Back in the far-off days before the start of the long hot, and lazy summer that was 2018, we introduced you to the General Data Protection Regulation (GDPR). By now, you will have well and truly heard of this new Regulation from every source imaginable (but hopefully not the Information Commissioner!).
Over the winter months from October 2017 until March 2018, we published in Bar Talk some 11 different blogs for you, each one on a different aspect of the GDPR. The purpose was to provide a light-hearted introduction to data protection, pointing out the different players in the data protection theatre, their responsibilities and the penalties that could be visited on those players if they failed to comply with the GDPR.
We also promised that we would be back when the GDPR became the new Data Protection Act 2018 (DPA18). We said that we would explain what our UK legislators had done with the GDPR. Our best brains have spent the summer trying to fathom this out. As you will come to appreciate, this was a bit of a tricky task, particularly as Member States were, unusually for a EU Regulation, allowed a certain amount of leeway in their national implementation drafting.
DPA18, in its 353 pages of PDF, is not the easiest statute in the world to read and understand. In fact, it is a bit of a dog's breakfast with an awful lot of cross referencing to and from different schedules and references to an "applied GDPR" - see below. In an ideal world, the new data protection legislation might have simply set out the GDPR drafting and expanded and restricted this as permitted.
However, we don't live in an ideal world. For starters, the "data protection legislation" is now defined (s.3(9)) as (a) the GDPR, (b) the applied GDPR - see the DPA18 s.21 for what that means, (c) the DPA18, (d) regulations made under the DPA18, (e) regulations made under the European Communities Act 1972 which related to GDPR or the Law Enforcement Directive.
Just to add to the interest and amusement, the opening section on definitions provides that terms in Part 2 Chapter 2 have the same meaning in the GDPR; but, the term might have a modified meaning and it might have a different meaning in the DPA18. So, we start off with a modicum of uncertainty as to what means what and where! But don't let that put you off. Your IT Panel has tried its hardest to sort the relevant wheat from the irrelevant chaff and make the minimum amendments to the original blogs.
Overall, the DPA18 is divided into 7 Parts. Each Part has a series of Chapters. Chapters which give the impression that they might apply to data protection generally, actually only apply to the particular Part. So, for example, the data protection Principles are enunciated at least twice in the statute - but in each case where they are stated, they apply only to the Part in which they are located. You will see the Principles stated both under Law Enforcement Processing (Part 3) and Intelligence Services Processing (Part 4). But the Principles set out in these Parts don't apply to the ordinary work of a barrister.
General processing, which is what the Bar is mostly involved in, remains largely unaltered from GDPR, unless we clearly state this in the revised blogs. Part 1 makes clear that "most processing of personal data is subject to the GDPR" (s.1(2)).The Data Protection Principles which apply to the ordinary work of a barrister are set out in the GDPR itself at Article 5.
So, in summary, what you have in the DPA18 is a multi-layered Christmas cake consisting of (a) a thick layer of original GDPR, (b) several thin layers of expansion permitted by the terms of GDPR (e.g. for details supporting the work of the Information Commissioner and Enforcement provisions), (c) a couple of thin layers which probably don't concern you too much and relate to Parts 3 and 4 mentioned above, (d) the icing covering the cake consisting of transitional provisions and amendments, all supported by 20 different schedules. If you want to find out more about it without printing out 353 pages, you can find a bird's-eye view of its contents at www.gdpr-dpa.co.uk/dpa.html.
We are not, incidentally, going to give you the headache of scrolling between what we said originally and what we are about to say about DPA18, and ask you to make comparisons. Rather, we have decided to republish the original blogs with DPA18 text added in. Then you will have the whole benefit; a reminder of what we wrote plus DPA 18 overlaid. And, of course, for those (now, of course, very) few souls who have not read the blogs, you have a second opportunity to do so!
So, we will start off with the first blog - a general warning about what is going on in the world today and how you could be affected. Join us on the second journey and we hope what we will be saying is useful.
Bar Council IT Panel