The UK Data Protection Act 2018

What is the Data Protection Act (DPA) 2018?

The UK Data Protection Act (DPA) 2018 is a comprehensive, modern data protection law for the UK, which came into force on 25 May 2018 – the same day as the EU GDPR (General Data Protection Regulation). The DPA 2018 enacts the GDPR into UK law.

Read the full text of the DPA 2018

Book onto a DPA training course

Important differences between the DPA 2018 and the GDPR

Child consent age

  • GDPR: A child can consent to data processing at age 16.
  • DPA 2018: A child can consent at age 13

Definition of personal data

  • GDPR: Personal data can include IP addresses, internet cookies and DNA.
  • DPA 2018: More limited definition.

Processing of criminal data

  • GDPR: Processors of criminal data must have official authority to do so.
  • DPA 2018: Processors of criminal data do not require official authority.

Automated decision making/processing

  • GDPR: Data subjects have rights to refuse automated decision making or profiling
  • DPA 2018: Permits automated profiling subject to legitimate grounds for doing so.

Data subject rights

  • GDPR: Protects data subjects to personal data processing.
  • DPA 2018: Data subject rights can be waived if it significantly inhibits an organisation’s legitimate need to process data for scientific, historical, statistical and archiving purposes.

Privacy vs Freedom of Expression

  • DPA 2018: An exemption exists in relation to the processing of personal data if it is in the public interest to do so.

Key modifications to the GDPR introduced by the DPA

  • Part 2, Chapter 2 supplements the EU GDPR by filling certain gaps that the Regulation leaves for individual member states to interpret and implement, and should be read alongside the EU GDPR by every UK organisation that processes personal data.
  • Part 2, Chapter 3 applies a broadly equivalent regime – known as ‘the applied GDPR’ – to certain types of processing that are outside the EU GDPR’s scope, such as processing by public authorities.
  • Part 3 implements the EU Law Enforcement Directive and sets out the regime for processing personal data for law enforcement purposes.
  • Part 4 sets out the regime for processing personal data by the UK’s intelligence services.

(Part 1 contains preliminary information, Part 5 deals with the powers of the Information Commissioner, Part 6 covers enforcement and Part 7 provides supplementary information.)

This page provides an overview of each of the four data protection regimes. Identifying which one applies to the processing you carry out is essential to ensuring UK DPA 2018 compliance.

Brexit and the UK GDPR

At the end of the Brexit transition period, the EU GDPR will no longer directly apply in the UK. However, its requirements will still be part of UK law.

Find out what will happen to data protection law in the UK after Brexit

UK DPA (Data Protection Act) 2018 overview

Part 2, Chapter 2: UK derogations and exemptions from the EU GDPR

Although the EU GDPR applies directly in member states with all the force of a domestic law, it contains certain exemptions and derogations for individual member states to interpret and implement.

In the UK, this is done via Chapter 2 of Part 2 of the DPA 2018, which must be read alongside the Regulation.

It modifies the EU GDPR in the following ways:

  • Meaning of certain terms in the EU GDPR

    Sections 6 and 7 of the DPA 2018 clarify the meaning of the terms ‘controller’, ‘public authority’ and ‘public body’ as used in the EU GDPR.

  • Lawfulness of processing

    Section 8 clarifies what constitutes a task carried out in the public interest or the exercise of official authority.

  • Child’s consent in relation to information society services

    Section 9 sets the minimum age for being able to give consent at 13 years.

  • Special categories of personal data and data relating to criminal convictions etc.

    Section 10 and Schedule 1 provide additional circumstances in which processing special category data and data relating to criminal offences is lawful, and set out conditions that should be met and safeguards that must be implemented. Section 11 provides supplementary information.

  • Limits on fees that may be charged by data controllers

    Section 12 grants the secretary of state powers to set limits on the “reasonable fees” that a data controller may charge in the case of manifestly unfounded or excessive DSARs (data subject access requests), or for further copies of information.

  • Obligations of credit reference agencies

    Section 13 limits the extent to which the EU GDPR’s right of access applies to credit reference agencies.

  • Safeguards for automated decision-making authorised by law

    Section 14 explains the safeguards that should be implemented when making “significant decisions based solely on automated processing”.

