The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

At a glance

  • The DPA 2018 sets out the data protection framework in the UK, alongside the UK GDPR. It contains three separate data protection regimes:
    • Part 2: sets out a general processing regime (the UK GDPR);
    • Part 3: sets out a separate regime for law enforcement authorities; and
    • Part 4: sets out a separate regime for the three intelligence services.

In brief

What is the DPA 2018?

The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. It was amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU.

It sits alongside and supplements the UK GDPR - for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.

The ‘applied GDPR’ provisions (that were part of Part 2 Chapter 3) enacted in 2018 were removed with effect from 1 Jan 2021 and are no longer relevant. The processing of manual unstructured data and processing for national security purposes now fall under the scope of the UK GDPR regime.

What is the UK GDPR?

 

The UK GDPR is the UK General Data Protection Regulation [link to legislation.gov.uk]. It is a UK law which came into effect on 01 January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.

It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context,

You may need to comply with both the UK GDPR and the EU GDPR if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. The EU GDPR is regulated separately by European supervisory authorities, and you may need to seek your own legal advice on your EU obligations.

If you hold any overseas data collected before 01 January 2021 (referred to as ‘legacy data’), this will be subject to the EU GDPR as it stood on 31 December 2020 (known as ‘frozen GDPR’). In the short term, there is unlikely to be any significant change between the frozen GDPR and the UK GDPR.

Further reading

We have produced more guidance and resources on Data protection and the end of the transition period.                  

How does the DPA 2018 work?

The DPA 2018 is split into a number of different parts, which apply in different situations and perform different functions. It sets out four separate data protection regimes:

  • Part 2: General processing (UK GDPR);
  • Part 3: Law enforcement processing; and
  • Part 4: Intelligence services processing.

The other parts contain provisions of general application, including interpretation and our functions and powers. When using the DPA 2018 it is important to be clear which set of provisions apply.

Further reading

Before the changes made under the EU Withdrawal Act, we published an overview of the DPA 2018 with a more detailed summary of its structure and content. This may still be useful if you need help navigating the legislation, but please be aware that there have been some changes (in particular the previous GDPR and applied GDPR chapters have now been merged to form the UK GDPR regime). We will consider whether to publish an updated version of this document in due course.

For more guidance on how the provisions work in practice, you should continue to read this Guide.

What is the general processing regime? 

Part 2 of the DPA 2018 supplements and tailors the UK GDPR. For most organisations, this is the part that will apply. You need to read it alongside the UK GDPR itself, as both sets of provisions apply directly to you. The key provisions of this part are:

  • sections 1-28;
  • schedule 1 (conditions for processing some sensitive types of data); 
  • schedules 2-4 (exemptions); and
  • schedule 21 (transitional provisions)

Further reading – ICO guidance

For more on how these provisions work in practice, read our Guide to the UK GDPR.

What is the law enforcement processing regime?

Part 3 of the DPA 2018 sets out a separate data protection regime for authorities with law enforcement functions when they are processing for law enforcement purposes. It also applies to their processors.

The relevant provisions are:

  • sections 29-81; and
  • schedules 7-8.

Further reading – ICO guidance

For more on how these provisions work in practice, read our Guide to law enforcement processing.

What is the intelligence services processing regime?

Part 4 of the DPA 2018 sets out a separate data protection regime for the intelligence services - MI5, SIS (sometimes known as MI6), and GCHQ – and their processors. The relevant provisions are:

  • sections 82-113; and
  • schedules 9-11.

Further reading – ICO guidance

For guidance on how these provisions work in practice, read our Guide to intelligence services processing (which is currently being developed).

Which regime applies?

Identifying the correct regime is important, as although the overall principles are similar, there are some key differences. You will need to be able to demonstrate that you are applying the correct regime.

Most organisations fall under the general processing regime and should read our Guide to UK GDPR.

If you’re not sure, click to the next page for more guidance to help you decide.