At a glance

  • Most organisations fall under the general processing regime. Go to our Guide to the GDPR.
  • If you are a ‘competent authority’ with law enforcement functions and you are processing for law enforcement purposes, or you are a processor acting on their behalf, you fall under the law enforcement regime. Go to our Guide to law enforcement processing.
  • If you are a ‘competent authority’ processing for other non-law enforcement purposes, you fall under the general processing regime. Go to our Guide to the GDPR.

In brief

Why does it matter?

There are three separate regimes set out in the DPA 2018. Identifying the correct regime is important, as although the overall principles are similar, there are some key differences in the detail. You will need to be able to demonstrate that you are applying the correct regime.

How do I decide which regime applies?

Most processing falls under the general processing regime, and most organisations should read our Guide to the GDPR.

However, law enforcement bodies and intelligence agencies, or processors acting on their behalf, will need to comply with a separate regime for much of their processing.

If you’re not sure which regime applies to you, this flowchart may help you decide:

  1. Are you a competent authority (or a processor acting on their behalf)?

A competent authority means any of the authorities listed in schedule 7 of the DPA 2018 (external link), or any other organisation or person with statutory law enforcement functions.

No: go to question 2.

Yes: go to question 3.

  1. Are you an intelligence service (or a processor acting on their behalf)?

The intelligence services are the Security Service (MI5), the Secret Intelligence Service (SIS, sometimes known as MI6), and the Government Communications Headquarters (GCHQ).

Yes: your processing falls under the intelligence services processing regime in part 4 of the DPA 2018. Read our Guide to intelligence services processing (these pages are currently under development).

No: your processing falls under the general processing regime in part 2 of the DPA 2018. Read our Guide to the GDPR. You don’t need to consider question 3.

  1. Are you processing for law enforcement purposes?

You should only answer this question if you answered ‘yes’ to question 1.

Law enforcement purposes means the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and prevention of threats to public security.

It does not include general organisational or administrative purposes (eg employment purposes).

Yes: as long as you are a competent authority (or its processor), your processing falls under the law enforcement processing regime in part 3 of the DPA 2018. Read our Guide to law enforcement processing.

No: your processing falls under the general processing regime in part 2 of the DPA 2018. Read our Guide to the GDPR.

Further reading – ICO guidance

We have more guidance for competent authorities on identifying the correct regime in the scope and key definitions section of our Guide to law enforcement processing.