The UK Data Protection Act 2018 and UK General Data Protection Regulation

Now the Brexit transition period has ended, the DPA 2018 and UK GDPR are the primary data protection legislation for organisations that process UK residents’ personal data.

Speak to an expert

Please contact our expert team, who will be able to give advice and guidance about the compliance options.

What is the Data Protection Act (DPA) 2018?

The UK DPA (Data Protection Act) 2018 is a comprehensive, modern data protection law for the UK, which came into force on 25 May 2018 – the same day as the EU GDPR (General Data Protection Regulation).

Read the full text of the DPA 2018

Book onto a DPA training course

What is the UK General Data Protection Regulation (UK GDPR)?

The UK GDPR is the UK’s post-Brexit version of the EU GDPR.

EU regulations apply in member states with all the force of domestic law. After the UK left the EU on 1 January 2019, there was a transition period, during which EU law applied in the UK.

The transition period ended on 31 December 2020 and EU law ceased to apply directly.

The DPPEC (Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit)) Regulations 2019 – secondary legislation passed under the EU Withdrawal Act – then amended the EU GDPR to create a domestic data protection law: the UK GDPR.

The UK GDPR is very similar to the EU GDPR, so organisations that comply with the latter are likely to be in compliance with the former.

Learn more about GDPR compliance

Read the full text of the UK GDPR

Remember that if you process EU residents’ personal data, you will still have to comply with the EU GDPR.

Read more about the EU GDPR

New data protection rules

IT Governance can help you easily amend your current policies and procedures to ensure they remain compliant with the law now the Brexit transition period has ended.

Learn more

UK GDPR (General Data Protection Regulation) overview

The UK GDPR is substantially similar to the EU GDPR.

For instance, data subjects still have the same rights:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision-making and profiling.

There are still six data processing principles and six lawful bases for lawful processing, and data controllers and processors are still obliged to ensure the security of the personal data they process.

Learn more about GDPR compliance

However, there are some areas of divergence.

Important differences between the DPA 2018/UK GDPR and the EU GDPR

Child consent age

  • EU GDPR: A child can consent to data processing at age 16.
  • DPA 2018/UK GDPR: A child can consent at age 13.

Definition of personal data

  • EU GDPR: Personal data can include IP addresses, Internet cookies and DNA
  • DPA 2018/UK GDPR: More limited definition.

Processing of criminal data

  • EU GDPR: Processors of criminal data must have official authority to do so.
  • DPA 2018/UK GDPR: Processors of criminal data do not require official authority.

Automated decision making/processing

  • EU GDPR: Data subjects have rights to refuse automated decision making or profiling.
  • DPA 2018/UK GDPR: Permits automated profiling subject to legitimate grounds for doing so.

Data subject rights

  • EU GDPR: Protects data subjects to personal data processing.
  • DPA 2018/UK GDPR: Data subject rights can be waived if they significantly inhibit an organisation’s legitimate need to process data for scientific, historical, statistical and archiving purposes.

Privacy vs Freedom of Expression

  • DPA 2018/UK GDPR: An exemption exists in relation to the processing of personal data if it is in the public interest.


  • EU GDPR: Many non-EU data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in the EU.
  • DPA 2018/UK GDPR: Many non-UK data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the UK must appoint a representative in the UK.

Administrative fines

  • EU GDPR: The maximum fine for non-compliance is €20 million or 4% of annual global turnover.
  • DPA 2018/UK GDPR: The maximum fine for non-compliance is £17.5 million.

EU General Data Protection Regulation – A compliance guide.

Free green paper: Brexit and Data Protection

Download our free green paper “Brexit and Data Protection: A quick overview of the UK GDPR” to learn more about the UK GDPR, how it differs from the EU GDPR, and what you need to do to ensure your data processing remains in compliance with the law.

Download now

Brexit and the UK GDPR

Since the end of the Brexit transition period on 31 December 2020, the EU GDPR no longer applies to the processing of UK residents’ personal data.
However, it does still apply to UK organisations that process EU residents’ personal data.
If you are in the UK and offer goods and services to, or monitor the behaviour of, EU residents, you may need to:

  • Appoint an EU representative;
  • Identify a lead supervisory authority in the EU;
  • Update any contracts governing EU–UK data transfers to incorporate standard contractual clauses; and/or
  • Update your policies, procedures and other documentation in light of the changes you make.

Find out more about data protection law in the UK after Brexit

UK DPA (Data Protection Act) 2018 overview

As revised by the DPPEC Regulations, the UK DPA 2018’s main provisions are as follows.

  • Part 2, Chapter 2 supplements the UK GDPR and should be read alongside the Regulation by every UK organisation that processes personal data.
  • Part 2, Chapter 3 sets out exemptions for manual unstructured processing and for national security and defence purposes.
  • Part 3 sets out the regime for processing personal data for law enforcement purposes. Learn more about Part 3 processing ​
  • Part 4 sets out the regime for processing personal data by the UK’s intelligence services. Learn more about Part 4 processing ​

(Part 1 contains preliminary information, Part 5 deals with the powers of the Information Commissioner, Part 6 covers enforcement and Part 7 provides supplementary information.)

Identifying which data processing regime applies to the processing you carry out is essential.

How IT Governance can help you comply with the EU GDPR and DPA 2018

IT Governance has been at the forefront of GDPR compliance solutions since before the Regulation came into effect.

We can help you identify your data protection requirements, and provide a wide range of GDPR and data protection books, training and staff awareness courses, tools, policy templates, software and consultancy services to help you comply.

These include:

This website uses cookies. View our cookie policy
WIN £100