ECSH10500 - Data Protection Act 2018/General Data Protection Regulation: introduction

The EU General Data Protection Regulation (EU GDPR) came into effect on 25 May 2018 and replaced the Data Protection Act 1998. It was introduced to modernise and harmonise data protection laws across Europe, particularly in light of the increased use of social media platforms that did not exist in 1998. Although the UK has left the EU, the provisions were retained in UK law as the UK GDPR, and the UK now has the independence to keep the framework under review. The provisions have not been substantially amended, and as of October 2024 the obligations in the UK GDPR remain principally the same as they were under the EU GDPR.

In the UK we also follow the requirements set out in an amended version of the Data Protection Act 2018 (DPA 2018). The DPA 2018 supplements the UK GDPR and incorporates specific rules applying to law enforcement processing, including a set of rules on how we can process information about criminal offending.

Section 16(1)(a), DPA 2018 affects the application of UK GDPR where processing is necessary for compliance with a legal obligation, for the performance of a task in the public interest or in the exercise of official authority. This applies to the information that EC-S collects and processes as part of ensuring a business complies with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

The DPA 2018 is principally about:

  • Control – giving individuals much more control over what happens with their data and who they share it with
  • Transparency – making HMRC more open about what they do with personally identifiable data and who they share it with
  • Accountability – making HMRC accountable if something goes wrong

Data Protection is the process of safeguarding important information that can identify living individuals from corruption, compromise or loss. HMRC is a Data Controller because we collect data and decide how we process that data.


Data Breaches

If there is a suspected data breach, it must be reported as soon as possible, and within two working days of the occurrence.


Additional information

HMRC guidance in relation to GDPR and the DPA 2018, which includes points of contact, can be found on the HMRC SharePoint site.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017)

MLR 2017 places obligations on both HMRC, as a supervisor, and businesses in relation to GDPR and the DPA 2018.


Obligations for HMRC

Personal data may be collected by HMRC in the course of undertaking its supervisory functions. This will include but is not limited to:

  • Registration data collected under Regulations 54 and 55.
  • Customer due diligence (CDD) and transaction data viewed and/or obtained as part of a compliance intervention.

It is therefore important that HMRC follows data protection legislation and ensures its practices conform with that legislation. Further guidance about data protection and retention periods can be found at ECSH34106.

Officers should ensure they undertake all mandatory and relevant GDPR training.

Regulation 106 MLR 2017 does not authorise or require a disclosure of personal information in contravention of data protection legislation, which means HMRC must not disclose personal information which is subject to the DPA 2018. However, Regulation 52(1) MLR 2017 does allow a supervisor to disclose information relating to its supervisory functions to another relevant authority. As a safeguard, Regulation 52A MLR 2017 protects the confidentiality of this disclosed information as follows:

  • Regulation 52A(1) specifies that no person working for or on behalf of a supervisory authority can disclose any confidential information in the course of their duties, other than information specified in Regulation 52(1).
  • Regulation 52A(5) obligates the receiving relevant authority to keep the disclosed information confidential.

Obligations for businesses

Regulation 41 MLR 2017 sets out the obligation on a business in relation to any personal data it obtains: a business can only process the data for the purposes of preventing money laundering, terrorist financing or proliferation financing. In addition to this, the business must inform its customers of this. For further guidance see ECSH33575.

Under most circumstances businesses cannot use GDPR as a reason not to provide information to HMRC for the purposes of supervision. Regulations 72(2) and 72(3) MLR 2017 provide that a business's compliance in providing information when HMRC exercises its powers under regulations 66, 69 and 70 MLR 2017 does not carry a civil liability for breaching GDPR obligations. Nor does that provision of information automatically breach restrictions on the disclosure of information. If a business fails to provide information as required under regulation 66, 69 or 70 MLR 2017 then it is liable to sanctions. See ECSH82805.