What do you need to know about the Data Protection Act 2018 and UK GDPR?

We all have data which is personal to us that we share, some of which is even sensitive. As a result, as a business processing that personal data you are expected to do so responsibly. The law also expects this, therefore if you or your business processes personal data, you must comply with Data Protection legislation.

With recent advancements in digital technology, the Data Protection Act 1998 had become outdated. As a result, the Data Protection Act 2018 (DPA 2018) came into force, replacing and updating the 1998 Act. The DPA 2018 came into effect on 25th May 2018 and was amended on 1st January 2021 to reflect the UK’s status outside of the EU.

The new legislation ensures that the personal data used by individuals and companies is used both properly and legally.

I have set out below a summary of the essentials your business needs to know, the changes the new legislation has made which may affect your business, plus the consequences for failure to comply with the law.

The Essentials

The DPA 2018 alongside the UK General Data Protection Regulation sets out the data protection framework in the United Kingdom which every business processing personal data must comply with in order to avoid receiving a penalty. The DPA 2018 contains three separate data protection regimes:

· Part 2: sets out a general processing regime;

· Part 3: sets out a separate regime for law enforcement authorities; and

· Part 4: sets out a separate regime for the three intelligence services.

These parts apply in different situations and perform different functions.

For most organisations, Part 2 will apply. This needs to be read alongside the UK GDPR.

However, your organisation must be aware that there are other parts of the Act containing provisions of general application, interpretation, functions and powers. These must be complied with also.

Most importantly, it is crucial that you identify the correct regime. Although the overall principles are similar, there are some key differences across the three regimes, and it is essential that your organisation can demonstrate that it is applying the correct one. The Information Commissioner’s Office provides a helpful article, Which Regime?, to help your organisation decide.

What are the differences: DPA 1998 v DPA 2018

Here are some of the key changes the DPA 2018 has made which, as a business, you will need to be aware of:

1. One of the key differences in the new legislation is that it requires businesses to be more transparent and accountable. It also places limits on storage as well as strengthening confidentiality.

2. Additionally, there is an increased emphasis on the rights of individuals particularly concerning access, being informed, rectification, data portability, process restriction, and objection.

Ultimately, the new legislation requires organisations to take a more proactive approach to data protection. A good starting point is to ensure that you implement all of the Data Protection Principles in your business. Further guidance on the DPA 2018 can also be found on the Information Commissioner’s Office’s website.

Failure to comply

Failure to comply with the data protection laws can incur a monetary penalty issued by the Information Commissioner. It is therefore all the more important for businesses to ensure they comply with data protection laws.

There are two tiers of penalty for infringement under Part 3 of the Data Protection Act 2018 which the Information Commissioner’s Office may issue. These are known as the higher maximum and the standard maximum. The higher maximum can result in a business being fined £17.5 million or 4% of the total annual worldwide turnover of the preceding financial year, whichever amount is higher, whereas the standard maximum incurs a £8.7 million fine or 2% of the total annual worldwide turnover. Infringements attracting the higher maximum tend to include a failure to comply with the data protection principles, with the rights individuals have under Part 3 of the Data Protection Act 2018, or with the rules on transfers of data to third countries. Infringements attracting the standard maximum are those of other provisions, such as the administrative requirements of the legislation.

Useful Resources

This blog post was created by Rebecca Watson, who has just completed her third year as an MLaw student at Northumbria University. For the last year, Rebecca worked in the Business & Commercial firm within the Student Law Office. After finishing her degree, Rebecca is looking to obtain a training contract and qualify as a solicitor in a commercial firm. Rebecca hopes to take a gap year after completion of her studies and travel!