At a glance
- The DPA 2018 sets out the data protection framework in the UK, alongside the GDPR. It contains four separate data protection regimes:
  - Part 2 Chapter 2 (GDPR): supplements and tailors the GDPR;
  - Part 2 Chapter 3 (applied GDPR): extends a modified GDPR to some other (rare) cases;
  - Part 3: sets out a separate regime for law enforcement authorities; and
  - Part 4: sets out a separate regime for the three intelligence services.
What is the DPA 2018?
The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018.
It sits alongside the GDPR, and tailors how the GDPR applies in the UK - for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.
What is the GDPR?
The GDPR is the General Data Protection Regulation (EU) 2016/679. It sets out the key principles, rights and obligations for most processing of personal data – but it does not apply to processing for law enforcement purposes, or to areas outside EU law such as national security or defence.
The GDPR came into effect on 25 May 2018. As a European Regulation, it has direct effect in UK law and automatically applies in the UK until we leave the EU (or until the end of any agreed transition period, if we leave with a deal). After this date, it will form part of UK law under the European Union (Withdrawal) Act 2018, with some technical changes to make it work effectively in a UK context.
We have produced more guidance and resources on Data protection and Brexit.
The government has also published a statement on data protection law and EU exit and an explanatory memorandum explaining how the GDPR will be incorporated into UK law after exit day.
How does the DPA 2018 work?
The DPA 2018 is split into a number of different parts, which apply in different situations and perform different functions. It sets out four separate data protection regimes:
- Part 2 Chapter 2: General processing (GDPR);
- Part 2 Chapter 3: General processing (applied GDPR);
- Part 3: Law enforcement processing; and
- Part 4: Intelligence services processing.
The other parts contain provisions of general application, including interpretation and our functions and powers. When using the DPA 2018 it is important to be clear which set of provisions applies.
We have produced an overview of the DPA 2018 with a more detailed summary of its structure and content, if you need help navigating the legislation itself. However, for more guidance on how the provisions work in practice, you should continue to read this Guide.
What is the general processing regime?
Part 2 Chapter 2 of the DPA 2018 supplements and tailors the GDPR. For most organisations, this is the part that will apply. You need to read it alongside the GDPR itself, as both sets of provisions apply directly to you. The key provisions of this part are:
- sections 1-20;
- schedule 1 (conditions for processing some sensitive types of data); and
- schedules 2-4 (exemptions).
Further reading – ICO guidance
For more on how these provisions work in practice, read our Guide to the GDPR.
What is the 'applied GDPR'?
Part 2 Chapter 3 of the DPA 2018 applies a slightly modified version of the GDPR to general processing which falls outside the scope of the GDPR itself. This is known as the ‘applied GDPR’.
It is not intended to write the GDPR into UK law in preparation for leaving the EU. Once the UK leaves the EU (or at the end of any agreed transition period, if we leave with a deal), this will be achieved separately under the European Union (Withdrawal) Act 2018, at which point the GDPR and applied GDPR chapters will be merged to form a single general processing regime.
Instead, the applied GDPR is in place to catch any general processing that might otherwise fall through the gaps where EU law does not apply. However, it is not likely to be relevant in many cases. The two main cases in which the applied GDPR is significant are:
- if you are a public authority, it applies to unfiled papers and notes to ensure that freedom of information rules work properly – but there are exemptions from most data protection obligations; and
- if you are processing for national security or defence purposes, but you are not a law enforcement authority or an intelligence service, it covers that processing and provides an extra exemption where required for national security or defence.
We will add further guidance on the applied GDPR as cases arise in practice, but in most cases you should follow our general GDPR guidance.
The key provisions of this part of the DPA 2018 are:
- sections 21-28;
- schedules 2-4 (exemptions); and
- schedule 6 (modifications to the GDPR).
The government has produced a ‘Keeling Schedule’ which shows the modified version of the applied GDPR for illustrative purposes.
What is the law enforcement processing regime?
Part 3 of the DPA 2018 sets out a separate data protection regime for authorities with law enforcement functions when they are processing for law enforcement purposes. It also applies to their processors. This part implements a separate EU directive on law enforcement processing, and writes it into UK law.
The relevant provisions are:
- sections 29-81; and
- schedules 7-8.
Further reading – ICO guidance
For more on how these provisions work in practice, read our Guide to law enforcement processing.
What is the intelligence services processing regime?
Part 4 of the DPA 2018 sets out a separate data protection regime for the intelligence services – MI5, SIS (sometimes known as MI6) and GCHQ – and their processors. The relevant provisions are:
- sections 82-113; and
- schedules 9-11.
Further reading – ICO guidance
For guidance on how these provisions work in practice, read our Guide to intelligence services processing (which is currently being developed).
Which regime applies?
Identifying the correct regime is important, as although the overall principles are similar, there are some key differences. You will need to be able to demonstrate that you are applying the correct regime.
Most organisations fall under the general processing regime and should read our Guide to GDPR.
If you’re not sure, click through to the next page for more guidance to help you decide.