UK Data Protection Act 2018: Overview & Summary

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: March 14, 2025


The United Kingdom is protected by the UK Data Protection Act 2018 (DPA 2018), a law that works alongside the UK General Data Protection Regulation (UK GDPR), which is like the EU GDPR but accounts for the 2020 withdrawal of the UK from the European Union.

Below, I summarize the UK Data Protection Act 2018, including who it applies to, how it impacts businesses and consumers, its different requirements, penalties for violating the law, and how it works with the UK GDPR.

Table of Contents
  1. What Is the UK Data Protection Act 2018
  2. UK Data Protection Act 2018 Key Terms and Definitions
  3. What Does the UK Data Protection Act Cover
  4. Requirements of the UK Data Protection Act
  5. How The UK Data Protection Act Affects Consumers
  6. How The UK Data Protection Act Affects Businesses
  7. Who Must Comply with the DPA 2018
  8. How Can Businesses Comply with the DPA 2018
  9. How Is the UK Data Protection Act Enforced
  10. Fines and Penalties Under the UK Data Protection Act
  11. How Termly Helps with UK Data Protection Act Compliance
  12. Summary

What Is the UK Data Protection Act 2018

The UK Data Protection Act 2018, or the DPA 2018, is a domestic law established in the UK that makes up part of the legal privacy framework for the region alongside the UK GDPR.

It governs how personal information is collected, stored, and used and supplements and extends some of the standards laid out by the UK GDPR.

Data Protection Act Effective Date

The DPA 2018 became effective on May 25, 2018.

Brief History of The Data Protection Act, The UK GDPR, & The EU GDPR

To understand how the DPA 2018 and the UK GDPR work together, I need to explain what happened to the UK’s privacy framework after the country withdrew from the EU.

Technically, the Data Protection Act and the EU GDPR were introduced and entered into force before the UK withdrew from the European Union on Jan. 31, 2020.

The UK passed the DPA 2018 because the EU GDPR contains over 30 areas of flexible provisions or additional rules that permit national variations in how member states interpret the Regulation. Enacting the Data Protection Act 2018 allowed the UK to give further effect to the GDPR in those flexible areas.

However, once the UK withdrew from the EU, the GDPR ceased to have effect in the region. To prevent a legal vacuum, the UK government used the European Union (Withdrawal) Act 2018 to incorporate the text of the EU GDPR into domestic UK law.

The UK also secured an adequacy decision confirming that the data protection regimes in the country were equivalent to the EU's, allowing data to continue to flow from the EU.

Finally, the DPA 2018 was amended to align with the new UK GDPR and remains in force.

Today, the UK GDPR is nearly identical to the EU GDPR, and both outline the same data subject rights, legal bases, and business obligations and requirements.

UK Data Protection Act 2018 Key Terms and Definitions

According to Section 3 of the DPA 2018, the terms used in the Act have the same meaning as they have in Article 4 of the UK GDPR, which you can view below:

When these phrases are used in this guide, it’s with these specific definitions in mind.

What Does the UK Data Protection Act Cover

The DPA 2018 covers the personal information of people in the United Kingdom.

It applies to all UK-based businesses and organizations and to any data controllers or processors who:

  • Offer goods or services to people in the UK, or
  • Are outside of the UK but monitor people in the UK.

Requirements of the UK Data Protection Act

Below, I’ve summarized the main requirements of the DPA 2018 and how it impacts businesses.

Principles for Data Processing

Under the UK Data Protection Act 2018, personal data must be processed fairly, transparently, and lawfully.

Entities can only lawfully collect necessary data that’s relevant and proportionate to the purposes as disclosed to the consumer in a compliant privacy notice.

Any information not considered ‘necessary’ or ‘reasonable’ cannot be collected unless explicit, opt-in, informed consent is first obtained.

Rights of the Data Subject

The UK DPA 2018 solidifies the rights of UK data subjects as written in the UK GDPR, which include the right to:

  • Access their data
  • Correct their data
  • Erase their data
  • Restrict the processing of their data
  • Object to data processing

Special Categories of Data

The DPA 2018 requires data controllers to have a clear legal basis for processing “special categories” of data, such as the following sensitive personal information:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Sex life or sexual orientation

It also introduced the “criminal offence data” category, which makes the processing of personal data relating to criminal convictions and proceedings lawful for authorized entities.

Data Security

Under the DPA 2018, entities must ensure they’re securely processing personal data.

The processing must include appropriate organizational and technical measures that keep personal data, whatever its amount or type, safe from unauthorized access or other harm.

These security requirements are also found in the UK GDPR.

Law Enforcement

Part 3 of the UK DPA 2018 allows a competent authority to lawfully process personal data for law enforcement purposes.

