The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The UK's third generation of data protection law has now received the Royal Assent and its main provisions will commence on 25 May 2018. The new Act aims to modernise data protection laws to ensure they are effective in the years to come.

An introduction to the Data Protection Bill

As the Data Protection Bill went through Parliament we produced an overview document as an introduction to help people and organisations navigate their way around it and focus on the sections that were most relevant to them. It remains a helpful resource but it is important to note that it does not reflect the final text of the legislation. Now that the legislation has received Royal Assent we are updating this document to reflect the final contents of the Act and will make it available as soon as possible.

Our intention in the longer term is to develop our main suite of guidance to cover the Data Protection Act 2018 in more detail. We will publish this under the umbrella of a new Guide to Data Protection which will cover the GDPR, the applied GDPR, Law Enforcement and any other relevant provisions.

What is the difference between the DPA 2018 and the GDPR? 

The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 sets out the details of these provisions. It is therefore important that the GDPR and the DPA 2018 are read side by side.

Information about how to get ready for the GDPR can be found in our Guide to the GDPR. 

However, the DPA 2018 is not limited to the UK GDPR provisions. 

What else does the DPA 2018 cover? 

  • The DPA 2018 has a part dealing with processing that does not fall within EU law, for example, where it is related to immigration. It applies GDPR standards but it has been amended to adjust those that would not work in the national context. 
  • It also has a part that transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the General Data Protection Regulation (GDPR) and Part 3 of the DPA 2018 sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’. The ICO has produced a detailed Guide to Law Enforcement Processing.
  • National security is also outside the scope of EU law. The Government has decided that it is important the intelligence services are required to comply with internationally recognised data protection standards, so there are provisions based on Council of Europe Data Protection Convention 108 that apply to them. 
  • There are also separate parts to cover the ICO and our duties, functions and powers plus the enforcement provisions. The Data Protection Act 1998 is being repealed, so the DPA 2018 makes the changes necessary to deal with the interaction between FOIA/EIR and the DPA.