DPA 2018: Guide to the UK Data Protection Act
Learn what the DPA 2018 is, how it works alongside UK GDPR, who it applies to, and what your business must do to comply with the Data Protection Act 2018.
The DPA 2018 is the United Kingdom's main data protection law, formally titled the Data Protection Act 2018. If you operate a website, run a business, or handle personal data in the UK, the DPA 2018 is one of two statutes you need to understand, the other being the UK GDPR.
This guide explains what the DPA 2018 covers, how it interacts with the UK GDPR, what obligations it creates, and what penalties apply for non-compliance. The content here is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.
What Is the DPA 2018?
The Data Protection Act 2018, commonly referred to as the DPA 2018, is an Act of Parliament that received Royal Assent on May 23, 2018. It replaced the earlier Data Protection Act 1998 and serves as the UK's comprehensive data protection statute.
The DPA 2018 was originally designed to implement the EU General Data Protection Regulation (Regulation 2016/679) into UK law. When the UK left the European Union on January 31, 2020, the EU GDPR was retained in domestic law as the "UK GDPR" through the European Union (Withdrawal) Act 2018. The DPA 2018 continued to serve as its companion legislation.
Unlike the UK GDPR, which is a retained regulation setting out broad principles and rights, the DPA 2018 fills in the details. It covers areas where the GDPR expressly permits or requires member states to legislate further. This includes law enforcement data processing, intelligence services data processing, specific exemptions, criminal offences, and the establishment and powers of the Information Commissioner's Office (ICO).
Structure of the DPA 2018
The Act is organized into seven parts and 18 schedules:
- Part 1 (Sections 1 to 3): Preliminary provisions, definitions, and the relationship between the Act and the UK GDPR
- Part 2 (Sections 4 to 28): General processing under the UK GDPR, including lawful bases, conditions for special category data, and exemptions
- Part 3 (Sections 29 to 81): Law enforcement processing, implementing the EU Law Enforcement Directive (LED)
- Part 4 (Sections 82 to 91): Intelligence services processing
- Part 5 (Sections 92 to 141): The Information Commissioner, including appointment, duties, powers, and enforcement mechanisms
- Part 6 (Sections 142 to 181): Enforcement, including information notices, assessment notices, enforcement notices, penalty notices, and criminal offences
- Part 7 (Sections 182 to 215): Supplementary provisions, including amendments to other legislation and transitional provisions
The schedules contain detailed conditions for lawful processing, exemptions, and transitional arrangements. Schedule 1, for example, lists the conditions for processing special category data and criminal offence data under Part 2.
How the DPA 2018 Works with the UK GDPR
Understanding the relationship between the DPA 2018 and the UK GDPR is essential because they form a single data protection framework. Neither law is complete without the other.
The UK GDPR sets out the core rules for general data processing. It defines the principles (Article 5), the lawful bases for processing (Article 6), data subject rights (Articles 12 to 23), controller and processor obligations (Articles 24 to 43), and the penalty framework (Article 83). These rules apply to most organizations processing personal data in connection with activities in the UK.
The DPA 2018 then supplements the UK GDPR in several specific ways:
- Conditions for special category data: Article 9 of the UK GDPR requires a condition from national law for processing sensitive data such as health information, biometric data, or data revealing racial origin. Schedule 1 of the DPA 2018 lists these conditions, including employment purposes, public health, and archiving in the public interest.
- Conditions for criminal offence data: Article 10 of the UK GDPR similarly requires national authorization. Schedule 1, Part 2 of the DPA 2018 provides these conditions.
- Age of consent for children: Article 8 of the UK GDPR allows member states to set the age of digital consent between 13 and 16. Section 9 of the DPA 2018 sets this at 13 years in the UK.
- Exemptions: Schedule 2 of the DPA 2018 creates exemptions from certain UK GDPR provisions for journalism, research, legal proceedings, and other specified purposes.
