
The Data Protection Act 2018 and GDPR

Data Protection Act & GDPR

The Data Protection Act 2018 (DPA 2018) works with the General Data Protection Regulation (GDPR) to protect your personal information (personal data).

DPA 2018 updates UK data protection laws for the digital age. It received Royal Assent on 23 May 2018. It works with the General Data Protection Regulation (GDPR) to protect your personal information. The Act provides a comprehensive and modern framework for data protection, with stronger sanctions for malpractice.


GDPR introduced accountability, mandatory personal data breach notification, data portability and new obligations on processors. It gives you the following rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

What Is the DPA 2018?

  • It has replaced the Data Protection Act 1998 (DPA 1998) and is now the law concerning the processing of personal data.
  • It makes the EU General Data Protection Regulation (GDPR) part of UK law, so that most processing of personal data is also subject to the GDPR. Personal data must be processed lawfully and fairly, on the basis of the individual's consent or another specified basis. Individuals can obtain information about the processing of their personal data and ask for incorrect information about them to be rectified.
  • It makes Article 8 of the Charter of Fundamental Rights of the EU, about the right to the protection of personal data, part of UK law.
  • It covers processing of unstructured manual files by public authorities. This is not covered by GDPR or EU Law.
  • Part 3 is about Law Enforcement Processing and brings into force the Data Protection Law Enforcement Directive, which concerns the police and criminal justice sector.
  • Part 4 provides new data protection rules for the intelligence services, which are based on the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Convention 108).
  • Part 5 gives the Information Commissioner new powers with responsibility for monitoring and enforcing its provisions.
  • Part 6 brings all the data protection enforcement powers together and increases maximum fines for breaches. It provides for maximum fines up to 20 million Euro or 4% of the undertaking’s total annual worldwide turnover.
  • Part 6 also introduces two new criminal offences. Section 171 makes it an offence to re-identify de-identified personal data and alter personal data to prevent disclosure and Section 173 makes it an offence to alter personal data to prevent disclosure following a subject access request.

Public Interest Under DPA 2018

Article 6 of GDPR says that personal data can only be processed if there is a lawful basis for it, and Section 8 of DPA 2018 explains that a lawful basis means that processing must be in the public interest or in the exercise of official authority that is necessary for:

  • The administration of justice.
  • The exercise of a function of either House of Parliament.
  • The exercise of a function conferred on a person by an enactment or rule of law.
  • The exercise of a function of the Crown, a Minister of the Crown or a government department.
  • An activity that supports or promotes democratic engagement.

Your Rights Under DPA 2018

Section 13 DPA 2018 regulates access to data held by credit reference agencies.

Section 14 sets out minimum safeguards that should be in place when a significant decision is based on automated processing which is required or authorised by UK law.

  • Data Controllers must inform data subjects in writing, as soon as reasonably practicable, when an automated decision has been made.
  • Within one month of notification, the data subject may request that the controller reconsider the decision or take a new decision not based on automated processing.
  • The controller must consider the request within one month from receipt, comply with it and notify data subjects of steps taken to comply and the outcome of complying.

DPA 2018 Exemptions

GDPR and DPA 2018 contain exemptions to their application. Section 15 DPA 2018 provides direction to the exemptions in Schedules 2, 3 and 4, which disapply some individual personal data rights.

The DPA 2018 includes exemptions for:

  • Crime prevention and taxation purposes.
  • Immigration control.
  • Disclosures required by law or made in connection with legal proceedings.
  • Regulators, so that their activities are not prejudiced.
  • Journalistic, academic, artistic and literary purposes, which are collectively referred to as “the special purposes”, provided the controller believes publication is in the public interest.
  • Research organisations and archiving services if they could be impaired or prevented from achieving their core purpose.

Last Updated: [02/07/2022]