TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. What Is the Data Protection Act? A Complete Guide
Legal Compliance

What Is the Data Protection Act? A Complete Guide

Learn what the Data Protection Act is, what it protects, how it works alongside the GDPR, and what businesses must do to comply.

TermsBox Team|April 4, 202613 min read

Understanding what the Data Protection Act is starts with a straightforward fact: it is the United Kingdom's primary law governing how personal information is handled. Whether you run a small online shop or a large enterprise, the Data Protection Act sets the legal framework for collecting, storing, and using the personal data of anyone in the UK.

This article is educational content and does not constitute legal advice. Data protection requirements depend on your specific circumstances, the type of data you handle, and where your users are located. Consult a qualified solicitor or privacy professional for advice tailored to your situation.

What the Data Protection Act Is and Where It Comes From

The Data Protection Act 2018 (DPA 2018) is the UK's implementation of data protection principles that align with the EU's General Data Protection Regulation (GDPR). It replaced the earlier Data Protection Act 1998, which had governed personal data in the UK for two decades.

When the UK was an EU member state, the GDPR applied directly. After Brexit, the UK retained the GDPR's substance through the UK GDPR, which sits alongside the DPA 2018. Together, these two instruments form the UK's data protection regime.

The DPA 2018 does three key things:

  1. Supplements the UK GDPR by filling in areas where the regulation allows member states to make specific choices, such as the age of consent for children's data (set at 13 in the UK).
  2. Covers law enforcement processing under Part 3, implementing the EU Law Enforcement Directive for police, prosecutors, and other authorities.
  3. Addresses intelligence services processing under Part 4, setting separate rules for organizations like MI5 and GCHQ.

For most businesses, Part 2 of the DPA 2018 (the general processing provisions that work alongside the UK GDPR) is what matters day to day.

What Does the Data Protection Act Do for Individuals

The central question people ask is what does the Data Protection Act do in practical terms. At its core, the Act gives individuals control over their personal information and places obligations on anyone who handles it.

Rights Granted to Individuals

The DPA 2018, working with the UK GDPR, establishes eight individual rights:

  • Right of access (Article 15 UK GDPR). Individuals can request a copy of all personal data an organization holds about them. Organizations must respond within one month.
  • Right to rectification (Article 16). Individuals can ask for inaccurate data to be corrected or incomplete data to be completed.
  • Right to erasure (Article 17). Also known as the "right to be forgotten," this allows individuals to request deletion of their data when it is no longer necessary for its original purpose, or when consent is withdrawn.
  • Right to restrict processing (Article 18). Individuals can ask an organization to limit how it uses their data while a dispute is resolved.
  • Right to data portability (Article 20). Individuals can receive their data in a structured, commonly used, machine-readable format and transfer it to another organization.
  • Right to object (Article 21). Individuals can object to processing based on legitimate interests or for direct marketing purposes. Organizations must stop processing unless they demonstrate compelling legitimate grounds.
  • Rights related to automated decision-making (Article 22). Individuals can challenge decisions made solely by automated means that have legal or similarly significant effects.
  • Right to be informed (Articles 13 and 14). Organizations must explain what data they collect, why, and how individuals can exercise their rights.

These rights are not absolute. Exemptions exist for purposes such as national security, crime prevention, and regulatory functions. But for standard business operations, these rights apply fully.

Transparency Requirements

The DPA 2018 requires organizations to be upfront about their data practices. This means providing clear privacy notices that explain what data is collected, the lawful basis for processing, who receives the data, how long it is kept, and how to exercise rights. A privacy policy generator can help you build a notice that covers these requirements for your website.

What Does the Data Protection Act Protect

Understanding what does the Data Protection Act protect requires knowing what counts as "personal data" under the law. The definition is broad.

Personal Data

Personal data is any information relating to an identified or identifiable living individual. This includes obvious identifiers and less obvious ones:

  • Names, email addresses, phone numbers
  • Postal addresses and location data
  • IP addresses and cookie identifiers
  • Financial information such as bank account or credit card details
  • Employment records and education history
  • Online identifiers and device fingerprints
  • Photographs and video recordings where a person is identifiable

Special Category Data

The Act provides heightened protections for sensitive personal data, referred to as "special category data" under Article 9 of the UK GDPR:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data used for identification
  • Health data
  • Data concerning sex life or sexual orientation

Processing special category data requires meeting one of the specific conditions in Article 9(2), such as explicit consent or a substantial public interest condition listed in Schedule 1 of the DPA 2018. Standard legitimate interests are not sufficient.

