The UK Data Protection Act 2018 and UK General Data Protection Regulation

The Data Protection Act 2018 is a UK law that sets out how personal data must be collected, handled and stored to protect people’s privacy. It also gives individuals the right to know what personal data is held about them and to have that data erased in certain circumstances.

The Act came into force on 25 May 2018 and replaced the Data Protection Act 1998.

Read the full text of the DPA 2018

Book a DPA 2018 training course

The DUAA (Data (Use and Access) Act 2025) came into law on 19 June 2025. We are currently reviewing and updating our information pages to account for the changes to UK data protection law introduced by the Act. If you need any expert guidance on how your data processing obligations will change, contact our experts today.

The UK GDPR is the UK’s post-Brexit version of the EU GDPR.

EU regulations apply in member states with all the force of domestic law. After the UK left the EU on 1 January 2019, there was a transition period, during which EU law applied in the UK.

The transition period ended on 31 December 2020 and EU law ceased to apply directly.

The DPPEC (Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit)) Regulations 2019 – secondary legislation passed under the EU Withdrawal Act – then amended the EU GDPR to create a domestic data protection law: the UK GDPR.

The UK GDPR is very similar to the EU GDPR, so organisations that comply with the latter are likely to be in compliance with the former.

Learn more about GDPR compliance

Remember that if you process EU residents’ personal data, you will still have to comply with the EU GDPR.

The UK GDPR is substantially similar to the EU GDPR.

For instance, data subjects still have the same rights:

• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
• Rights in relation to automated decision-making and profiling.

There are still six data processing principles and six lawful bases for lawful processing, and data controllers and processors are still obliged to ensure the security of the personal data they process.

Learn more about GDPR compliance

However, there are some areas of divergence.

Child consent age

• EU GDPR: A child can consent to data processing at age 16.
• DPA 2018/UK GDPR: A child can consent at age 13.

Processing of criminal data

• EU GDPR: Processors of criminal data must have official authority to do so.
• DPA 2018/UK GDPR: Processors of criminal data do not require official authority.

Automated decision making/processing

• EU GDPR: Data subjects have rights to refuse automated decision making or profiling.
• DPA 2018/UK GDPR: Permits automated profiling subject to legitimate grounds for doing so.

Data subject rights

• EU GDPR: Enhances data subjects’ rights relating to how their personal data is processed.
• DPA 2018/UK GDPR: Data subject rights can be waived if they significantly inhibit an organisation’s legitimate need to process data for scientific, historical, statistical and archiving purposes.

Privacy vs Freedom of Expression

• DPA 2018/UK GDPR: An exemption exists in relation to the processing of personal data if it is in the public interest.

Representatives

• EU GDPR: Many non-EU data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in the EU.
• DPA 2018/UK GDPR: Many non-UK data controllers and processors that offer goods and services to, or monitor the behaviour of, data subjects in the UK must appoint a representative in the UK.

Administrative fines

• EU GDPR: The maximum fine for non-compliance is €20 million or 4% of annual global turnover.
• DPA 2018/UK GDPR: The maximum fine for non-compliance is £17.5 million.

Since the end of the Brexit transition period on 31 December 2020, the EU GDPR no longer applies to the processing of UK residents’ personal information.

However, it does still apply to UK organisations that process EU residents’ personal data.

If you are in the UK and offer goods and services to, or monitor the behaviour of, EU residents, you may need to:

• Appoint an EU representative.
• Identify a lead supervisory authority in the EU.
• Update any contracts governing EU–UK data transfers to incorporate standard contractual clauses; and/or
• Update your policies, procedures, and other documentation in light of the changes you make.

As revised by the DPPEC Regulations, the UK DPA 2018’s main provisions are as follows.

• Part 2, Chapter 2 supplements the UK GDPR and should be read alongside the Regulation by every UK organisation that processes personal data.
• Part 2, Chapter 3 sets out exemptions for manual unstructured processing and for national security and defence purposes.
• Part 3 sets out the regime for processing personal data for law enforcement purposes. 
• Part 4 sets out the regime for processing personal data by the UK’s intelligence services.

(Part 1 contains preliminary information, Part 5 deals with the powers of the Information Commissioner, Part 6 covers enforcement and Part 7 provides supplementary information.)

Identifying which data processing regime applies to the processing you carry out is essential.

What is the Data Protection Act 2018 (DPA 2018)?
The DPA 2018 is the UK’s data protection law. It sets out how personal data must be handled, aligning UK law with the GDPR while adding UK-specific provisions.

Which organisation soes the DPA 2018 apply to?
The DPA 2018 applies to any organisation that processes personal data in the UK, whether public sector, private sector or charity. It also covers organisations outside the UK if they process data about UK residents.

Are the principles of DPA 1998 similar to DPA 2018?
Yes. Both Acts are based on principles of fairness, lawfulness and security, but DPA 2018 updates and expands the principles to align with GDPR, adding stronger rights for individuals and tighter accountability for organisations.

Does the GDPR work in conjunction with the DPA 2018?
Yes. The GDPR and DPA 2018 work together in the UK. GDPR sets the framework, while DPA 2018 tailors certain rules for the UK, such as exemptions, criminal offence processing and powers for the ICO.

What is the difference between GDPR and DPA 2018?
GDPR is EU legislation that provides the baseline for data protection. The DPA 2018 is the UK’s national law that sits alongside it, applying GDPR standards in the UK and adding extra rules where needed.

What is personal data under the DPA 2018?
Personal data means any information that can identify a living individual, directly or indirectly – such as names, addresses, IDs, online identifiers or other factors relating to identity.

What happens if the DPA 2018 is breached?
If an organisation breaches the DPA 2018, the ICO can investigate, issue enforcement notices and impose fines of up to £17.5 million or 4% of annual global turnover.

What is the main purpose of the DPA 2018?
The main purpose is to protect people’s privacy by setting clear rules for how personal data is collected, used, stored and shared, while giving individuals rights over their information.

GRC Solutions has been at the forefront of GDPR compliance solutions since before the Regulation came into effect.

We can help you identify your data protection requirements and provide a wide range of GDPR and data protection books, training and staff awareness courses, tools, policy templates, software and consultancy services to help you comply.

• UK GDPR and DPA 2018 after Brexit Training Course 
• GDPR Gap Analysis
• GDPR EU Representative
• Data Privacy Solutions