The Data Protection Act 2018 – A five year reflection
Published: May 31, 2023
Author: admin

In the wake of TikTok being fined £12.7m by the Information Commissioner’s Office (“ICO”), we look at some of the key data protection issues in the UK. We consider what you should be doing in your business as we approach the fifth anniversary of the General Data Protection Regulation 2016/679 (“GDPR”).

What is data protection?

In the UK, data protection is governed by the Data Protection Act 2018, which implements the GDPR. The GDPR came into effect on 25 May 2018 and strengthened the rights of data subjects in the EU (of which the UK was still part). It also increased enforcement of breaches of data protection principles. The GDPR was a pivotal moment in the commitment of the EU to data privacy.

The Data Protection Act 2018 sets out the rules for collecting and processing personal data. The definition of personal data is now much wider than the previous definition. It now includes any data which can identify a living person, such as name, address, date of birth, IP address, picture, social media handles, bank details, medical records etc.

What are the key principles of data protection in the UK?

Data protection is taken very seriously in the UK. The Data Protection Act 2018 requires that all personal data be processed fairly, lawfully, transparently and for a specific purpose. There must also be a legitimate basis upon which you have the right to collect and process the data. Such bases include consent and other reasons, such as fulfilling a contractual obligation. The Act also requires that an individual be informed about how their data is being used and about their right to access, correct and remove their data.

The ICO, the independent regulator for enforcing data protection in the UK, suggests organisations should adopt a privacy-by-design model. This means any business idea, concept, and product should be designed with the right to privacy in mind. For example, any software should be designed with key technological safeguards to ensure that personal data is not vulnerable to being stolen.

Some recent fines that the ICO has imposed besides the TikTok fine in April 2023 include British Airways in 2019 – £20m; Marriott International in 2019 – £18.4m; Facebook in 2018 – £500,000.

What does it mean for my business?

It is imperative that your business demonstrates that it is compliant with the Data Protection Act 2018. There are several things you should have in place, such as:

  • Comprehensive data protection policies that work for your business.
  • A privacy policy clearly displayed on your website, or provided to third parties who send you personal data other than via a website. It must specify what personal data you will be collecting, how it will be collected, what you will be using it for and on what basis you have the right to collect and process this information.
  • Proper privacy provisions for dealing with staff personal data and the storage and retention of personal data.

As we approach the fifth anniversary of GDPR, we are auditing clients to check compliance and to ensure that documents remain up-to-date and relevant to their business. We believe the ICO would be less tolerant of total non-compliance than it may have been in the immediate aftermath of GDPR. In the rush of many organisations to get documents in place in anticipation of GDPR in 2018, many of those documents have either not been properly updated, simply do not work, or have never worked for the organisation.

The power of the ICO and its expectations, now five years post-GDPR, should serve as a wake-up call to businesses to reprioritise data protection. It is time to review existing policies, retrain new staff and check that all new products and changes remain compliant.

Key contacts

Karen Holden
Founder & MD


Jackie Watts
Director & Head of Commercial Team