions, and cooperating with the ICO.
- Compliance helps mitigate legal and reputational risks while fostering trust and accountability.
Tips for Businesses
Start with a data audit: identify the personal data you collect, why you need it, and how you protect it. Draft clear privacy notices for employees and customers. If you process sensitive data, check you meet stricter DPA 2018 conditions. Legal advice can help you ensure full compliance and avoid penalties.
As a small business owner, you probably handle personal data as part of everyday business tasks, such as managing customer details, sending promotional offers, and processing employee information. Many small business owners are unaware of the full extent of their responsibilities under UK data protection law. However, compliance is mandatory. Whether you are launching your first startup or growing your small business operations, complying with the UK’s Data Protection Act 2018 (DPA 2018) is critical. This law sits alongside the UK General Data Protection Regulation (UK GDPR) to regulate how businesses use personal data. This article explores the DPA 2018 and some essential considerations for small businesses that process personal data.
What is the Data Protection Act 2018?
The DPA 2018 became law on 25 May 2018, replacing the previous Data Protection Act 1998. It introduced updated rules alongside the GDPR to address technological developments and the increasing complexity of data processing. The DPA 2018 supplements the UK GDPR by addressing areas not directly covered by it (such as national security and law enforcement processing). It also establishes frameworks for processing personal data in these contexts.
Organisations processing personal data must follow the DPA 2018 as it adds detailed provisions to the broader UK GDPR, defines specific exemptions, and clarifies the powers of the Information Commissioner’s Office (ICO), the regulator that enforces data protection law.
What Should Small Businesses Know About the DPA 2018?
Understanding the various data protection laws and how they work can be challenging for a small business. However, you must invest in understanding this area and in your compliance, as breaching the rules can be costly and cause many problems.
In short, the UK GDPR provides the primary rules for processing personal data. It sets out broad principles (such as lawfulness, fairness, transparency, and accountability when processing personal data). The DPA 2018 supplements these principles with a range of additional rules.
For example, the DPA 2018 includes provisions regarding the following key areas:
Exemptions
The DPA 2018 allows certain exemptions to UK GDPR principles. However, exemptions are narrow, and businesses must apply them correctly to avoid non-compliance. Legal advice is advisable when you seek to rely on an exemption.
Law Enforcement and Intelligence Processing
The DPA 2018 introduces additional rules for law enforcement agencies and intelligence services that extend beyond the UK GDPR.
ICO Powers
The DPA 2018 enhances the ICO’s authority to investigate breaches, enforce compliance, and issue penalties.
Key Aspects of the Data Protection Act 2018
The DPA 2018 divides its rules into various parts, and small businesses should pay attention to the following key provisions:
Data Processing Rules
The DPA 2018 supplements how businesses must process personal data in line with UK GDPR principles, such as lawfulness, fairness, and transparency. If you handle special category data, such as health or biometric data, you must follow stricter conditions under the DPA 2018.
For instance, if your small business collects data about your customers’ health conditions, which constitute special category data, you must comply with these rules.
Exemptions for Specific Processing Activities
The DPA 2018 provides exemptions for specific scenarios, such as processing data for crime prevention. These exemptions are narrow, so if your small business seeks to rely on one, you must interpret and apply it cautiously to avoid penalties.
ICO Enforcement Powers
The ICO has extensive authority to investigate breaches, audit compliance, and issue enforcement notices.
Penalties and Offences
The DPA 2018 sets out penalties for breaches, including criminal offences such as unlawfully obtaining personal data or re-identifying anonymised data. Again, these are vital for a small business to understand and comply with.
What are the Challenges and Risks for Small Businesses?
Your small business must comply with the DPA 2018 and the UK GDPR. This will help protect your business from legal and reputational risks, establish good data practices from an early stage, and build on them as your business grows.
However, certain rules under the DPA 2018 might be tricky for a small business to grasp fully, for instance, the conditions your small business must meet when it seeks to rely on an exemption under the DPA 2018.
Similarly, you will need to meet the stricter conditions that apply to special category data when you use biometric data, such as fingerprint scanners, for security.
The DPA 2018 also sets rules regarding criminal convictions and offence data. Your small business must comply with such rules where relevant, e.g., if it conducts criminal background checks.
Key Takeaways
The Data Protection Act 2018 works alongside the UK GDPR to form the key framework for UK data protection law. Small businesses must understand how this legislation applies to their daily trading and operations. By complying with these laws, you will be in a far better position to help protect your business from legal risks, maintain trust, and demonstrate a commitment to data protection and accountability (a key data protection law principle). If you need clarification about which legal rules apply to your business or need help navigating them, seek legal advice to ensure compliance and avoid costly mistakes.
If you need help with your data protection compliance as a small business, our experienced data privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Your small business must understand the DPA 2018, a key and mandatory law governing personal data use alongside the UK GDPR rules.
The DPA 2018 is a UK law that regulates how businesses and organisations process personal data. It works alongside the UK GDPR to provide a detailed framework for data protection (including specific UK rules for exemptions, law enforcement, and national security).