The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data has to follow strict rules called 'data protection principles'. They must make sure the information is: used fairly, lawfully and transparently. It is a legal milestone, superseding the Act from 1998. However, the foundational principles remain consistent, several new components cater to the evolving technological landscape. For those immersed in the world of face recognition and biometrics, understanding this Act's nuances is crucial.
Here are some noteworthy aspects of the Data Protection Act 2018:
Expansion of Personal Data Definition
- The Act classifies "location data or online identifiers" as personal data, which is a notable deviation from the previous understanding.
- It provides a comprehensive definition of 'personal data,' which pertains to information related to an identified or identifiable living individual. This includes a direct or indirect reference to identifiers like name, ID number, location data, online identifiers, or factors tied to the physical, physiological, genetic, mental, economic, cultural, or social identity of a person.
Inclusion of References
- An intriguing addition is that references to personal data now fall under the ambit of personal data and its processing. This implies a more inclusive view of what constitutes personal information, making it essential for biometric systems and related technologies to ensure a broader scope of compliance.
Clear Definition of Processing
- The Act provides a comprehensive understanding of 'processing'. Processing encompasses a range of operations on information or sets of information. This includes collection, recording, structuring, storing, adaptation, alteration, retrieval, consultation, usage, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. Such a detailed delineation is vital for companies employing face recognition technologies, ensuring they remain compliant across all data processing stages.
Relationship with GDPR
- The Data Protection Act 2018 complements and expands upon the General Data Protection Regulation (GDPR). It indicates that the Act is not just a replica but an enhancement of the GDPR tailored to the UK context.
- For biometric projects in the UK, this signifies that legal intricacies will be manifold, potentially leading to higher project costs and challenges. The intertwined nature of this Act with the GDPR necessitates rigorous adherence to both regulations.
P.S.: Special thanks to Mikhaylo Pavlyuk, the CCO of 3DiVi Inc., for assistance in preparing the information for this article.