More specifically, it outlines the following requirements:

  • Data processed for law enforcement purposes must be processed lawfully and fairly, adhering to the core data protection principles outlined by the DPA 2018 and UK GDPR,
  • The data must be collected for clearly defined and legitimate law enforcement purposes,
  • Only necessary, adequate, relevant data can be processed for law enforcement purposes,
  • All personal data processed for law enforcement purposes can only be kept for as long as necessary for the intended purposes and no longer,
  • Only competent authorities can process data in this manner, meaning police forces and other authorized UK agencies.

How The UK Data Protection Act Affects Consumers

The UK Data Protection Act impacts consumers by solidifying their privacy rights, as the UK GDPR outlines.

Users in the UK can submit verifiable requests to exercise these rights at any time, and entities must respond in a timely manner or risk facing fines for noncompliance.

Data subject requests to exercise their privacy rights must be honored whenever it is technically feasible, and the burden of proof rests on the business.

How The UK Data Protection Act Affects Businesses

Beyond the legal requirements already mentioned in this guide, the UK Data Protection Act also affects businesses’ privacy and cookie policies.

Because the Data Protection Act integrates with the UK GDPR in Part 2 of the law, it requires businesses to present users with a compliant privacy notice explaining:

  • What personal data you want to collect,
  • Your legal basis for collecting the data,
  • The rights data subjects have over their information and how to act on those rights,
  • If you share data with third parties,
  • Your data retention policy,
  • Your company contact information.

Similarly, businesses need to update their cookie policies to identify and explain all cookies used by the website.

The cookie policy must be presented to users as soon as they land on the page to keep them adequately informed under both laws.

Who Must Comply with the DPA 2018

All UK businesses, entities, and organizations are required to comply with the UK Data Protection Act.

It also applies to entities outside of the UK that meet the following criteria:

  • Offer goods or services to people in the UK,
  • Monitor the online behaviors of people in the UK.

How Can Businesses Comply with the DPA 2018

To comply with the DPA 2018, businesses must also comply with the UK GDPR, which means implementing all the following on your website or app:

  • Publish an up-to-date privacy notice on your site meeting all transparency requirements,
  • Publish an up-to-date cookie policy on your site identifying all cookies it uses and explaining their purpose,
  • Add a cookie consent banner to your site with access to a preference center to allow UK users to follow through on their opt-out rights outlined by both laws,
  • Use compliant contracts between data processors and third-party data controllers,
  • Ensure data transfers are legally compliant and in line with both laws,
  • Have a means for receiving and responding to verified requests from data subjects to follow through on their privacy rights,
  • Implement security measures to protect all personal data from unauthorized access and other harm.

If your processing of special categories of data is likely to result in high risk (e.g., large-scale biometric data use), you must conduct a DPIA to assess and mitigate risks.

How Is the UK Data Protection Act Enforced

The DPA 2018 is enforced by the Information Commissioner’s Office (ICO).

The ICO is responsible for performing investigations and taking action against an entity that’s failed to comply with the DPA 2018 and the UK GDPR.

They also provide insights and guidance for interpretations of the Act, the Regulation, and the overall privacy framework in the UK.

Fines and Penalties Under the UK Data Protection Act

Violations of the UK GDPR may result in fines of up to 4% of annual global turnover or £17.5 million (whichever is higher). However, the DPA 2018 sets separate penalties for specific violations, such as unlawful law enforcement processing.

How Termly Helps with UK Data Protection Act Compliance

Termly helps businesses easily comply with laws like the UK Data Protection Act (and the UK GDPR!) by offering legally backed policy solutions, like our Privacy Policy Generator and Consent Management Platform (CMP).

Our Privacy Policy Generator is updated on a regular basis and includes the notification requirements as outlined by over 25 privacy laws from around the world.

See an example of what it looks like in the screenshot below.

[Screenshot: Termly Privacy Policy Generator]

You can also use Termly’s CMP to set up a compliant cookie consent banner with access to an accurate cookie policy and a preference center so your UK users can easily exercise their various rights.

It comes with a free Data Subject Access Request (DSAR) form, which makes receiving and responding to these requests even more efficient and seamless for your business.

Summary

The UK is protected by the Data Protection Act of 2018 and the UK GDPR, two strong privacy frameworks that provide several rights to consumers and outline various strict obligations and guidelines businesses must follow.

To comply with the DPA 2018, plan to update your privacy and cookie policies, add a DSAR form to your website, and use a CMP that adequately meets all opt-in and opt-out requirements described by this law and the UK GDPR.

To simplify compliance, use solutions like Termly’s Privacy Policy Generator and CMP, and stay on the right side of UK privacy laws (and beyond!).


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
