Legal Compliance

What Data Is Protected by the Data Protection Act

Learn what data is protected by the Data Protection Act, including personal data categories, special category data, and your obligations as a website owner.

TermsBox Team | April 3, 2026 | 13 min read

Understanding what data is protected by the Data Protection Act is essential for any business that collects information through a website, app, or online service. The scope of protection is broader than many website owners realise, covering not just names and email addresses but a wide range of data types that can identify a living person.

This guide explains the categories of data the Act protects, the heightened rules around sensitive data, and what this means for your obligations as a website operator. This is educational content and not legal advice. For guidance specific to your circumstances, consult a qualified solicitor or data protection specialist.

What the Data Protection Act Actually Covers

The Data Protection Act 2018 (DPA 2018) is the United Kingdom's primary data protection legislation. It works alongside the UK GDPR (the retained EU GDPR as incorporated into UK law after Brexit) to form a comprehensive framework governing how personal data is collected, processed, stored, and shared.

The Act applies to any organisation that processes personal data of individuals in the United Kingdom, regardless of where the organisation is based. If your website collects data from UK visitors, the DPA 2018 is relevant to you.

At its core, the Act protects personal data, which Section 3(2) defines as any information relating to an identified or identifiable living individual. The definition is intentionally broad. It does not matter whether the data is factual or opinion-based, digital or paper-based, or collected directly from the individual or obtained from a third party.

Personal Data: The Foundation of What Is Protected

Personal data is the broadest category of data protected by the Data Protection Act. It encompasses any information that, either on its own or combined with other available information, can identify a specific living person.

Common examples of personal data include:

  • Names and contact details. Full names, email addresses, phone numbers, postal addresses.
  • Identification numbers. National Insurance numbers, passport numbers, driving licence numbers.
  • Online identifiers. IP addresses, cookie IDs, device fingerprints, advertising identifiers.
  • Location data. GPS coordinates, postcode-level data, cell tower data, Wi-Fi access point information.
  • Financial information. Bank account numbers, payment card details, salary information, transaction records.
  • Employment data. Job titles, employer details, work history, performance records.
  • Visual and audio data. Photographs, CCTV footage, voice recordings, video call recordings.

The critical test is identifiability. Data that seems anonymous on its own may become personal data when combined with other information you hold or could reasonably obtain. A customer number means nothing in isolation, but combined with your customer database, it identifies a specific person.

Pseudonymised Data Is Still Personal Data

A common misunderstanding is that pseudonymised data (data where identifying fields are replaced with artificial identifiers) falls outside the scope of the Act. It does not. Under Recital 26 of the UK GDPR, pseudonymised data remains personal data because it can be re-identified by the data controller who holds the key. Only truly anonymous data, where re-identification is no longer reasonably possible, falls outside the Act's scope.
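To make the pseudonymisation point concrete, here is an added example (not part of the original article) that replaces the IP addresses in access-log lines with keyed HMAC tokens. The key, log lines and the `reidentify` helper are all constructed for illustration; the example shows that the key holder can reverse the mapping, which is exactly why the result is still personal data.

```python
import hashlib
import hmac
import re
from typing import Iterable, List, Optional

# Constructed sample access-log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG: List[str] = [
    '203.0.113.42 - - [03/Apr/2026:10:15:01 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Apr/2026:10:15:03 +0000] "GET /pricing HTTP/1.1" 200 1024',
    '203.0.113.42 - - [03/Apr/2026:10:16:10 +0000] "POST /signup HTTP/1.1" 302 0',
]

# Hypothetical key held by the controller. Its existence is why the output
# below is pseudonymised rather than anonymised: whoever holds it can reverse
# the mapping for any candidate IP.
CONTROLLER_KEY = b"example-key-for-illustration-only"

IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})")


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the IP, shortened to 16 hex chars for readability.

    Deterministic, so one visitor keeps one token across lines: linkability
    is preserved, which is usually the point of pseudonymising analytics data.
    """
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_log(lines: Iterable[str], key: bytes) -> List[str]:
    """Rewrite the leading IP of each access-log line with its pseudonym."""
    out = []
    for line in lines:
        match = IP_RE.match(line)
        if not match:
            out.append(line)  # lines without a leading IP are left untouched
            continue
        out.append(IP_RE.sub(pseudonymise_ip(match.group(1), key), line, count=1))
    return out


def reidentify(token: str, candidate_ips: Iterable[str], key: bytes) -> Optional[str]:
    """What the key holder can do: recover the IP behind a token by recomputing
    pseudonyms over a candidate set (e.g. IPs already in a customer database).
    Without the key this search is not feasible, so retaining the key keeps
    the data inside the Act's scope."""
    for ip in candidate_ips:
        if hmac.compare_digest(pseudonymise_ip(ip, key), token):
            return ip
    return None


def coarsen_ip(ip: str) -> str:
    """Irreversible coarsening (zero the last octet). There is no key to undo it,
    but it only counts as anonymous if nothing else you hold lets you single
    out the visitor again."""
    octets = ip.split(".")
    octets[-1] = "0"
    return ".".join(octets)
```

Run `pseudonymise_log(SAMPLE_LOG, CONTROLLER_KEY)` and note that lines 1 and 3 share a token; `reidentify` with the same key maps that token straight back to 203.0.113.42.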

Special Category Data: Enhanced Protection

The Data Protection Act identifies certain types of personal data as requiring additional safeguards because of their particularly sensitive nature. Article 9 of the UK GDPR defines these as special category data.

The exhaustive list of special categories includes:

  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Genetic data
  6. Biometric data (when used for uniquely identifying a person)
  7. Health data (physical or mental health conditions, medical history, healthcare provision)
  8. Data concerning a person's sex life or sexual orientation

Processing special category data is prohibited by default under Article 9(1) of the UK GDPR unless you can rely on one of the specific conditions listed in Article 9(2) and, where applicable, the additional conditions in Schedule 1 of the DPA 2018.

The most relevant lawful bases for processing special category data are:

  • Explicit consent. The individual has given clear, affirmative, and specific consent to the processing.
  • Employment, social security, and social protection. Where processing is necessary for fulfilling employment law obligations.
  • Vital interests. Where processing is necessary to protect someone's life and the individual cannot give consent.
  • Substantial public interest. Where processing meets one of the conditions in Schedule 1, Part 2 of the DPA 2018.

For most website operators, explicit consent is the primary route if any special category data is collected, for example through health-related forms or diversity monitoring surveys.

Criminal Offence Data

Separately from special category data, Article 10 of the UK GDPR and Part 2, Chapter 2 of the DPA 2018 provide additional protections for data relating to criminal convictions and offences. This includes:

  • Criminal conviction records
  • Allegations of criminal activity
  • Details of criminal proceedings
  • Cautions, warnings, and reprimands

Processing criminal offence data requires either official authority (such as being a law enforcement body) or meeting a specific condition under Schedule 1, Part 1 or Part 2 of the DPA 2018. Most commercial websites have no legitimate reason to process this type of data, but if your platform involves background checks, trust and safety decisions, or user reporting systems, you need to be aware of these restrictions.

What Is Protected by the Data Protection Act in a Website Context

For website owners specifically, the data protected by the Data Protection Act typically falls into several practical categories based on how it is collected.

Data collected through forms

Contact forms, registration pages, checkout processes, and newsletter signups all collect personal data directly from users. Names, email addresses, phone numbers, billing addresses, and payment information are all protected. Every form on your website that collects information about an identifiable person triggers obligations under the Act.

Data collected automatically

Modern websites collect significant amounts of personal data without users actively submitting it:

  • Cookies and tracking technologies. First-party analytics cookies, third-party advertising cookies, and session cookies can all generate personal data when they create or use identifiers linked to individual users or devices.
  • Server logs. IP addresses, browser user-agent strings, referring URLs, and timestamps recorded in access logs are personal data when they can be linked to an individual.
  • Analytics data. Tools like Google Analytics collect device information, browsing patterns, geographic location, and session data that can constitute personal data.

If your website uses cookies or analytics tools, you are processing personal data that falls under the Act's protection. A privacy policy generator can help you document what data you collect and why, which is a requirement under Articles 13 and 14 of the UK GDPR.

Data from third-party integrations

Embedding third-party services on your website, such as social media widgets, payment processors, live chat tools, or advertising pixels, often means sharing your visitors' data with those third parties. You remain a data controller (or joint controller) for this processing, even though the third party performs the actual data collection. Your privacy policy must disclose these data sharing arrangements.

The Seven Data Protection Principles

The Data Protection Act does not just define what data is protected. It establishes seven principles governing how that data must be handled. Under Article 5 of the UK GDPR, all personal data processing must comply with these principles:

  1. Lawfulness, fairness, and transparency. You must have a valid legal basis for processing, treat data subjects fairly, and be open about how you use their data.
  2. Purpose limitation. Data must be collected for specified, explicit, and legitimate purposes and not further processed in ways incompatible with those purposes.
  3. Data minimisation. You must only collect and retain data that is adequate, relevant, and limited to what is necessary for your stated purposes.
  4. Accuracy. Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be corrected or erased without delay.
  5. Storage limitation. Data must not be kept in an identifiable form for longer than is necessary for the purposes for which it is processed.
  6. Integrity and confidentiality. Data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
  7. Accountability. The data controller must be able to demonstrate compliance with all of the above principles.

These principles apply to every piece of personal data your website handles. Violating any principle can result in enforcement action by the Information Commissioner's Office (ICO), with fines of up to 17.5 million GBP or 4% of annual global turnover under the higher tier of penalties.

Individual Rights Under the Act

The Data Protection Act grants individuals specific rights over their protected data. As a website owner processing personal data, you must be prepared to respond to these rights:

  • Right of access (Subject Access Request). Individuals can request a copy of all personal data you hold about them. You must respond within one calendar month.
  • Right to rectification. Individuals can ask you to correct inaccurate personal data or complete incomplete data.
  • Right to erasure. Also called the "right to be forgotten," this allows individuals to request deletion of their data in certain circumstances, such as when the data is no longer necessary for its original purpose.
  • Right to restrict processing. Individuals can ask you to limit how you use their data while a dispute or request is being resolved.
  • Right to data portability. Where processing is based on consent or contract and carried out by automated means, individuals can request their data in a commonly used, machine-readable format.
  • Right to object. Individuals can object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, the objection is absolute.
  • Rights related to automated decision-making. Individuals have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.

Failing to honour these rights within the required timeframes is a breach of the Act and can lead to complaints to the ICO.

Practical Steps for Website Compliance

Knowing what data is protected by the Data Protection Act is only useful if you translate that knowledge into action. Here are the steps most website owners need to take.

Audit your data collection

Map every point where your website collects personal data. This includes forms, cookies, analytics tools, third-party scripts, email marketing integrations, and any embedded content. You cannot protect data you do not know you are collecting.

Establish lawful bases

For each type of data processing, identify your lawful basis under Article 6 of the UK GDPR. The six available bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most commercial websites rely on consent (for marketing and cookies) and contract (for fulfilling orders or providing services).

Write a clear privacy policy

Article 13 of the UK GDPR requires you to provide detailed information about your data processing at the point of collection. Your privacy policy must explain what data you collect, why you collect it, the lawful basis for each processing activity, who you share data with, how long you retain data, and how individuals can exercise their rights.

Implement appropriate security

Article 5(1)(f) and Article 32 of the UK GDPR require you to implement security measures appropriate to the risk. At a minimum, this means:

  • HTTPS encryption across your entire site
  • Secure storage of passwords using strong hashing algorithms
  • Access controls limiting who can view personal data
  • Regular software updates and security patches
  • Backup procedures for data recovery

Manage cookies and tracking

Under the Privacy and Electronic Communications Regulations 2003 (PECR), which work alongside the DPA 2018, you must obtain consent before setting non-essential cookies. This means implementing a cookie consent mechanism that allows visitors to accept or reject cookie categories before tracking begins. Tools like TermsBox provide a cookie policy generator alongside a consent management platform to handle both the policy documentation and the technical consent collection.

Prepare for data subject requests

Have a process in place for responding to access requests, erasure requests, and other rights under the Act. Designate a responsible person, document your procedures, and ensure you can locate and export an individual's data within the one-month response deadline.

Penalties for Failing to Protect Data

The ICO has the power to impose significant penalties for breaches of the Data Protection Act and UK GDPR. The penalty framework operates on two tiers:

  • Lower tier (Article 83(4) equivalent). Up to 8.7 million GBP or 2% of annual global turnover, whichever is higher. Applies to breaches of obligations regarding data protection by design, data protection impact assessments, and record-keeping.
  • Higher tier (Article 83(5) equivalent). Up to 17.5 million GBP or 4% of annual global turnover, whichever is higher. Applies to breaches of the data protection principles, lawful basis requirements, consent conditions, and individual rights.

Beyond fines, the ICO can issue enforcement notices requiring specific actions, reprimands, and orders to suspend data processing. Individuals also have the right to claim compensation for material or non-material damage resulting from data protection breaches under Section 168 of the DPA 2018.

Frequently Asked Questions

What types of data does the Data Protection Act cover?

The Data Protection Act 2018 covers all personal data, which means any information that identifies or could identify a living individual. This includes obvious identifiers like names and email addresses, as well as less obvious ones such as IP addresses, cookie identifiers, location data, and online browsing behaviour. If the data relates to an identifiable person, it falls within the scope of the Act.

What is special category data under the Data Protection Act?

Special category data is a subset of personal data that receives extra legal protection because of its sensitive nature. It includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data about a person's sex life or sexual orientation. Processing this data requires meeting one of the specific conditions set out in Article 9 of the UK GDPR and Schedule 1 of the Data Protection Act 2018.

Does the Data Protection Act apply to website cookies and tracking data?

Yes. Cookie identifiers and tracking data that can be linked back to a specific user or device qualify as personal data under the Act. This means websites must provide clear information about what cookies they use, obtain consent where required under the Privacy and Electronic Communications Regulations, and include cookie tracking in their data protection practices.

Are business contact details protected by the Data Protection Act?

Business contact details for individuals, such as a named employee's work email or direct phone number, are personal data and are protected by the Act. Generic company information like a general enquiries email address or a company registration number is not personal data. The key test is whether the information relates to an identifiable living individual, regardless of whether it is used in a business context.
