What is the Data Protection Act 1998?


The European Union's General Data Protection Regulation (GDPR) has been the biggest shake-up of data protection laws the world has ever seen. Since its introduction in May 2018, the way businesses across Europe collect, store and use data has come under greater scrutiny.

However, its introduction also came amid the UK's prolonged exit from the EU. This led to uncertainty over whether the UK would adopt the legislation, since its main purpose was to harmonise data transfers between member states. In practice, GDPR has continued to exist in the UK in the form of the Data Protection Act (DPA) 2018, as has the Data Protection Act (DPA) 1998.

The DPA 2018 is often referred to as 'UK GDPR' but is actually an update to the DPA 1998. It was drafted to translate the majority of the GDPR's principles so that they fit into existing UK law.

The 1998 law is still in use for cases of data misuse or theft that happened before 23 May 2018 (the implementation date of DPA 2018). Although this law has been in play for some time, it's important businesses understand how both work since they can still be found in breach of the older one for legacy incidents.

It's also important to understand that data laws have had to evolve, which may have changed some articles of the Data Protection Act 1998. Organisations must understand how much the law has changed and its current scope in terms of compliance, as well as how it can still affect their business.

What does the Data Protection Act 1998 mean?

The Data Protection Act 1998 was the law governing the processing of personal data by all organisations, be they public or private, including charities.

All data breaches in the UK are investigated by the Information Commissioner's Office (ICO), and the same was true then; the act also set out the types of penalty that could be applied if someone was found to have contravened its rules.

Data Protection Act 1998: Summary

The Data Protection Act 1998 regulated the use and protection of personal data, and outlined the responsibilities a business had to protect that data. It superseded the Data Protection Act 1984 and Access to Personal Files Act 1987.

It was amended in 2003 to give individuals more control over the digital marketing communications they receive, meaning they must opt in to receive emails, SMS text messages etc. from an organisation if they have never had contact with it before.

What was personal data defined as?

According to data protection principles, and previous regulations, personal data is defined as information relating to an individual that can be used, either in isolation or in combination with other data sources, to reveal that individual's identity. Where a data controller already holds such data, personal data also covers information that is likely to come into that controller's possession.

This also included expressions of opinion about that person and any intentions the data controller or another individual may have with regard to them.

The DPA 1998 also provided protection for sensitive personal data, which was defined as information relating to a person's racial or ethnic origin, political and religious or similar beliefs, membership of a trade union, physical and mental health, sex life, any criminal charges or allegations against them, and any proceedings against them (such as a court case or a prison sentence).

What data formats were covered?

The DPA defined possession of data as data that resided on a machine or on paper in a readable, accessible form. Regarding paper records, the ICO classified a paper filing system as individuals' records held in a "systematic, structured way" that provided easy access to those individuals' information.

Data was also classified as "accessible records" covering health or education. While this information wasn't necessarily held in a structured, easily accessible way, it was important enough that the DPA stipulated it should still be protected.

Data controllers' "data processing" activities were also subject to the DPA's rules. Processing was a very broad term, understood to cover essentially every interaction with personal data. As the ICO noted, almost any activity concerning data would constitute processing.

What were the penalties for a data breach?

There were a number of penalties and processes available to the ICO when it came to taking action on data protection.

The most material impact was perhaps the possibility of a fine. As of April 2010, the ICO was able to issue penalties of up to £500,000 for offences taking place on or after that date, although the maximum fine was only ever imposed once (against Facebook during the 2018 Cambridge Analytica scandal).

It was also able to lay out processes an organisation should have undertaken in order to improve its data protection posture, and was able to conduct audits to ensure compliance (these could have been consensual or, if necessary, compulsory).

If a breach occurred, in addition to the possibility of a £500,000 fine, the ICO was able to prosecute anyone it believed had committed a criminal offence under the act.

What is the Data Protection Act 2018?

After 20 years, UK data protection regulations received an overhaul following Royal Assent on 23 May 2018. The Data Protection Act 2018 updates the UK's data protection legislation to make it more relevant to the way technology is used today and harmonises UK law with GDPR.

The act mirrors GDPR in many aspects, including tougher sanctions for data breaches (up to £17 million or 4% of global turnover).

The new Data Protection Act 2018 modernises the UK's data protection framework to account for the value of people's personal data today, offering people stronger rights over what others can do with their data, and requiring companies to gain people's consent to use their information.

Generally, most provisions of the 1998 act have been strengthened, demanding far more of organisations when it comes to seeking consent and restricting them from holding data for longer than necessary.

When it comes to processing data, companies are now required to make efforts to be transparent, which was not necessarily required under the 1998 act. It's also far more difficult to collect data under the 2018 act, as it needs to have an explicit purpose.

Which specific data could be collected was also open to interpretation under the 1998 act, as organisations could use data provided it wasn't deemed "excessive" relative to its original purpose. Under the 2018 act, processing is limited to only that data considered relevant.


Data Protection Act 1998: Important terms and further reading

Data subject: A term used in both the GDPR and the DPA. It refers to the individual who is the subject of personal data.

Data controller: As with data subject, this term is used in both the GDPR and the DPA. It means a person who, alone or jointly with others, decides how and why any personal data is or will be processed.

For more information on the DPA, see the ICO's guide to data protection.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including those run by IBM, Red Hat and Google, and has been a regular reporter at Microsoft's various yearly showcases, including Ignite.