What is the Data Protection Act 2018?

A padlock on a circuit board in a dark room

Designed to modernise data protection laws, the Data Protection Act (DPA) 2018 came into force on 23 May 2018 as the third generation of the UK’s data protection regime.

Based on the EU’s General Data Protection Regulation (GDPR), the DPA 2018 is designed to take into account advancements in the way data is used in the modern age and the way that personal information is collected by online platforms for various legitimate and illegitimate uses.

The DPA 2018 was brought in to take the place of the earlier Data Protection Act 1998, to outline the legal extent to which data can be collected, processed and used within the UK. In line with this, it also lays out a number of penalties for those who break these laws. More specifically, the framework laid out by the DPA 2018 governs what steps businesses and citizens are required to take when handling data, and hands individuals a clear guideline for their rights and protections when it comes to personal information.

To ensure data adequacy with the EU in the wake of Brexit, the DPA 2018 also supplements and exceeds the guidelines set out by GDPR. The DPA 2018 didn’t so much implement GDPR into UK law as it implemented the EU Law Enforcement Directive, which offers data protection rights whenever data is used for law enforcement purposes.

Why do we need DPA 2018 when we have GDPR?

Although there are similarities between the two, the DPA 2018 and the EU’s GDPR differ in a few key areas.

GDPR applied to all EU member states automatically when it came into force, but gave room for individual nations to create their own provisions that extend the reach of GDPR. This allowed member states to implement the data protection laws more smoothly in a way that complemented existing regulations.

Most of the UK’s data processing was governed by GDPR until Brexit, although a handful of regulatory issues were specific to the UK and only processed by domestic laws. Examples include immigration issues or the processing of freedom of information (FOI) data. The DPA 2018 also includes a handful of national security exemptions.


Just enough data governance

Building program momentum and scale with agility


For example, under the DPA 2018, the Home Office, and other organisations that involve the processing of immigration data, are allowed to reject access requests to personal data if the organisation believes such action could prejudice “effective immigration control”.

However, this exemption has been challenged by human and digital rights campaigners, with the Open Rights Group and the3million launching a joint legal challenge in January 2019. That challenge, which argued that the exemption relating to immigration data was unlawful, was ultimately rejected by the High Court in October 2019.

The DPA 2018 also sets out provisions that are within GDPR, but not applied from the latter in UK law. One example for this is the legal age at which individuals can provide consent for their personal data to be processed: the GDPR sets this at 16, while in the UK it is 13. Additionally, the DPA 2018 states that automated decision making or profiling may be carried out on legitimate grounds, and with appropriate safeguards to protect the rights and freedoms of individuals, whereas GDPR guarantees data subjects a right to not have such processes carried out on them.

Despite having voted to leave the EU in 2016, the UK was bound to any EU legislation enacted until 31 January 2020, including GDPR — this was signed into UK law as part of the European Union (Withdrawal) Act 2018. The DPA 2018 is also required to ensure the smooth flow of data from the EU to the UK now that we have left the bloc. Once the UK left the EU on January 31 2020, it entered into a transition period in which a number of agreements were to be formally recognised, including one confirming that the UK’s laws ensure adequate rights and controls for data handling.

Any organisation that has customers within the EU is required to adhere to the rules of the GDPR — this is a fact independent of the UK’s EU membership status. With this in mind, having domestic policy that closely lines up with the GDPR is a strategic benefit, allowing companies to be both UK and EU compliant without having to run incompatible data handling systems.

The EU ruling on UK data adequacy 19 February 2021, with the publishing of the EU Commission’s draft adequacy decision for EU-UK data flow, in which it confirmed that UK law was adequate without the need for additional safeguards to be negotiated. Later that year, on 28 June 2021, the EU Commission published its decision that the UK officially “ensures an adequate level of protection for personal data” transferred within the framework of GDPR from the EU to the UK.

