Plain English Data Protection Act 2018 – Part 1

Anonymous Japanese Warriors
Anonymous Japanese Warriors

Part 1 – Preliminary

Oh Boy, oh boy! More legislation to work through. If I could make millions out of doing this as a YouTube channel I totally would. (I’d probably do it for hundreds even). The Data Protection Act of 2018, so this is British legislation it generally uses the same hierarchical names but in a different order. We shall see things laid out in Part, Chapter, Section and Subsection order.

7 Parts will give us 7 blog posts working through the document. It’s not rocket science but just wanted to give you a heads up.

Now there is a preamble for this document and in it we get this gem, “Be it enacted by the Queen’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same as follows: -“

I’m going to take a stab that this or something of this note is found at the beginning of all legislation. Already it seems a bit over the top, but the funny thing is that here in this particular legislation which is going to rely on some fairly technical nuance we are relying on the authority of the Queen, the Lords Spiritual, the Lords Temporal and the Common. Unless one of the hereditary lords has a hobby dabbling in digital privacy that has been kept away from the limelight I’m going to go out on a limb here and say that not one of these authorities has the expertise to weigh in on data protection.

Not taking away the vast array of experience this very noble panel do possess, just I’d rather have a Tim Berners-Lee sign their name for the authority, or even Kim Dotcom for that matter. Not the Archbishop of Canterbury or the Earl Marshal.

Section 1 – Overview

Now it is not going to come as a shock, but I am not a lawyer. However, the first article is laying out what each part throughout the document is focusing on. This comes hard after the Contents section. Nobody would have thought that I’d harken back to the good ol’ days of GDPR, but at least they didn’t cover the first page in redundant and completely useless information. Perhaps there is a legal requirement and or precedent for this?

Section 2 – Protection of personal data

This seems like the first real bit of something new. And we immediately start off with a conundrum: “The GDPR, the applied GDPR, and this Act…” why is there a differentiation between the GDPR and the applied GDPR? I couldn’t find a quick answer, so I’m open to hearing thoughts.

Then we get the all-important three key aspects of this legislation:

  • Requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis.
  • Conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified.
  • Conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.

Unlike the shadowy Commission from GDPR, I believe they are referring here to the Information Commissioner, the post currently being held by Elizabeth Denham who coincidently was listed as the number one data-driven business influencer in DataIQ’s top 100.

Now as an aside here looking at this list I’m a bit dubious. There are three main criteria for selecting the people on this list, one is leadership vaguely defined, then engagement vaguely defined. This does not seem like a publication dedicated to data-driven anything. Although the third item is they look for people who support DataIQ and that just makes me shiver and feel dirty all over. I love what DataIQ stand for and where they are going, I just wish they could be a little less commercial about picking candidates they believe are leading the industry.

Section 3 – Terms relating to the processing of personal data

This is as you’d probably guess a list of what terms are being used in this document and what they mean. Reading it though does cause some déjà vu as I remember doing this with GDPR. Like word for word remember it.

What is interesting is what they choose to call out and those items they don’t, so pseudonymisation doesn’t make an appearance, but filing system does? Not sure why. Then a whole series of definitions about types of data are not included. Section 15 says that section 206 contains a list of defined expression and skipping ahead in the document (spoiler alert) we see that instead of taking the time to define terms Section 206 goes through and lists fifty-five terms and links to their definitions in random sections throughout the document. Like object orientate programming this is a clever way of maintaining definitions, but someone should teach them about readability.

Although we get confirmation here in Section 8 that ‘The Commissioner’ does, in fact, refer to the Information Commissioner and also in Section 11 that ‘the applied GDPR’ means the GDPR as applied by Chapter 3 of part 2. So it looks like we’ll come up to that in more detail in 2 weeks.


Now I’ve only just begun my journey down the dark path of legislation translation, but we’ve already got off on the wrong foot. This document (even more so than the GDPR) is difficult to read, tried to reference itself all over the place building a tangled web of definitions and ideas such that it would be rendered useless by anyone other than a trained constitutional lawyer. I actually feel a bit let down by the government for writing this garbage which now governs my and every other citizen’s life in the UK. I’ll leave you with Section 14:

(14) In Parts 5 to 7, except where otherwise provided—
(a) references to the GDPR are to the GDPR read with Chapter 2 of Part 2 and include the applied GDPR read with Chapter 3 of Part 2;
(b) references to Chapter 2 of Part 2, or to a provision of that Chapter, include that Chapter or that provision as applied by Chapter 3 of Part 2;
(c) references to personal data, and the processing of personal data, are to personal data and processing to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies.

In the wise, wise words of Kimberly ‘Sweet Brown’ Wilkins, “Ain’t nobody got time for that!”

Previous articleData Protection Act 2018 – Introduction in English
Next articleSeptember – Don’t Forget Pirate Day
Born into the wilds of mid-western America, Matthew has lived his life creating. The kind of kid that bought a tarp, some PVC pipe and a skate board; fashioned himself a windsurfing set-up and then saw an opportunity in a local tornado. "Sorry Mom." Undergraduate in Art and Design, Doctorate in Scottish History, Matthew came late to the realisation that if he's going to use his diverse skill set he'd have to employ himself.