What is the Data Protection Act 2018?

The Data Protection Act (DPA) 2018 is the UK’s updated data protection law which became effective on 25th May 2018 and was recently amended on the 1st January 2021 to reflect the United Kingdom’s exit from the EU. It sits alongside the UK GDPR and replaces the Data Protection Act 1998.

The United Kingdom is no longer a part of the EU and the Data Protection Act alongside the UK GDPR are the current data protection laws that govern the processing of personal data in the UK.

Data Protection Parts

The Data Protection Act is made up of four data protection parts, also known as “data protection regimes”, these are:

  • Part One: Preliminary
  • Part Two: General processing
  • Part Three: Law enforcement processing
  • Part Four: Intelligence services processing

For the majority of businesses Parts one and two of the Data Protection Act 2018 are most relevant and important, so let’s take a more detailed look at these two parts as they most likely apply to you and your business.

Part One: Preliminary


Part One of the Data Protection Act 2018 sets out definitions of key terms that are used in the act. Most of the key terms are the same as those found in the GDPR, and below are the main terms:

  • Personal data: this is defined as “Any information relating to an identified or identifiable living individual.”
  • Identifiable living individual: this is defined as “A living individual who can be identified, directly or indirectly, in particular by reference to:
    • an identifier such as a name, an identification number, location data or an online identifier; or
    • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual
  • Processing: the word processing is defined in the DPA 2018 as “In relation to information, means an operation or set of operations which is performed on information, or on sets of information“. Examples of these types of operations are collection, storage, organising, structuring, retrieval, use, disclosure via transmission, erasure etc.
  • Data subject: a data subject is defined as “the identified or identifiable living individual to whom personal data relates.”
  • Controller Processor: Controller is defined as “the natural or legal person, who alone or jointly with others determines the purpose and means of the processing of personal data” and Processor is defined as “the natural or legal person who processes personal data on behalf of the controller”.
  • Personal data relating to criminal convictions and offenses or related security measures: defined in the DPA as personal data relating to: “
    • the alleged commission of offenses by the data subject; or
    • proceedings for an offense committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.”
  • Court: according to the DPA the word court doesn’t include a tribunal.

Part Two: General processing

Under the DPA the term processing is defined as:

In relation to information, means an operation or set of operations which is performed on information, or sets of information such as:
• collection, recording, organisation, structuring or storage;
• adaptation or alteration;
• retrieval, consultation or use;
• disclosure by transmission, dissemination or otherwise making
• alignment or combination; or
• restriction, erasure or destruction.

Part two of the Data Protection Act supplements the UK GDPR. It relates to the processing of personal data that is both within the scope of the EU GDPR and that which falls outside of it.

Processing that is included in the GDPR

The Data Protection Act is in line with the central provisions relating to the protection of personal data that are included in the GDPR. These include the following the data protection principles as follows:

  • personal data is processed lawfully, fairly and transparently
  • personal data is only used for specific, explicit purposes
  • personal data is used in an adequate, relevant and necessary manner
  • personal data is accurate and kept up to date where necessary
  • personal data is not kept linger than necessary
  • personal data is handled securely, being protected against unlawful or unauthorized processing, access, loss, destruction and damage

Processing that differs to the GDPR

There are a few key areas where the processing of personal data differs between the DPA and the GDPR. They are:

  • The DPA sets the age of consent in processing online data to 13, where as the GDPR sets the age to 16.
  • Covers data processing in the following areas that are not included in the GDPR: law enforcement, national security and immigration.
  • The DPA specifies fines and repercussions for privacy law infringements. These include unlimited fines for illegally re-identifying personal data that had been anonymized for data protection.
  • The DPA allows for automated processing of personal data if there are legitimate grounds for the processing.

Legal Bases for Processing Personal Data

Under the DPA there are six legal bases for collecting and processing personal data, which must be adhered to. These are:

  • Consent given by the user
  • To fulfill a contract with the user
  • to protect an individuals vital interests (health and life)
  • you have a legal obligation to process the personal data
  • you are executing a task in the public interest or under official authority
  • there is a legitimate interest for your business for processing the personal data.

Whenever you are collecting and processing personal data you are required to have one of these legal basis for doing so.

Should you be collecting and processing personal data under the basis of consent, you must ensure you are meeting the requirements under the DPA. These methods need to be:

  • Unambiguous: the consent forms you use need to be clear and easily understood.
  • Explicit: consent must be obtained by stand alone means and not with other items.
  • Informed: your users must have information that fully explains what they are consenting to.
  • Freely given: when obtaining users consent it needs to be given in a clear whay, such as checking a check box or clicking a button to affirm consent.
  • Recorded: you are required to maintain records of consent.

Ensure that you obtain consent from your users prior to collecting and processing their personal data.

Data Subjects Rights

The DPA, like the GDPR, sets out data protection rights for data subjects. There are a couple of exceptions for intelligence and immigration services, however these are not relevant for the majority of businesses.

When processing personal data the following data subjects rights need to be adhered to. The individual has the right to

  • access a copy of their personal data from you
  • be informed. Should your user wish to obtain information regarding what data is collected, processed, shared or stored, you must give them this information.
  • rectification: should you have incorrect personal data the user may request changes to be made at any time.
  • be forgotten: your users have the right to having their data erased.
  • data portability: your users can request and be given their data for use with other services
  • withdraw consent: the consent for collecting , processing and storing data may be withdrawn at any time.
  • object to how their data is being used at any time.
  • automated decision making: the user can object to the automated processing of their data
  • profiling: the user can object to their personal data being used for profiling. an example of this is when data is used to predict your behaviour


In order to ensure you are complying with data protection principles and data subjects rights, there are a few things that you can do depending on the size of your organization. These are:

  • Create a Privacy Policy. A privacy policy is required by any website or organization that collects any personal data. It is a requirement by law, not just under the DPA but under most privacy laws.
  • Create a Data Protection Policy. A data protection policy ensures that anyone working within your organization understands what is required of them with regards to processing, maintaining and securing personal data and how they should handle any data breaches should they occur.
  • Perform a Data Audit. By performing a data audit, you will be aware of the type of data that’s collected and how its maintained, secured and processed by your organization.

Your Legal Toolkit

Latest Articles

What is the Data Protection Act 2018?

The Data Protection Act (DPA) 2018 is the UK’s updated data protection law which became effective on 25th May 2018 and was recently amended on the 1st January 2021 to reflect the United Kingdom’s exit from the EU. It sits alongside the UK GDPR and replaces the Data Protection Act 1998. The United Kingdom is […]

Where to put a Privacy Policy on your Website?

A Privacy Policy is a legal requirement for any business or website, but where should you put your Privacy Policy on your website? To be compliant with a number of International laws, including GDPR, CalOPPA and Australian Privacy Act 1988, your privacy policy is required to be in a prominent, easily located place on your […]

3 Reasons Your Website Needs a Privacy Policy

Whether you own a website, blog or eCommerce store you may find yourself wondering, do I need a privacy policy? The short answer is, if you collect personal data from your readers or users in any form, then yes you do need a privacy policy. The three most important reasons you will require a privacy […]