Criminal Conviction Data

Data about criminal convictions and offenses receives separate treatment under Article 10 of the UK GDPR and Part 2, Chapter 2 of the DPA 2018. Organizations can only process this data under the control of official authority or when authorized by domestic law.

The Seven Data Protection Principles

The Data Protection Act enforces seven principles that govern all processing of personal data. These principles, set out in Article 5 of the UK GDPR, are the foundation of compliance.

  1. Lawfulness, fairness, and transparency. Processing must have a legal basis, must not be deceptive, and must be clearly communicated to the individual.
  2. Purpose limitation. Data must be collected for specified, explicit, and legitimate purposes. You cannot repurpose data for something incompatible with the original reason you collected it.
  3. Data minimization. Only collect data that is adequate, relevant, and limited to what is necessary. Asking for a date of birth on a newsletter signup form, for example, is difficult to justify.
  4. Accuracy. Personal data must be accurate and kept up to date. Inaccurate data must be rectified or erased without delay.
  5. Storage limitation. Data should not be kept longer than necessary for its stated purpose. Define retention periods and enforce them.
  6. Integrity and confidentiality. Appropriate technical and organizational security measures must protect personal data against unauthorized access, loss, or destruction.
  7. Accountability. Organizations must demonstrate compliance, not merely claim it. This means maintaining records, conducting assessments, and being able to show regulators what you have done.

Who Must Comply with the Data Protection Act

The DPA 2018 applies to two categories of organizations:

  • Data controllers decide why and how personal data is processed. If you determine the purposes and means of processing, you are a controller.
  • Data processors handle personal data on behalf of a controller. Email service providers, cloud hosting companies, and payment processors typically act as processors.

Both controllers and processors have obligations under the Act, though controllers bear the primary responsibility for compliance.

Territorial Scope

The law applies to:

  • Organizations established in the UK that process personal data in the context of that establishment
  • Organizations not established in the UK that process personal data of individuals in the UK in connection with offering goods or services to them, or monitoring their behavior within the UK

This means a business based in the United States, Australia, or anywhere else must comply with the DPA 2018 if it targets UK customers or tracks UK visitors on its website.

What Businesses Must Do to Comply

Compliance is not a single action. It requires ongoing practices across your organization.

Create and Publish a Privacy Notice

Your website needs a clear, accessible privacy notice that covers all the information required by Articles 13 and 14 of the UK GDPR. This includes your identity, the data you collect, the purposes and legal bases, recipients, retention periods, individual rights, and how to lodge a complaint with the Information Commissioner's Office (ICO).

Use a privacy policy generator to build a comprehensive notice, then customize it with your specific processing activities and vendor details.

Establish a Lawful Basis for Processing

Before you collect any personal data, identify which of the six lawful bases in Article 6(1) of the UK GDPR applies:

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now
  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

Document your chosen basis for each processing activity. If you rely on consent, ensure it meets the standard in Article 7: freely given, specific, informed, and unambiguous.

Implement Appropriate Security Measures

Article 32 of the UK GDPR requires security measures appropriate to the risk. This includes:

  • Encryption of personal data in transit and at rest
  • Access controls limiting who can view or modify data
  • Regular testing and assessment of security effectiveness
  • Incident response procedures for data breaches
  • Staff training on data handling and security practices

Maintain Records of Processing Activities

Under Article 30, organizations with 250 or more employees must maintain a Record of Processing Activities (ROPA). Smaller organizations must also keep records if their processing is not occasional, involves special category data, or poses a risk to individuals' rights. In practice, every organization should maintain a ROPA.

Manage Cookies and Tracking

The Privacy and Electronic Communications Regulations 2003 (PECR) works alongside the DPA 2018 to regulate cookies and similar technologies. Non-essential cookies require prior consent. Your cookie banner must clearly explain what cookies you use and allow visitors to accept or reject them before non-essential tracking begins. A cookie policy generator can help you create the supporting documentation.

Respond to Data Subject Requests

When someone exercises their rights, you generally have one calendar month to respond. Have a process in place to verify the requester's identity, locate relevant data, and provide or action the response within the deadline. Complex or numerous requests may justify an extension of up to two additional months, but you must inform the requester within the first month.

Penalties and Enforcement by the ICO

The Information Commissioner's Office (ICO) is the UK's independent authority for data protection. It has a range of enforcement powers under the DPA 2018.