- National security: The DPA 2018 provides a national security exemption (Section 26) that can override most UK GDPR provisions when a certificate is issued by a Minister of the Crown.
For website operators and online businesses, the practical effect is straightforward. Your privacy policy should reference both the UK GDPR and the DPA 2018 when describing your legal framework for UK users.
Who Must Comply with the DPA 2018
The DPA 2018 applies to any data controller or data processor that processes personal data in connection with activities taking place in the United Kingdom. This covers three broad categories of processing, each governed by a different part of the Act.
General processing (Part 2)
Part 2 of the DPA 2018 applies alongside the UK GDPR to all general data processing. If you run a website that collects email addresses from UK visitors, use cookies to track behavior, or store customer records, Part 2 applies to your activities.
The territorial scope mirrors the UK GDPR. You are subject to the DPA 2018 if:
- You are established in the UK and process personal data in the context of that establishment
- You are not established in the UK but offer goods or services to individuals in the UK
- You are not established in the UK but monitor the behavior of individuals in the UK
This means a business based in the United States, Australia, or anywhere else falls under the DPA 2018 if it targets UK consumers or tracks their online activity.
Law enforcement processing (Part 3)
Part 3 applies to competent authorities processing personal data for law enforcement purposes. This includes police forces, the National Crime Agency, HMRC (for certain functions), and other bodies listed in Schedule 7. Part 3 implements the EU Law Enforcement Directive (Directive 2016/680) and applies separately from the UK GDPR.
Intelligence services processing (Part 4)
Part 4 applies to MI5, MI6, and GCHQ. It sets out a distinct data protection regime tailored to national security functions.
Most website operators and businesses only need to concern themselves with Part 2 and the UK GDPR.
Key Obligations Under the DPA 2018
While the UK GDPR establishes the primary obligations for data controllers and processors, the DPA 2018 creates additional requirements and clarifications that businesses must understand.
Data Protection Officer requirements
Under Article 37 of the UK GDPR, certain organizations must appoint a Data Protection Officer (DPO). This includes public authorities, organizations whose core activities involve large-scale systematic monitoring, and those processing special category data at scale. Section 69 of the DPA 2018 extends DPO requirements to law enforcement processing under Part 3.
Appropriate policy document
When relying on Schedule 1 conditions to process special category data or criminal offence data, Section 42 of the DPA 2018 requires the controller to have an "appropriate policy document" in place. This document must explain your procedures for complying with the data protection principles and your policies for retaining and erasing such data.
Impact assessments for law enforcement
Section 64 of the DPA 2018 requires law enforcement bodies to carry out data protection impact assessments when processing is likely to result in a high risk to individuals. This mirrors the DPIA requirement in Article 35 of the UK GDPR but applies specifically to Part 3 processing.
Record keeping
Section 61 of the DPA 2018 requires law enforcement controllers to maintain logs of certain automated processing operations, including collection, alteration, consultation, disclosure, combination, and erasure. These logs must be available to the ICO on request.
Subject access and other rights
Part 3 of the DPA 2018 provides its own set of data subject rights for law enforcement processing (Sections 44 to 54), which differ in scope from the UK GDPR rights. For example, the right to erasure under Part 3 is more restricted than under Article 17 of the UK GDPR.
DPA 2018 Exemptions
Schedule 2 of the DPA 2018 provides exemptions from certain provisions of the UK GDPR. These exemptions do not remove the obligation to process data lawfully. They remove or restrict specific rights or obligations in defined circumstances.