The ruling is expected to last until June 2025, and the EU Commission will decide in 2024 whether to extend this for another four years. It does not apply for data transferred to the UK for issues relating to immigration, as data of this kind carries different transfer requirements.

Recently, the government has indicated that UK GDPR may be partially scrapped in favour of new data protection legislation. This was originally proposed as the Data Reform Bill, reported to reduce the “red tape and pointless paperwork” by relaxing the extent to which organisations need to seek consent for data processing, and proposing hierarchical reform to the Information Commissioner’s Office (ICO). This has since been scrapped in favour of a ‘bespoke, British’ replacement to the GDPR, which the government states will be designed to reduce workload for businesses while retaining data adequacy.

For more information on the various ways in which leaving the EU effects GDPR, head to our GDPR and Brexit in-depth guide.

Definition of personal data under DPA 2018

Any information that relates to an identified or an identifiable living person, in that an individual can be identified directly or indirectly through this, is classified as personal data. The information that falls under this category includes names, any identification numbers, location data, online identifiers or any one or more pieces of information specific to them. These would include any information that’s physical, physiological, mental, genetic, economic, cultural, or any other data that might be associated with their social identity.

Personal data, in effect, comprises anything that may be used to identify an individual, and in modern times has even extended to include details such as a person’s IP address.

What has changed since the DPA 1998

The latest piece of legislation is designed to bring data protection to modern standards, in light of the growth of massive internet companies as well as the way data is collected, processed and monetised in gigantic quantities. The DPA 2018 introduced far more protections for citizens and improved the protections and rights as initially outlined in the previous legislation

Under the new regime, organisations are required to be more transparent about how and why they handle, collect and process the data they do. The collation of data must also be for explicitly stated and legitimate reasons.


A five step blueprint for master data management success

How to create a strategic plan for deploying your MDM initiative


There are a number of conditions that businesses must also bear in mind when processing data, including the consent of the data subject, legal obligation, the public interest, vital interest, legitimate interests, among others. One of the greatest changes has been in the way consent is seen in the eyes of the law, with the threshold for consent raised significantly. Under the DPA 2018, user consent must be explicit for the processing of data in relation to specifically outlined purposes, as opposed to blanket consent, as was sought previously.

Greater requirements have also been put on organisations to keep data accurate and up-to-date, but also to immediately remove anything from systems that is inaccurate, on request when such issues are flagged.

Processing data, meanwhile, is now limited entirely to the specific purposes for which it was collected, which differs from how organisations interpreted provisions in the 1998 DPA. Previously, companies could process data in any which way provided it wasn't "excessive" to the original purpose.

How the Data Protection Act structured?

The DPA 2018 enforces four distinct data protection frameworks, with each relating to a specific category of data processing.

  • Within the scope of GDPR
  • Outside the scope of GDPR
  • By competent authorities for law enforcement purposes
  • By the intelligence services

The act is also split into seven parts, each containing multiple schedules. Following an introductory section and key terms, Part 2 covers various aspects of general processing of personal data, Part 3 covers law enforcement, Part 4 relates to intelligence service processing, Part 5 covers the powers of the Information Commissioner's Office (ICO), Part 6 outlines the scope of enforcement powers, and Part 7 covers additional provisions that do not fall under the previous categories.

Special provisions are set out for law enforcement processing, including the processing of personal data by the police, prosecutors and similar criminal justice bodies. Similar provisions exist for processing by intelligence services, which aim to bring UK standards in line with international standards. The frameworks also ensure the smooth flow of data internationally for the purpose of tackling crime, while ensuring data protection is upheld.

Fines for breaching the Data Protection Act 2018

Like GDPR, the DPA 2018 gives the ICO the power to levy far tougher fines than anything seen in the past. Under the 1998 act, the maximum possible fine was £500,000.

Under the DPA 2018, failing to report a data breach within a 72 hour period can result in a fine of 2% of a company's annual global turnover, or €10 million (£9 million), whichever is highest. For the data breach itself, the maximum fine doubles to 4% or €20 million (£17 million).

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.