Fines

The ICO can impose two tiers of administrative fines:

  • Higher tier: Up to 17.5 million GBP or 4% of annual global turnover, whichever is greater. This applies to violations of the data protection principles, conditions for consent, data subject rights, and international transfer rules.
  • Lower tier: Up to 8.7 million GBP or 2% of annual global turnover. This applies to violations of obligations on controllers and processors, such as record-keeping, security, and breach notification requirements.

Other Enforcement Actions

Beyond fines, the ICO can:

  • Issue information notices requiring an organization to provide specific information
  • Issue assessment notices to audit an organization's processing
  • Issue enforcement notices requiring an organization to take or stop specific actions
  • Issue penalty notices for failure to comply with information or enforcement notices
  • Pursue criminal prosecution for certain offenses, such as unlawfully obtaining personal data

Notable Enforcement Examples

The ICO has taken significant action against organizations of all sizes. British Airways received a fine of 20 million GBP in 2020 for a data breach affecting approximately 400,000 customers. Marriott International was fined 18.4 million GBP for a breach that exposed records of roughly 339 million guests. These cases demonstrate that the ICO uses its enforcement powers in practice, not just in theory.

How the Data Protection Act Relates to Other Privacy Laws

The DPA 2018 does not exist in isolation. Several other regulations interact with it, and organizations often need to comply with multiple frameworks simultaneously.

UK GDPR

The UK GDPR and DPA 2018 work as a pair. The UK GDPR provides the core framework, and the DPA 2018 supplements it with UK-specific provisions. You cannot comply with one while ignoring the other.

EU GDPR

If you serve customers in both the UK and the EU, you must comply with both the UK GDPR (plus DPA 2018) and the EU GDPR. The substantive requirements are very similar, but there are differences in supervisory authorities, transfer mechanisms, and some specific provisions.

PECR

The Privacy and Electronic Communications Regulations 2003 sit alongside the DPA 2018 and govern electronic marketing, cookies, and communications security. PECR has its own consent requirements for cookies and direct marketing that supplement the DPA 2018.

International Frameworks

Organizations with a global audience may also need to consider the California Consumer Privacy Act (CCPA), Brazil's LGPD, Canada's PIPEDA, or Australia's Privacy Act 1988. While the specifics differ, the underlying principles of transparency, purpose limitation, and individual rights are broadly consistent.

For websites that need to comply with multiple frameworks, generating baseline legal documents through tools like TermsBox and then customizing for each jurisdiction is a practical starting approach. The platform's compliance scanner can identify which trackers and cookies your site uses, helping you understand what your privacy documents need to cover.

Frequently Asked Questions

What is the Data Protection Act in simple terms?

The Data Protection Act is a UK law that controls how organizations collect, store, use, and share personal information. It sets rules that protect individuals from having their data misused and gives them rights to access, correct, and delete their personal data.

What does the Data Protection Act protect?

The Data Protection Act protects personal data, which is any information that can identify a living individual. This includes names, email addresses, phone numbers, IP addresses, financial records, health information, and biometric data. It provides extra protections for sensitive categories like racial origin, political opinions, and medical records.

Does the Data Protection Act apply outside the UK?

The UK Data Protection Act 2018 applies to any organization that processes the personal data of individuals in the United Kingdom, regardless of where that organization is based. If your website serves UK customers or monitors their behavior, you are subject to its requirements.

What are the penalties for breaking the Data Protection Act?

The Information Commissioner's Office can impose fines of up to 17.5 million GBP or 4% of annual global turnover for the most serious violations. Lower-tier offenses can attract fines up to 8.7 million GBP or 2% of turnover. The ICO can also issue enforcement notices, reprimands, and orders to stop processing data.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What the Data Protection Act Is and Where It Comes From
  • What Does the Data Protection Act Do for Individuals
  • Rights Granted to Individuals
  • Transparency Requirements
  • What Does the Data Protection Act Protect
  • Personal Data
  • Special Category Data
  • Criminal Conviction Data
  • The Seven Data Protection Principles
  • Who Must Comply with the Data Protection Act
  • Territorial Scope
  • What Businesses Must Do to Comply
  • Create and Publish a Privacy Notice
  • Establish a Lawful Basis for Processing
  • Implement Appropriate Security Measures
  • Maintain Records of Processing Activities
  • Manage Cookies and Tracking
  • Respond to Data Subject Requests
  • Penalties and Enforcement by the ICO
  • Fines
  • Other Enforcement Actions
  • Notable Enforcement Examples
  • How the Data Protection Act Relates to Other Privacy Laws
  • UK GDPR
  • EU GDPR
  • PECR
  • International Frameworks
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.