Data Protection Act 2018
Data Protection Act 2018 (c. 12)
The Data Protection Act 2018 is the UK's national data protection law that supplements the UK GDPR and implements rules for areas outside its scope, including law enforcement and intelligence services processing. Together with the UK GDPR it forms the UK's data protection framework.
Jurisdiction: 🇬🇧 United Kingdom
Type: Data privacy
In effect: 2018
Authority: Information Commissioner's Office (ICO)
Who it applies to
Organizations and public authorities processing personal data in the UK, including general processing under the UK GDPR, law enforcement processing, and intelligence services processing.
Identity requirements
- Provide additional conditions for processing special category and criminal offence identity data
- Apply exemptions and safeguards that affect handling of identity data
- Set appropriate security measures for law enforcement and other regulated processing
- Support individual rights and access requests in conjunction with the UK GDPR
- Enable ICO enforcement, audit, and accountability powers over identity data processing
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Sets extra conditions and safeguards for processing sensitive and criminal-offence identity data. |
| Audit, logging & accountability | Underpins ICO audit and enforcement powers and accountability over identity data processing. |
| Identity governance (IGA) | Defines exemptions and special-category conditions that shape governance of identity attributes. |
| Breach notification | Supports the UK breach-reporting regime applied alongside the UK GDPR. |
Penalties
Enforced via the ICO using UK GDPR fine levels of up to 17.5 million pounds or 4 percent of worldwide annual turnover, plus specific offences under the Act.
Official source
https://www.legislation.gov.uk/ukpga/2018/12/contents
Data Protection Act 2018: frequently asked questions
- What does the Data Protection Act 2018 do?
- It supplements the UK GDPR and sets national rules for areas outside its scope, such as law enforcement and intelligence processing, plus exemptions and conditions for sensitive data.
- How does the DPA 2018 relate to the UK GDPR?
- The two operate together: the UK GDPR sets the main framework while the DPA 2018 tailors it for the UK and covers processing the UK GDPR does not.
- Who enforces the Data Protection Act 2018?
- The Information Commissioner's Office (ICO) enforces the Act, with powers to investigate, audit, and issue fines.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.