Having Difficulties with the Data Protection Act 2018?

Author – Andrew Harvey, AMIRMS, Information Governance Consultant

There is no Data Protection Act (DPA) anymore, right? Well, “Yes” and “No”.

On 23 May a new piece of Data Protection legislation hit the statute book, right? “Yes”.
So that’s this weird thing called the EU General Data Protection Regulation (GDPR), you know, the one we got all those irritating emails about, asking us to say they could still email us? “Sort of”.

Confusing isn’t it?

Well, I’m confused, and I work in and am qualified in this field, so what does everyone else make of it? We need to give it all some clarity and simplicity.
How many times have you read in the media and elsewhere things like ‘the GDPR, as enacted in the UK by the new DPA’? Well, let me lay that myth to rest. The GDPR was not passed into law by a new DPA. The GDPR is a piece of EU legislation that, as we are (currently) a member of the EU, is directly law in the UK. The DPA 2018 is the Act mentioned above that received Royal Assent (a slightly archaic term for ‘became law’) on 23 May and became active on 25 May, the same day as the GDPR. Its purpose, among others, is to:

• Bring into law derogations from the GDPR. There you go, I said it. Derogations. Does anyone apart from a select (and ever so slightly geeky) few know what a derogation is? And there’s another of our problems: the ever-so-slightly (or one could say extremely) exclusive and alienating language of this Data Protection malarkey. Probably the best way of explaining derogations is as those few bits of the GDPR that the EU has said each individual country can decide upon itself. One of the most commonly quoted examples is that children in the UK can make their own decisions about using information society services from the age of 13.

• Implement the EU Law Enforcement Directive. Now, confusingly, an EU Directive is not directly law in EU member countries, whereas an EU Regulation (such as the GDPR) is. As a result, a Directive needs to be made law in each country. Even more confusingly, the old Data Protection Act 1998 was based on an EU Directive, whereas the new legislation is collectively made up of a combination of an EU Regulation (the GDPR) and an EU Directive.

Harrumph! So what other difficulties are there? Probably the most obvious is the language and style of the DPA. If you want to read the whole thing, it’s on the UK Legislation Website. But I wouldn’t recommend it, not unless you’re either far more nerdy than me, or an extreme insomniac. There are three problems that the DPA creates:

• The language, like a lot of legislation, is highly exclusive, using words, sentence structure and a general document structure that just do not knit well together for the average person.

• Complete confusion for Data Protection professionals and the general public alike as to whether they are seeing the whole picture – where does the GDPR actually interrelate with the DPA? Or indeed, does it interrelate? Do you need to know both inside out?

This blog isn’t a place to answer those questions, but it is a place to pose them.

What can we do to resolve it? Someone needs to write a damn good book or website totally aligning all of the GDPR to the DPA (oh... if only I had the time!). Or those who need to know can attend a sensitively structured course, pulling together the salient and most important areas for consideration.

