The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This guide is for data protection officers and others who have day-to-day responsibility for data protection. It is aimed at small and medium-sized organisations, but it may be useful for larger organisations too. 

If you are a sole trader (or similar small business owner), you may find it easier to start with our specific resources for small business owners and sole traders.

The guide covers the Data Protection Act 2018 (DPA 2018), and the UK General Data Protection Regulation (UK GDPR).

It is split into five main sections:

Introduction to data protection

This section introduces some basic concepts, explains how the DPA 2018 works, and helps you understand which parts apply to you. It will also help you identify which sections of this guide to read.

Guide to the UK GDPR

This section explains the UK GDPR, tailored by the DPA 2018. This section will be most relevant to most organisations.

Guide to Law Enforcement Processing

This section is for public authorities processing for law enforcement purposes.

Guide to Intelligence Services Processing

This section is for the three intelligence agencies: MI5, SIS (also known as MI6) and GCHQ.

Key data protection themes

This section contains guidance on key themes, explains how the law applies in that context, and links to any statutory codes of practice.

Where relevant, this guide also links to more detailed guidance and other resources, including ICO guidance, statutory ICO codes of practice, and relevant guidelines published by the European Data Protection Board (EDPB).

We produced many guidance documents on the previous 1998 Act. Even though that Act is no longer in force, some of this guidance contains practical examples and advice which may still be helpful in applying the new legislation. While we are developing our new guidance we will keep those documents accessible on our website, with the proviso that they cannot be taken as guidance on the DPA 2018.