The act has seven parts. These are outlined in Section 1:

• This act makes provision about the processing of personal data.
• Most processing of personal data is subject to the GDPR.
• Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
• Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
• Part 4 makes provision about the processing of personal data by the intelligence services.
• Part 5 makes provision about the Information Commissioner.
• Part 6 makes provision about the enforcement of the data protection legislation.
• Part 7 makes supplementary provision, including provision about the application of this act to the Crown and to Parliament.

The act introduces new offences that include knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such disclosure, or retaining the data obtained without consent. Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed would also be an offence.

Essentially, the act implements the EU Law Enforcement Directive, implements those parts of the GDPR which "are to be determined by Member State law", and creates a framework similar to the GDPR for the processing of personal data which is outside the scope of the GDPR. This includes intelligence services processing, immigration services processing and the processing of personal data held in unstructured form by public authorities.

Under section 3 of the European Union (Withdrawal) Act 2018, the GDPR will be incorporated directly into domestic law immediately after the UK exits the European Union.

The enforcement of the act by the Information Commissioner's Office is supported by a data protection charge on UK data controllers under the Data Protection (Charges and Information) Regulations 2018. Exemptions from the charge were left broadly the same as for the 1998 act: largely some businesses' and non-profits' internal core purposes (staff or members, marketing and accounting), household affairs, some public purposes, and non-automated processing. Under the 2018 act, the enforcement regime for registration changed from criminal to civil monetary penalties.

The act introduces a new public interest test applicable to the research processing of personal health data.

The act gave people the right to apply to courts and tribunals for different orders, including: in the tribunal, an order for the Information Commissioner to conduct an investigation (section 166); in the court, compliance orders against the Commissioner or controllers or processors (section 167); in the tribunal, against penalty notices and other enforcement decisions (section 162). The jurisdiction of these sections, and their extent and limits, have been the subject of a campaign of litigation, including as high as the Court of Appeal.

== Additions ==