  • Exemptions and power to make further exemptions

    Section 15, and Schedules 2, 3 and 4 set out exemptions to the following articles of the EU GDPR:

    • Article 13: Information to be provided where personal data are collected from the data subject
    • Article 14: Information to be provided where personal data have not been obtained from the data subject
    • Article 15: Right of access by the data subject
    • Article 16: Right to rectification
    • Article 17: Right to erasure (‘right to be forgotten’)
    • Article 18: Right to restriction of processing
    • Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
    • Article 20: Right to data portability
    • Article 21: Right to object
    • Article 34: Communication of a personal data breach to the data subject
  • Accreditation of certification providers

    Section 17 clarifies that the Information Commissioner and the national accreditation body, UKAS (United Kingdom Accreditation Service), are the only bodies that can accredit UK certification providers, and makes provisions relating to accreditation.

  • Transfers of personal data to third countries or international organisations

    Section 18 allows the secretary of state to specify the circumstances in which transferring personal data to a third country or international organisation is or is not necessary for “important reasons of public interest”.

  • Safeguards when processing for archiving, research or statistical purposes

    Section 19 clarifies that processing will not satisfy the requirement for safeguards in Article 89(1) of the EU GDPR if it “is likely to cause substantial damage or substantial distress to a data subject” or if it “is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research”.

(These amendments also affect the applied GDPR as described in Part 2, Chapter 3, in the context of which they are known as ‘the applied Chapter 2’. This is discussed below.)

For the vast majority of data controllers and processors in the UK, the EU GDPR as amended by this chapter will apply. However, some organisations will be bound by the data processing regimes set out in Part 2, Chapter 3; Part 3; and Part 4.

Part 2, Chapter 3: The applied GDPR

Part 2, Chapter 3 extends the scope of the EU GDPR (as modified by the applied Chapter 2) by applying a broadly equivalent regime, known as ‘the applied GDPR’, to:

  • Automated or structured processing of personal data in the course of activities that are outside the material scope of the EU GDPR, as set out in Article 2(2):
    • Activities that are outside the scope of EU law; or
    • Common foreign and security policy activities, as set out in Chapter 2 of Title V of the Treaty on European Union; and
  • Manual unstructured processing of personal data held by a public authority as defined by the Freedom of Information Act 2000 or the Freedom of Information Act (Scotland) 2002 (asp 13).

This does not apply to processing covered by Parts 3 (law enforcement) or 4 (intelligence services).


There are a number of exemptions to the applied GDPR:

  • Section 24 exempts manual unstructured processing of personal data held by public authorities from most of the applied GDPR’s provisions.
  • Section 25 exempts historical research carried out by public authorities that was underway before 24 October 1998 from the principle of accuracy, the right to rectification and the right to erasure.
  • Section 26 exempts processing for national security and defence purposes that is not covered by the EU GDPR, or Parts 3 (law enforcement) or 4 (intelligence services) of the DPA 2018, from certain requirements, including those relating to data subject rights, personal data breach notifications and transfers to third countries and international organisations.
  • Section 27 states that a certificate signed by a cabinet minister, the Attorney General or the Advocate General for Scotland is conclusive evidence that exemptions under Section 26 are required for national security.
  • Section 28 modifies Article 9 of the EU GDPR to allow the processing of special categories of data for national security or defence purposes.

Schedule 6 modifies the applied GDPR and the applied Chapter 2 so that they work in a UK context. For instance:

For instance:

  • References to EU and member state law have effect as references to domestic law.
  • References to the EU and member states have effect as references to the UK.
  • References to supervisory authorities have effect as references to the Information Commissioner.
  • References to national parliaments have effect as references to both houses of parliament.

Part 3: Law enforcement processing

Part 3 applies to competent authorities’ processing of personal data for law enforcement purposes. Such processing is permitted, provided that it occurs:

  • Wholly or partly by automated means; and
  • Not by automated means where it forms, or is intended to form, part of a filing system.

Note that Part 3 applies only to processing for law enforcement purposes. That is, “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.

Other processing by competent authorities will fall under the scope of the EU GDPR. On some occasions, processing will fall under both regimes.

What is a competent authority?

A competent authority under Part 3 is akin to a data controller under the EU GDPR.

Competent authorities are defined in Schedule 7 and include, but are not limited to, government departments, police commissioners and chief constables, the director general of the NCA (National Crime Agency), the director of the SFO (Serious Fraud Office), the FCA (Financial Conduct Authority), the HSE (Health and Safety Executive), the FSA (Food Standards Agency), HM Land Registry, the DPP (Director of Public Prosecutions), the Information Commissioner, and courts or tribunals.

Data protection principles

The six data protection principles set out in Part 3, Chapter 2 differ from the six data processing principles in Article 5 of the EU GDPR in only one significant way: there is no requirement for personal data to be processed transparently, because of the risk of prejudicing criminal investigations.

