Data Protection Act 2018

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Data Protection Act 2018
Act of Parliament
Long titleAn Act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner’s functions under certain regulations relating to information; to make provision for a direct marketing code of practice; and for connected purposes.
Citation2018 c 12
Introduced byMatt Hancock (Commons)
Henry Ashton, 4th Baron Ashton of Hyde (Lords)
Territorial extentUnited Kingdom of Great Britain and Northern Ireland
Royal assent23 May 2018
CommencementMay 2018
Other legislation
RepealsData Protection Act 1998
Relates toGeneral Data Protection Regulation, Data Protection Act 1998
Status: Current legislation
Text of the Data Protection Act 2018 as in force today (including any amendments) within the United Kingdom, from

The Data Protection Act 2018 (c 12) is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and updates the Data Protection Act 1998.


The Data Protection Act 2018 achieved Royal Assent on 23 May 2018. It applies the EU's GDPR standards.[1] Whereas the GDPR gives member states limited opportunities to make provisions for how it applies in their country, one element of the DPA 2018 is the details of these, applying as the national law. The DPA 2018 is however not limited to the UK GDPR provisions.[2]


The Act has seven parts. These are outlined in Section 1:[3]

  1. This Act makes provision about the processing of personal data.
  2. Most processing of personal data is subject to GDPR.
  3. Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
  4. Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
  5. Part 4 makes provision about the processing of personal data by the intelligence services.
  6. Part 5 makes provision about the Information Commissioner.
  7. Part 6 makes provision about the enforcement of the data protection legislation.
  8. Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.

The Act introduces new offences that include knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such disclosure, or retaining the data obtained without consent. Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed would also be an offence.[4]

Essentially, the Act implements the EU Law Enforcement Directive,[5] it implements those parts of the GDPR which 'are to be determined by Member State law' and it creates a framework similar to the GDPR for the processing of personal data which is outside the scope of the GDPR. This includes intelligence services processing, immigration services processing and the processing of personal data held in unstructured form by public authorities.

Under section 3 of the European Union (Withdrawal) Act 2018,[6] the GDPR will be incorporated directly into domestic law immediately after the UK exits the European Union.

The enforcement of the Act by the Information Commissioner's Office is supported by a data protection charge on UK data controllers under the Data Protection (Charges and Information) Regulations 2018. Exemptions from the charge were left broadly the same as for 1998 Act: largely some businesses and non-profits internal core purposes (staff or members, marketing and accounting), household affairs, some public purposes, and non-automated processing.[7][8] Under the 2018 Act the enforcement regime for registration changed from criminal to civil monetary penalties.[9]


  1. ^ "Publishing Service" (PDF). Gov-UK.
  2. ^ "Data Protection Act 2018". 2018-07-20. Retrieved 2018-08-29.
  3. ^ "Data Protection Act 2018". UK Government. Retrieved 8 August 2018. UKOpenGovernmentLicence.svg This article contains quotations from this source, which is available under the Open Government Licence v3.0. © Crown copyright.
  4. ^ "New Data Protection Act finalised in the UK". Retrieved 2018-08-29.
  6. ^ "European Union (Withdrawal) Act 2018". UK Government. Retrieved 8 August 2018.
  7. ^ Review of exemptions from paying charges to the Information Commissioner's Office (PDF) (Report). Department for Digital, Culture, Media and Sport. November 2018. Retrieved 30 April 2020.
  8. ^ "The Data Protection (Charges and Information) Regulations 2018 - Schedule Exempt Processing". Retrieved 30 April 2020.
  9. ^ "ICO issues the first fines to organisations that have not paid the data protection fee". Information Commissioner’s Office. 28 November 2018. Retrieved 1 May 2020.

External links[edit]