Strike Graph security compliance blog

Has the Data Protection Act of 1988 been repealed?

Written by Michelle Strickler | Jul 4, 2023 7:00:00 AM

With the landscape of privacy and security constantly evolving, it can be a challenge to know when legislation has changed with it – especially older, foundational laws like the Data Protection Act of 1988. And if an older law like this is no longer active, are organizations still subject to its requirements? For any company that stores personal data, the answer is often yes. But, the requirements typically are mandated by a modernized version of the original law.

This is the case with the Data Protection Act (DPA) of 1988. Most of its foundational ideas still exist in some form, so it's important for organizations to know exactly which portions of the law they’re still required to adhere to.

The Data Protection Act (DPA) of 2018 is a UK law which updated the way that organizations handle and protect people’s personal data. This law is the way that the UK specifically implements the General Data Protection Regulation (read our quick Guide to GDPR here) and the ways those regulations are enforced.

People might wonder: with the new DPA of 2018 in place, has the DPA of 1988 been repealed? A better way to frame this is that the 2018 version of the DPA now supersedes the 1988 version (and the versions that have been established since then, like the 1998 version) because of its updated procedures for the modern digital world. 

The reality is that it would be hard to repeal any law that set the stage for security and privacy in the way that this historic act did. The following are major concepts in the security landscape that the DPA of 1988 helped to establish:

  • Best practices for security storage, which created a lasting, ethical framework for organizations who store people’s personal data — These practices are now also referred to as the 7 GDPR principles
  • A groundwork for consumer rights (now also referred to as the 8 GDPR Rights) — Consumers finally were given specifically defined ways to control their information that was stored by businesses or organizations.
  • Legal requirements to follow the DPA framework and ensure its consumer rights — There were heavy fines for organizations that were not in compliance.

The DPA of 1988 established foundational concepts that will continue to guide security legislation. But, those concepts have evolved to better meet the needs of the current day with updated versions like the current 2018 Act in the UK.

The Data Protection Act and General Data Protection Regulation are in many ways connected as forms of data legislation. The GDPR is the data privacy and security standard in the EU, and it is widely considered one of the strongest collections of data protection regulations in the world. The DPA of 2018 is the UK’s complete set of data protection systems, which includes data represented by the GDPR, but also other generalized data, like that of national security and law enforcement interest. 

There are, however, some nuanced differences between the two and areas where the DPA makes slight changes to GDPR measures to better suit the UK’s context. The following are some examples of the differences between the two:

  • Differences in the processing of criminal data – the DPA allows a larger scope of organizations to process this data, largely for the purpose of supporting investigations.
  • The GDPR has a broader definition of “identifier” as it applies to personal data, including internet cookies and IP addresses.
  • The two laws vary on the age at which a child can consent to data processing – the DPA says 13 while the GDPR says 16.
  • The DPA allows automated decision-making in select circumstances (those with justifiable cause and appropriate safeguards in place) while the GDPR generally says that personal data should not be subjected to this.
  • When considered in the public interest, the DPA allows for certain exemptions from the personal data protections that are enforced by the GDPR.

Overall, the GDPR is the security standard for working with European customers or businesses. But knowing that the DPA is the way that the UK administers and enforces this standard, while  allowing for some of its own changes, is important for anyone doing business in either region. 

For anyone doing business in Europe or with European customers – OR with the UK – GDPR compliance is a must.  No matter what region you’re working with, Strike Graph’s comprehensive platform will streamline your road to compliance with GDPR-mapped controls, automatic evidence collection, cross-team task distribution and more.