Under Part 3 of Chapter 2 of the DPA 2018, personal data must be:

  1. Processed lawfully and fairly;
  2. Collected for specified, explicit and legitimate purposes;
  3. Adequate, relevant and not excessive in relation to the purpose for which it is processed;
  4. Accurate and, where necessary, kept up to date;
  5. Kept for no longer than is necessary; and
  6. Processed in a secure manner, using appropriate technical or organisational measures.

Personal data based on facts must be distinguished from personal data based on personal assessments.

Competent authorities or their processors must be able to distinguish between different categories of data subjects, such as suspects, convicts, victims and witnesses.

Where sensitive data is processed, additional safeguards must be implemented.

Data subjects’ rights

Data subjects have some of the same rights that they do under the EU GDPR, namely the right:

  • To be informed;
  • Of access;
  • To rectification;
  • To erasure or to restrict processing; and
  • Not to be subject to automated decision-making.

However, there are exemptions and restrictions that can prevent data subjects from exercising some of them.

The rights to rectification, erasure and to restrict processing do not apply to “the processing of relevant personal data in the course of a criminal investigation or criminal proceedings”.

(‘Relevant personal data’ means “personal data collected in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority” – for example, judges’ notes.)

Moreover, certain rights under the EU GDPR – such as the right to object and the right to data portability – do not exist under Part 3.

Other provisions

As with the EU GDPR, there is an accountability principle that requires competent authorities and processors acting on their behalf to implement appropriate technical and organisational measures to ensure the security of the personal data they process.

Relevant documentation must be kept, data protection measures must be implemented by design and by default, DPOs (data protection officers) must be appointed where appropriate, and there is a duty to report certain types of data breaches to the Information Commissioner within 72 hours of becoming aware of them, where feasible.

Like under the EU GDPR, data subjects must be informed of personal data breaches without undue delay if there is likely to be a high risk to their rights and freedoms.

To learn more about Part 3 processing, book your place on our Part 3 – Law Enforcement Processing training course

Part 4: Intelligence services processing

Part 4 applies to the UK intelligence services’ processing of personal data where it occurs:

  • Wholly or partly by automated means; and
  • Not by automated means where it forms, or is intended to form, part of a filing system

The intelligence services are the Security Service (MI5), the Secret Intelligence Service (MI6) and the GCHQ (Government Communications Headquarters).

Data protection principles

The six data protection principles in Part 4 are the same as the EU GDPR’s data processing principles, expect for a slight variation in wording in the sixth principle, which refers to ‘security measures’ rather than ‘technical and organisational measures’.

Personal data must be:

  1. Processed lawfully, fairly and transparently;
  2. Collected for specified, explicit and legitimate purposes;
  3. Adequate, relevant and not excessive in relation to the purpose for which it is processed;
  4. Accurate and, where necessary, kept up to date;
  5. Kept for no longer than is necessary; and
  6. Processed in a secure manner, using appropriate security measures.

If processed for the purpose of national security, only the first principle’s requirement for lawfulness applies.

In order to be lawful, at least one of the conditions in Schedule 9 for processing personal data and Schedule 10 for sensitive processing must be met.

Schedule 11 sets out further exemptions.

How IT Governance can help you comply with the EU GDPR and DPA 2018

IT Governance has been at the forefront of GDPR compliance solutions since before the Regulation came into effect.

As well as providing a wide range of EU GDPR books, training and staff awareness courses, tools, policy templates, software and consultancy services, we have created two training courses to teach you all you need to know about the DPA 2018.

Data Protection Act 2018 Training Course

Data Protection Act 2018 Training Course

The DPA 2018 modifies the GDPR by filling in gaps that were left to individual member states to interpret and implement, and sets out data processing regimes that fall outside the GDPR’s scope.  This training course provides a comprehensive introduction to the DPA 2018 and its relationship to the EU GDPR.

This one-day course will provide you with an overview of the differences between the GDPR and the DPA 2018, and how they work together.

Find out more

DPA 2018 Part 3 - Law Enforcement Processing Training Course

Data Protection Act 2018 Part 3 – Law Enforcement Processing Training Course

If your organisation processes personal information for law enforcement purposes, this training course has everything you need to help you process personal data lawfully.

It provides in-depth knowledge and understanding of Part 3 processing, covering matters directly relevant to the processing of personal data by a competent authority for law enforcement purposes.

Find out more

This website uses cookies. View our cookie policy
WIN £100