GDPR – it’s not the whole story

28 June, 2018

By now hopefully the excitement of 25th May 2018 (or “GDPR Day”) has subsided. But the GDPR isn’t the only legislation that came into force then. The Data Protection Act (DPA) 2018, after some last minute wrangling and compromise, was given Royal Assent on 23rd May 2018, and much of it came into force just two days later.


You might wonder why we need another Data Protection Act when we already have GDPR to worry about. Well, despite it’s billing as a “one stop shop” that would make data protection law consistent across Europe, the GDPR does need national law to fill in the gaps in some areas. So each member of the EU needs to pass national implementing law to deal with those areas. At the date of writing, the majority of member states’ are still at the draft stage when it comes to their local implementing law. The UK managed to squeeze theirs in just before GDPR Day.

So What?

So what does the DPA 2018 do? Well, lots of things. It’s a hefty 353 pages (compared to the GDPR’s paltry 88) but many of the changes will only be relevant to public authorities, or activities like law enforcement or anti-terrorism measures. Much has been made about the minimum age of giving consent for data processing being lowered to 13 (from 16), but this only applies in relation to online services directed at children.

The key provisions of the DPA 2018, which will affect almost every business, relate to the use of “special categories of data”, i.e. particularly sensitive data. This includes information concerning an individual’s health. While many organisations won’t use any information relating to outside individual’s health, they almost certainly will in relation to any employees, when dealing with sickness absence, or accommodating any health-related requirements. The GDPR allows organisations to use this data as necessary to comply with employment law obligations, or exercise employment law rights, but only if local law authorises this use and provides appropriate safeguards.

Without the DPA 2018 then, it’s likely most organisations wouldn’t be able to use data about their employees’ health. The DPA 2018 sets out that organisations can use health data as necessary to carry out obligations or exercise rights in connection employment law, but requires them to have an “appropriate policy document” in place.

The appropriate policy document needs to explain the employer’s procedures for complying with the data protection principles in relation to that use of health data. It also needs to explain the employer’s policies around retention and erasure of that data, and indicate how long it is likely to be retained.

Without that policy document, any use of employee health data is likely to be in breach of the GDPR and DPA 2018. Any organisation which engages employees and uses any health data should review its policy documents to ensure they comply with the DPA 2018 requirements.

What next?

At Cripps Pemberton Greenish we have prepared a Data Protection Toolkit which contains questionnaires, customisable template documents and related guidance (including a template “appropriate policy document” as part of an internal privacy notice) and we are offering half day and full day workshops to help our clients get up to speed with the data protection law – if you’d like more information on the toolkit or workshops you can contact us using the details on the right. You can see a list of the documents (and a description of some “GDPR Essentials”) here.

For more information on data protection, please contact Elliot Fry at or on +44 (0)1732 224 034

For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw