Skip to content
Privacy Regulations

UK Data Protection Act 2018

What is the UK Data Protection Act 2018?

One result of Brexit is that the UK is no longer subject to the EU General Data Protection Regulation (GDPR). Instead, legislation known as the UK Data Protection Act 2018 defines the data protection framework in the United Kingdom.

Designed to protect individual privacy and rights about their personal data and regulate the processing of personal data by organizations, the Act is the UK’s implementation of the GDPR. Among other things, it provides individuals with rights such as:

  • Access to their data.
  • Requesting rectification or erasure of their data.
  • Data process restrictions.
  • Data portability.
  • Objection to processing.

The UK Data Protection Act extends GDPR standards, creating distinct areas of processing that include:

  1. Within the scope of GDPR (UK GDPR).
  2. Outside the GDPR’s scope.
  3. Processing by competent authorities for law enforcement purposes and by intelligence services.

Which Data Protection Laws Apply in the UK?

Primary UK data privacy laws include:

  • UK General Data Protection Regulation (UK GDPR). Adapted from the EU GDPR, the UK GDPR includes seven key principles (listed below), rights, and obligations regarding the processing of personal data in the UK.
  • Data Protection Act 2018 (DPA 2018). This Act complements the UK GDPR, providing additional details and specific provisions for processing personal data, including law enforcement and intelligence services processing. It also outlines the functions and powers of the Information Commissioner’s Office (ICO), the UK’s data protection authority.
  • Privacy and Electronic Communications Regulations (PECR). Along with the UK GDPR and DPA 2018, these regulations provide specific rules for privacy in electronic communications, including marketing calls, emails, and cookies.

Other regulations and sector-specific laws might apply to certain types of data processing or industries, such as the Financial Services and Markets Act for the financial sector or the Health and Social Care Act for healthcare data.

What Does UK DPA 2018 Mean for Businesses?

DPA 2018 has significant implications for businesses operating in the UK:

  • Compliance with data protection principles. Organizations must ensure they comply with DPA 2018’s principles, including lawfully, fairly, and transparently processing data.
  • Lawful basis for processing. Enterprises must have a lawful basis for processing personal data, such as obtaining consumer consent, fulfilling contracts, and pursuing legitimate interests.
  • Data Subject Rights. Businesses must respect an individual’s rights, including the rights of access, rectification, erasure (also known as the “right to be forgotten”), restriction, data portability, and objection.

All “data subjects” can exercise their rights under the UK GDPR under certain circumstances and within some exemptions, including in situations where the data is needed to prevent or detect a crime, prosecute offenders, or impose a duty or tax on an individual. Other exemptions include data required to maintain effective immigration processes and policies, safeguard national security or defense, and any other function designed to protect the public.

  1. The right to be informed about the collection and usage of their personal data, including precise, unambiguous information about what organizations do with their personal data in easily accessible and plain language.
  2. The right of access allows users to know exactly what personal information a company collects and for what purpose. They must also be informed of how long the data will be stored and if their information has been shared with or sold to any third parties, including other countries or international organizations. Some exemptions include data processed for taxation or crime-related purposes and data that relates to legal professional privilege.
  3. The right of rectification allows data subjects to request modification or correction of any data that is outdated, obsolete, or incorrect, following collection.
  4. The right of erasure allows users to request that any collected personal data be deleted and further processing be stopped.
  5. The right of data portability allows data subjects to receive any data collected on them. The data must be in a commonly used and machine-readable format that the user can easily access.
  6. The right to object permits individuals to request a data processor or controller to halt all data processing activities on their data, including for marketing, research, and statistical purposes.
  7. The right to restriction of processing is used when a data subject challenges the data’s accuracy or the processor or controller no longer needs to process it. The same right applies if the data was unlawfully processed or the data subject objected to it being processed.

Other ways the UK GDPR can affect a business include:

  • Data Protection Officer (DPO). Some businesses (including those that process large amounts of special category data or carry out regular and systematic monitoring of individuals) might need to appoint a DPO to oversee compliance.
  • Data Breach Notification. Organizations must implement procedures for detecting, reporting, and investigating personal data breaches. If a breach is likely to result in a risk to individual rights and freedoms, they must report it to the ICO within 72 hours and, in some cases, to the affected individuals.
  • Data Protection Impact Assessments (DPIAs). Businesses must carry out DPIAs to identify and mitigate risks associated with processing that’s likely to result in a high risk to individual rights and freedoms.
  • Cross-Border Data Transfers. Enterprises must ensure that any transfer of personal data outside the UK is done in compliance with the DPA 2018 and the UK GDPR. This could involve using mechanisms like the Standard Contractual Clauses (SCCs) or ensuring the receiving country has adequate data protection laws.
  • Accountability. Companies must demonstrate compliance by maintaining records of data processing activities, implementing data protection policies, and conducting regular staff training.

Non-Compliance Consequences

Businesses that fail to comply with DPA 2018 regulations face significant fines, reputational damage, and legal challenges. In cases of infringement and non-compliance with information, assessment, or enforcement notices, organizations or individuals might be hit with administrative fines based on considerations such as:

  • Negligence.
  • The categories of the personal data that was infringed on.
  • Responsibilities of the processor or controller.
  • Actions taken to mitigate harm.
  • Past infringements.
  • Adherence to approved codes of conduct or certification methods.

The current standard maximum penalty is £8,700,000 or 2% of the undertaking’s total annual worldwide turnover in the prior financial year, whichever is higher. A penalty of £17,500,000 or 4% of the total annual worldwide turnover in the prior financial year, whichever is higher, is typically imposed when an organization fails to adhere to the Act’s basic processing principles, including conditions for consent, data subject rights, and the transfer of personal information to a third-country recipient or international organization.

To adquately protect their users and themselves, businesses need to understand their obligations under the Act and implement robust data protection practices.

The 7 Principles of the UK Data Protection Act 2018

The key principles of the UK General Data Protection Regulation 2018 include:

  1. Lawfulness, fairness, and transparency. Personal data must be processed lawfully, fairly, and transparently.
  2. Purpose limitation. Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that’s incompatible with those purposes.
  3. Data minimization. Only the necessary amount of personal data should be collected and processed for the intended purpose.
  4. Accuracy. Personal data must be accurate and kept up-to-date.
  5. Storage limitation. Data must be kept for no longer than is necessary for the purposes for which it is processed.
  6. Integrity and confidentiality. Personal data must be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  7. Accountability. Data controllers and processors are responsible for complying with these principles and must be able to demonstrate their compliance.


The UK DPA and GDPR are each crucial pieces of legislation for data protection; however, they do differ:

  • Geographical scope. GDPR applies to the processing of personal data by organizations within the European Union (EU) and the European Economic Area (EEA), as well as to organizations outside the EU/EEA that offer goods or services to, or monitor the behavior of, individuals within the EU/EEA. UK DPA applies specifically to personal data processing within the United Kingdom; it is the UK’s implementation of the GDPR, adapted to fit the UK’s legal system post-Brexit.
  • Legal framework. GDPR is directly applicable and enforceable in all EU/EEA member states. UK DPA incorporates the GDPR into UK law with some modifications and additional provisions, making it the primary data protection legislation in the UK.
  • Additional provisions. GDPR focuses primarily on personal data protection and individual rights. UK DPA includes additional provisions not covered by the GDPR, such as the processing of personal data for law enforcement purposes, intelligence services, etc.
  • Brexit considerations. Pre-Brexit, the GDPR was directly applicable in the UK. Post-Brexit, it is retained in UK law as the UK GDPR, with modifications to make it work in a UK context. Post-Brexit, the UK DPA and UK GDPR form the core of the UK’s data protection policy, providing continuity and ensuring the UK’s data protection laws are aligned with the GDPR.
  • Regulatory authority. With GDPR, each EU/EEA member state has its own data protection authority responsible for enforcing the GDPR within its jurisdiction. The ICO is the independent regulatory authority responsible for enforcing the DPA 2018 and the GDPR in the UK.

The Role of the ICO

The Information Commissioner’s Office is the primary regulatory authority responsible for enforcing the UK GDPR and DPA 2018 within the British territories. It holds investigative, corrective, and advisory powers and its responsibilities include advising Parliament and other institutions on matters related to data rights legislation and the personal data processing.

The ICO is also responsible for creating and presenting to Parliament an annual report setting out information on the types of infringements that occurred in the previous year and the measures taken. It also:

  • Promotes public awareness of data processing’s rules, risks, and safeguards and handles data subject complaints.
  • Has the authority to issue opinions related to personal data protection.
  • Is responsible for preparing a code of practice that conforms to legislative requirements.
  • How to Comply with the UK Data Protection Act 2018

Compliance with UK DPA 2018 involves organizations understanding their obligations, implementing the data protection principles, and establishing a lawful basis for processing personal data.

With its many strict and detailed requirements, many organizations regard the UK GDPR as intimidating, particularly when they must also consider the DPA at the same time. However, a systematic approach to compliance reduces complications and helps businesses ensure they adhere to all necessary regulations.

  1. Ensure your data privacy policy is easy to understand and clearly communicates your business’s obligations and data subject rights.
  2. Engage a DPO well-versed in both legislations, ensuring your compliance initiatives are up-to-speed.
  3. Invest in continual training that ensures organization-wide awareness of data protection responsibilities under the law.
  4. Conduct routine DPIAs for high-risk data processing activities. Performing data-mapping exercises ensures maximum compliance efficiency.
  5. Implement robust vendor due diligence process for third parties.
  6. Promptly notify regulatory authorities and impacted data subjects when a breach occurs.
  7. Ensure fulfillment of data subject rights.
  8. Obtain consent in a manner consistent with applicable requirements and maintain consent records.

Who Needs to Comply with the Law

DPA 2018 outlines the principles and obligations entities must follow when processing personal information to ensure the protection of individual privacy and data rights. It applies to any and all organizations or individuals that process personal data relating to individuals in the UK, including:

  1. Organizations and companies operating within the UK, regardless of size or sector.
  2. Organizations outside the UK if they process personal data of individuals in the UK in relation to offering goods or services or monitoring their behavior.
  3. Public authorities and government bodies.
  4. Charities and non-profit organizations.
  5. Individuals who process personal data for purposes other than purely personal, family, or household activities, such as self-employed individuals, freelancers, and sole traders.

Keep in mind that the DPA 2018 is the UK’s implementation of the EU’s GDPR, which applies across the European Union. Therefore, organizations simultaneously operating in the UK and EU might need to comply with DPA 2018 and the EU GDPR.