Data Protection Act 2018

From Wikipedia, the free encyclopedia

Data Protection Act 2018
Act of Parliament
Long title: An Act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner’s functions under certain regulations relating to information; to make provision for a direct marketing code of practice; and for connected purposes.
Citation: 2018 c. 12
Introduced by: Matt Hancock (Commons); Henry Ashton, 4th Baron Ashton of Hyde (Lords)
Territorial extent: United Kingdom of Great Britain and Northern Ireland
Royal assent: 23 May 2018
Commencement: May 2018
Other legislation
Repeals/revokes: Data Protection Act 1998
Amended by: Public Services Ombudsman (Wales) Act 2019; Sentencing Act 2020; Armed Forces Act 2021; Advanced Research and Invention Agency Act 2022; Health and Social Care Act 2022
Relates to: General Data Protection Regulation, Data Protection Act 1998
Status: Current legislation

The Data Protection Act 2018 (c. 12) is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

The Act was to be significantly amended by the Data Protection and Digital Information Bill. However, that bill was abandoned due to the 2024 United Kingdom general election.[1]


The Data Protection Bill was introduced to the House of Lords by Lord Ashton of Hyde, Parliamentary Under-Secretary of State at the Department for Digital, Culture, Media and Sport on 13 September 2017.[2]

The Data Protection Act 2018 received royal assent on 23 May 2018. The Act came into effect on 25 May 2018. It was amended on 1 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK's status outside the EU. It replaces the Data Protection Act 1998.[3]

The Act applies the data protection standards set out in the GDPR and, where the GDPR allows EU member states to make different choices for its implementation in their country, defines those choices for the UK.[4]


The Act has seven parts. These are outlined in Section 1:[5]

  1. This Act makes provision about the processing of personal data.
  2. Most processing of personal data is subject to GDPR.
  3. Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
  4. Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
  5. Part 4 makes provision about the processing of personal data by the intelligence services.
  6. Part 5 makes provision about the Information Commissioner.
  7. Part 6 makes provision about the enforcement of the data protection legislation.
  8. Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.

The Act introduces new offences that include knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such disclosure, or retaining the data obtained without consent. Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed would also be an offence.[6]

Essentially, the Act implements the EU Law Enforcement Directive,[7] implements those parts of the GDPR which "are to be determined by Member State law", and creates a framework similar to the GDPR for the processing of personal data which is outside the scope of the GDPR. This includes intelligence services processing, immigration services processing and the processing of personal data held in unstructured form by public authorities.

Under section 3 of the European Union (Withdrawal) Act 2018,[8] the GDPR will be incorporated directly into domestic law immediately after the UK exits the European Union.

The enforcement of the Act by the Information Commissioner's Office is supported by a data protection charge on UK data controllers under the Data Protection (Charges and Information) Regulations 2018. Exemptions from the charge were left broadly the same as for the 1998 Act: largely some businesses' and non-profits' internal core purposes (staff or members, marketing and accounting), household affairs, some public purposes, and non-automated processing.[9][10] Under the 2018 Act, the enforcement regime for registration changed from criminal to civil monetary penalties.[11]

The Act introduces a new public interest test applicable to the research processing of personal health data.[12]

The Act gave people the right to apply to courts and tribunals for different orders, including: to the tribunal for an order that the Information Commissioner conduct an investigation (section 166); to the court for compliance orders against the Commissioner or controllers or processors (section 167); and to the tribunal against penalty notices and other enforcement decisions (section 162). The jurisdiction, extent and limits of these sections have been the subject of a campaign of litigation, reaching as high as the Court of Appeal.[13][14][15][16]


The Data Protection Act (2018) is a revision of the Data Protection Act (1998) which emphasises that organizations should be more responsible with information and which improves confidentiality.[17] The later revision also works in tandem with the GDPR, which the Data Protection Act (1998) did not do.[18]

From the Data Protection Act (1998) to the Data Protection Act (2018), the key additions are the following:[17]

  • the right to erasure
  • inclusions of exemptions of the Data Protection Act
  • being regulated in tandem with the GDPR

The revision allowed lawmakers to add the ability to erase any data if the individual so chooses; this is based on the premise of the basic right to privacy.[17]

The 2018 version allowed people to get a clear interpretation of the exemptions of the act, which was unclear in the 1998 version.[18]

When the Data Protection Act (1998) was being made, the GDPR did not exist, thus there was no law for the DPA to work with. Eventually, with the creation of the GDPR, the DPA was updated to work in tandem.[19]


  1. Whannel, Kate (25 May 2024). "Which laws were passed in final days of Parliament?". BBC News. Retrieved 26 May 2024.
  2. This article incorporates text published under the United Kingdom Open Parliament Licence: Brown, Thomas (5 October 2017). "Data Protection Bill [HL]: Briefing for Lords Stages". House of Lords Library.
  3. This article incorporates text published under the British Open Government Licence: "About the DPA 2018". Information Commissioner's Office. 18 January 2022. Retrieved 30 January 2022.
  4. "Data Protection Act 2018 Factsheet – Overview" (PDF). Department for Digital, Culture, Media and Sport. 23 May 2018.
  5. "Data Protection Act 2018". UK Government. Retrieved 8 August 2018. This article contains quotations from this source, which is available under the Open Government Licence v3.0. © Crown copyright.
  6. "New Data Protection Act finalised in the UK". www.out-law.com. Retrieved 29 August 2018.
  7. Directive (EU) 2016/680 of the European Parliament and of the Council
  8. "European Union (Withdrawal) Act 2018". UK Government. Retrieved 8 August 2018.
  9. Review of exemptions from paying charges to the Information Commissioner's Office (PDF) (Report). Department for Digital, Culture, Media and Sport. November 2018. Retrieved 30 April 2020.
  10. "The Data Protection (Charges and Information) Regulations 2018 - Schedule Exempt Processing". legislation.gov.uk. Retrieved 30 April 2020.
  11. "ICO issues the first fines to organisations that have not paid the data protection fee". Information Commissioner’s Office. 28 November 2018. Archived from the original on 28 September 2020. Retrieved 1 May 2020.
  12. Taylor, Mark J.; Whitton, Jess (2020). "Public Interest, Health Research and Data Protection Law: Establishing a Legitimate Trade-Off between Individual Control and Research Access to Health Data". Laws. 9 (1). MDPI: 6. doi:10.3390/laws9010006. hdl:11343/258554. This article incorporates text from this source, which is available under the CC BY 4.0 license.
  13. James Killock and Michael Veale v ICO (Information rights - Freedom of Information - exceptions : practice and procedure) [2021] UKUT 299 (AAC), 24 November 2021, retrieved 24 February 2024
  14. "Our Adtech challenge: what we won, what we lost and what we do next". Open Rights Group. Retrieved 24 February 2024.
  15. Delo, R (On the Application Of) v Information Commissioner & Anor [2022] EWHC 3046 (Admin), 2 December 2022, retrieved 24 February 2024
  16. Delo, R (On the Application Of) v The Information Commissioner (Rev1) [2023] EWCA Civ 1141, 10 October 2023, retrieved 24 February 2024
  17. Zaheer, Adnan. "Data Protection Act 1998 - Be Compliant | Seers". Seers | Articles. Retrieved 16 November 2020.
  18. "About the DPA 2018". ico.org.uk. 28 September 2020. Retrieved 16 November 2020.
  19. "Data Protection Act 2018". ico.org.uk. 20 July 2020. Archived from the original on 7 August 2018. Retrieved 16 November 2020.
