The Data Protection Act of 2018

The Data Protection Act 2018 is the UK’s implementation of the EU’s General Data Protection Regulation (GDPR) and controls how personal information is used by organizations, businesses, or the UK government.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles.’ They must make sure the information is:

  • used fairly, lawfully, and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant, and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction, or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political beliefs
  • religious beliefs
  • trade union membership (referred to as unions in the US)
  • genetics
  • biometrics (where used for identification)
  • health
  • sexual orientation
  • There are separate safeguards for personal data relating to criminal convictions and offenses.

People rights

Under the Data Protection Act 2018, people have the right to find out what information the government and other organizations store about them. These include the right to:

  • be informed about how the data is being used
  • have access to personal data
  • have incorrect data updated
  • have data erased
  • stop or restrict the processing of your data
  • data portability (allowing you to get and reuse your data for different services)
  • object to how your data is processed in certain circumstances

People also have rights when an organization is using their personal data for:

automated decision-making processes (without human involvement)
profiling, for example, to predict your behavior or interests.