The most commonly relevant exemptions include:
- Crime and taxation (Paragraph 2): Exemption from data subject rights provisions where compliance would prejudice the prevention or detection of crime or the collection of taxes
- Legal professional privilege (Paragraph 19): Exemption from subject access rights for data covered by legal privilege
- Journalism, academia, art, and literature (Paragraph 26): Exemption from several UK GDPR provisions where processing is for these purposes, the controller believes publication would be in the public interest, and compliance with the relevant provision would be incompatible with the special purpose
- Research and statistics (Paragraph 27): Exemption from certain data subject rights when processing personal data for research purposes or statistical purposes, subject to appropriate safeguards
- Archiving in the public interest (Paragraph 28): Similar exemption for public interest archiving
- Management forecasting (Paragraph 22): Exemption from subject access rights for personal data processed for management planning purposes
These exemptions are not blanket permissions. Each one has specific conditions that must be met, and the underlying obligation to process data fairly and lawfully remains. Organizations claiming an exemption should document their reasoning and ensure the conditions are satisfied on a case-by-case basis.
Penalties and Enforcement Under the DPA 2018
The ICO has a range of enforcement tools under the DPA 2018, from warnings and reprimands through to substantial financial penalties.
Administrative fines
The penalty framework aligns with the UK GDPR. Article 83 of the UK GDPR, as supplemented by Section 157 of the DPA 2018, establishes two tiers:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- Standard maximum: Up to 8.7 million GBP or 2% of annual global turnover, whichever is higher. This applies to breaches of controller and processor obligations, certification body obligations, and monitoring body obligations.
- Higher maximum: Up to 17.5 million GBP or 4% of annual global turnover, whichever is higher. This applies to breaches of data processing principles, lawful basis requirements, consent conditions, data subject rights, and international transfer restrictions.
These amounts were converted from EUR to GBP following Brexit and are periodically reviewed.
Criminal offences
The DPA 2018 creates several criminal offences not found in the UK GDPR:
- Unlawfully obtaining personal data (Section 170): Obtaining, disclosing, or procuring the disclosure of personal data without the controller's consent. Maximum penalty is an unlimited fine.
- Re-identification of de-identified data (Section 171): Knowingly or recklessly re-identifying individuals from anonymized or pseudonymized data. Maximum penalty is an unlimited fine.
- Altering records to prevent disclosure (Section 173): Altering, defacing, blocking, erasing, or destroying data to prevent its disclosure under a subject access request. Maximum penalty is an unlimited fine.
- Obstructing the Commissioner (Section 177): Obstructing an ICO inspection or assessment. Maximum penalty is a contempt of court finding.
Enforcement notices
The ICO can issue information notices (Section 142) requiring organizations to provide information, assessment notices (Section 146) for compulsory audits, and enforcement notices (Section 149) ordering organizations to take or stop specific actions. Failure to comply with these notices is itself an offence.
DPA 2018 and International Data Transfers
The rules on international transfers of personal data under the DPA 2018 framework have evolved significantly since Brexit. Under the UK GDPR (Articles 44 to 49), personal data can only be transferred to countries outside the UK if an adequate level of protection is ensured.
The UK has its own adequacy decision process, managed by the Secretary of State rather than the European Commission. As of the date of this guide, the UK maintains adequacy decisions for the EEA, and the EU has granted the UK a time-limited adequacy decision (initially until June 2025, with reviews ongoing).
Section 17A of the DPA 2018 (inserted by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) empowers the Secretary of State to make adequacy regulations for countries, territories, sectors, or international organizations. Transfer mechanisms available under the UK framework include:
- Adequacy regulations (the UK equivalent of EU adequacy decisions)
- Standard contractual clauses (the UK International Data Transfer Agreement and UK Addendum to EU SCCs)
- Binding corporate rules approved by the ICO
- Derogations under Article 49 of the UK GDPR for specific situations
If your website serves both UK and EU audiences, your privacy policy should address transfers under both the UK GDPR/DPA 2018 framework and the EU GDPR separately. A compliance tool like TermsBox can help you generate a privacy policy that covers both jurisdictions.
How to Comply with the DPA 2018
Compliance with the DPA 2018 in practice means complying with both the DPA 2018 and the UK GDPR as a unified framework. Here are the essential steps for website operators and online businesses.
Step 1: Understand your data processing activities
Map what personal data you collect, why you collect it, where it is stored, who has access, and how long you keep it. This includes data collected through website forms, cookies, analytics tools, payment processors, and third-party integrations.
