In May 2018, the Data Protection Act 2018 came into force alongside the new General Data Protection Regulation (GDPR). The aim of the Data Protection Act UK is to modernise UK data protection laws in conjunction with the GDPR and to ensure these laws will continue to be effective in the future.

How are the Data Protection Act UK and the GDPR different?

The GDPR affects all EU states and is the basis for data protection law within those countries. The Data Protection Act UK implements the GDPR in the UK.

The Data Protection Act UK approaches data processing under four specific categories:

  • processing within the reach of the GDPR
  • processing outside the reach of the GDPR
  • processing for law enforcement purposes
  • processing by the intelligence services

The Data Protection Act UK goes further than the reach of the GDPR and sets out additional guidelines in respect of:

  • data processing that falls outside EU law
  • the transposition of the EU Data Protection Directive 2016/680 into domestic UK law
  • how data protection laws should be handled by UK intelligence services
  • the responsibilities, functions, and powers of the ICO
  • how data protection laws will be enforced in the UK

The six data protection principles

Under the Data Protection Act UK, the processing of personal data must comply with the following principles:

  • the processing must be lawful and fair
  • the purposes of the processing must be specified, explicit and legitimate
  • the personal data collected must be adequate, relevant and not excessive
  • the personal data retained must be accurate and monitored to ensure it is current
  • the personal data must be retained for only as long as is necessary
  • the personal data must be processed in a manner that is secure

The rights of the data subject

Under the Data Protection Act UK, data subjects have the right:

  • to receive information on the identity and contact details of the controller and the data protection officer, the purpose for processing the data, their individual rights, the basis in law for processing their data, and how long that data will be retained
  • to be informed whether their personal data is being processed, and to have access to that personal data
  • to have personal data rectified or made complete, and for the body that collected the data, as well as the data subject themselves, to be informed of any such rectification or completion
  • to have personal data erased or its use restricted, and to receive notification that this has been done
  • not to be subject to automated decision making
  • to exercise rights through the Information Commissioner

Key sections of the Data Protection Act UK

An overview of the DPA UK and key terms used

This preliminary section gives an overview of the Data Protection Act UK, discusses protection of personal data and lays out definitions for the key terms used in the Act, including but not limited to:

  • personal data
  • identifiable living individual
  • controller and processor

General Processing

This section gives further clarity on the GDPR requirements for data processing but also lays out how processing that falls outside of the GDPR and EU law should be handled, quoting the relevant sections of the GDPR and the DPA UK.

It is broken down into three chapters:

  • what this section covers and related definitions
  • types of processing covered by the GDPR
  • types of processing that are not covered by GDPR and EU law and are not law enforcement or intelligence services related

Chapter 2 also discusses lawful grounds for data processing, a child’s consent, special categories of personal data, criminal convictions, the limiting of fees charged by controllers, processing in the interests of the public, required documentation, safeguards, obligation of credit reference agencies, lawful automated decision making and exemptions.

In addition to listing rights of the data subject, Chapter 3 discusses data held by public authorities, historical research, and exemption for national security and defence processing other than by law enforcement bodies.

Law enforcement processing

This section covers data processing by law enforcement bodies and is split into 6 chapters:

  • what this section covers and related definitions
  • the 6 data protection principles and safeguards
  • rights of the individual (data subject)
  • controller and processor obligations
  • personal data transfer to countries outside the EU or to an international organisation
  • supplementary provisions

Under Chapter 2, there is also information on safeguards in relation to archiving and sensitive data processing.

Chapter 3 details the controller’s responsibilities, the exercise of rights through the Information Commissioner, the form the information must be provided in, dealing with excessive requests, exemptions to these rights and the time frame for complying with one of the above requests.

Intelligence services processing

This section discusses data processing and handling in the context of national security which is not covered by EU law or the GDPR.

Under the umbrella of national security, 3 intelligence services are named in the DPA UK. These are:

  • Security Service
  • Secret Intelligence Service
  • Government Communications Headquarters

This section relates to the processing of personal data carried out by the intelligence services that is either completely, or in part, processed by automated means or that forms part of a filing system.

There are 6 chapters to this section:

  • what this section covers and related definitions
  • the 6 data protection principles and safeguards
  • rights of the individual (data subject)
  • controller and processor obligations
  • personal data transfer to countries outside the EU or to an international organisation
  • exemptions

The Information Commissioner

This section contains information on the Information Commissioner. It lays out:

  • General functions
  • International role
  • Codes of practice
  • Consensual audits
  • Records of national security certificates
  • Information provided to the Commissioner
  • Confidentiality of information
  • Guidance about privileged communications
  • Fees
  • Charges
  • Reports
Enforcement

This section details how compliance with the Data Protection Act UK will be enforced and the related powers of the Information Commissioner.

It describes the 4 types of notice that a non-compliant business might receive:

  • Information Notice
  • Assessment Notice
  • Enforcement Notice
  • Penalty Notice

and outlines the penalties that might be imposed, together with the factors that would be taken into consideration.

It also details powers of entry and inspection, rights and determinations of appeal, data subject complaints, compliance orders, compensation, news-related material, and unlawful obtaining of personal data.

How legal advice can help

The Data Protection Act UK seeks to implement, clarify and expand on the General Data Protection Regulation. UK organisations are required to understand and comply with both sets of regulations under UK data protection laws.

Specialist legal advice can assist your business in ensuring that you have the correct documentation and processes in place for data collection, handling, usage and storage, to ensure your organisation is protected against complaints or non-compliance penalties.

As Editor of Lawble, Gill helps businesses and individuals become better informed about their legal rights. Gill is a content specialist in the fields of law, tax and human resources.