Step 2: Establish lawful bases
For each processing activity, identify your lawful basis under Article 6 of the UK GDPR. The six lawful bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. For special category data, identify an additional condition from Schedule 1 of the DPA 2018.
Step 3: Implement data subject rights
Build processes to handle data subject requests. Under the UK GDPR, individuals have the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), data portability (Article 20), objection (Article 21), and rights related to automated decision-making (Article 22). You must respond within one calendar month.
Step 4: Publish a compliant privacy policy
Your privacy policy must contain all the information required by Articles 13 and 14 of the UK GDPR, including your identity, purposes of processing, lawful bases, data retention periods, data subject rights, and details of any international transfers.
Step 5: Implement appropriate security
Article 32 of the UK GDPR requires you to implement technical and organizational measures appropriate to the risk. This includes encryption, access controls, regular testing, and staff training.
Step 6: Register with the ICO (if required)
Most organizations processing personal data must pay a data protection fee to the ICO under the Data Protection (Charges and Information) Regulations 2018. There are limited exemptions for organizations that only process personal data for core business purposes such as staff administration and accounts. The fee tiers are 40 GBP (micro organizations), 60 GBP (small and medium organizations), and 2,900 GBP (large organizations) per year.
Step 7: Maintain records of processing
Article 30 of the UK GDPR requires controllers processing personal data regularly, processing special categories, or employing 250 or more persons to maintain records of processing activities. In practice, the ICO recommends all organizations maintain these records.
DPA 2018 After Brexit
The DPA 2018 has been amended several times since the UK left the EU to ensure it functions as a standalone domestic framework. The most significant changes were made by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which created the UK GDPR from the retained EU GDPR and updated the DPA 2018 accordingly.
Key post-Brexit changes include:
- References to "member state law" in the GDPR were replaced with "domestic law" in the UK GDPR
- The European Data Protection Board's role was replaced by the ICO for UK purposes
- The UK established its own adequacy assessment process
- Penalty amounts were converted from EUR to GBP
- The UK retained the ability to make its own data protection regulations without EU legislative processes
The Data Protection and Digital Information Act 2024 introduced further amendments, modifying certain provisions of the UK GDPR and DPA 2018 to reduce compliance burdens for businesses, particularly around legitimate interests processing, subject access requests, and international transfers. These changes are being implemented in phases.
For businesses operating across both the UK and the EU, the practical effect is that you may need to comply with two overlapping but not identical data protection frameworks. A cookie policy and privacy policy that addresses both regimes helps demonstrate compliance to regulators on both sides.
Frequently Asked Questions
What is the DPA 2018?
The DPA 2018 is the Data Protection Act 2018, the United Kingdom's primary data protection legislation. It supplements the UK GDPR by filling in areas where the regulation allows member states to set their own rules, such as law enforcement processing, intelligence services processing, and specific exemptions. It received Royal Assent on May 23, 2018.
How does the DPA 2018 relate to the UK GDPR?
The DPA 2018 and UK GDPR work together as a single data protection framework. The UK GDPR sets out the core principles, rights, and obligations for general data processing, while the DPA 2018 provides supplementary provisions including exemptions, the role of the ICO, offences, and rules for law enforcement and intelligence services processing.
Who enforces the DPA 2018?
The Information Commissioner's Office (ICO) enforces the DPA 2018 and the UK GDPR. The ICO has powers to issue enforcement notices, conduct audits, impose fines of up to 17.5 million GBP or 4% of annual global turnover (whichever is higher) for the most serious violations, and prosecute criminal offences under the Act.
Does the DPA 2018 apply to small businesses?
Yes. The DPA 2018 applies to any organization that processes personal data, regardless of size. There is no small business exemption. However, the ICO takes a proportionate approach to enforcement and provides guidance specifically for small and medium enterprises to help them understand their obligations.