Data Protection Act 2018 and UK GDPR
A guide to the Data Protection Act 2018 and UK GDPR for UK businesses, covering data protection principles, lawful bases for processing, individual rights and compliance obligations.
The Data Protection Act 2018 (DPA 2018) is the UK’s main data protection legislation. It supplements and tailors the UK General Data Protection Regulation (UK GDPR), which was retained in UK law after Brexit. Together, these two instruments form the legal framework governing how organisations collect, store, use and share personal data.
Every business that handles personal data – which means virtually every business – must comply with this framework. The Information Commissioner’s Office (ICO) enforces the rules and has the power to impose fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is greater.
For a practical overview of GDPR principles in a business context, see the GDPR for businesses guide.
Key definitions
| Term | Meaning |
|---|---|
| Personal data | Any information relating to an identified or identifiable living individual |
| Special category data | Sensitive data: racial origin, political opinions, religious beliefs, health, biometrics, etc. |
| Data controller | The organisation that determines the purposes and means of processing |
| Data processor | An organisation that processes personal data on behalf of a controller |
| Data subject | The individual whose personal data is being processed |
| Processing | Any operation on personal data, including collection, storage, alteration, disclosure and erasure |
The seven data protection principles
The UK GDPR sets out seven principles that must be followed whenever personal data is processed:
| Principle | Requirement |
|---|---|
| Lawfulness, fairness and transparency | Process data lawfully, fairly and in a transparent manner |
| Purpose limitation | Collect data for specified, explicit and legitimate purposes; do not process it further in a way incompatible with those purposes |
| Data minimisation | Only collect data that is adequate, relevant and limited to what is necessary |
| Accuracy | Keep data accurate and up to date; rectify or erase inaccurate data without delay |
| Storage limitation | Do not keep data longer than necessary for the purposes for which it was collected |
| Integrity and confidentiality | Process data securely, protecting against unauthorised access, loss or destruction |
| Accountability | The controller must be able to demonstrate compliance with all of the above |
Lawful bases for processing
You must have a lawful basis before processing personal data. The UK GDPR provides six:
| Lawful basis | When it applies |
|---|---|
| Consent | The individual has given clear, affirmative consent for a specific purpose |
| Contract | Processing is necessary to perform a contract with the individual |
| Legal obligation | Processing is necessary to comply with the law |
| Vital interests | Processing is necessary to protect someone’s life |
| Public task | Processing is necessary for a task in the public interest |
| Legitimate interests | Processing is necessary for the controller’s legitimate interests, unless overridden by the individual’s rights |
Most businesses rely primarily on contract, legal obligation and legitimate interests. Consent is harder to manage because it must be freely given, specific, informed and unambiguous, and the individual can withdraw it at any time.
Processing special category data requires both a lawful basis and a separate condition under Article 9 of the UK GDPR or Schedule 1 of the DPA 2018, such as explicit consent, employment law obligations or substantial public interest.
Individual rights
Data subjects have the following rights under the UK GDPR:
| Right | What it means |
|---|---|
| Right of access (SAR) | Request a copy of personal data and information about how it is processed |
| Right to rectification | Ask for inaccurate data to be corrected |
| Right to erasure | Ask for data to be deleted in certain circumstances |
| Right to restrict processing | Ask for processing to be limited while issues are resolved |
| Right to data portability | Request data in a structured, commonly used format |
| Right to object | Object to processing based on legitimate interests or direct marketing |
| Automated decision-making | Challenge decisions made solely by automated means with significant effects |
You must respond to a Subject Access Request (SAR) within one calendar month. This can be extended by a further two months for complex or numerous requests, but you must inform the individual within the first month.
Accountability obligations
The accountability principle requires organisations to demonstrate compliance, not just assert it.
Records of processing activities
If your organisation has 250 or more employees, you must maintain written records of processing activities (ROPA). Smaller organisations must also keep records if their processing is not occasional or if it involves special category data.
Data Protection Impact Assessments (DPIAs)
A DPIA is required before any processing likely to result in a high risk to individuals, such as systematic profiling, large-scale processing of special category data or systematic monitoring of public areas.
Data Protection Officer (DPO)
You must appoint a DPO if your core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category data. Even if not legally required, many organisations appoint a DPO voluntarily.
Data processing agreements
When you use a data processor (such as a payroll provider or cloud storage service), you must have a written data processing agreement covering security measures, sub-processing restrictions and obligations on data return or deletion.
Data breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
| Action | Timeframe |
|---|---|
| Report to the ICO | Within 72 hours of becoming aware (if the breach is likely to result in a risk to individuals’ rights and freedoms) |
| Notify affected individuals | Without undue delay (if the breach is likely to result in a high risk to their rights and freedoms) |
| Record the breach internally | All breaches, regardless of whether they are reported to the ICO |
Failure to report a notifiable breach is itself a compliance failure that can attract a fine.
International data transfers
Transferring personal data outside the UK is restricted unless the destination country has an adequacy decision or appropriate safeguards are in place. The UK recognises adequacy for transfers to the EEA/EU. Where no adequacy decision exists, businesses commonly rely on the International Data Transfer Agreement (IDTA), Binding Corporate Rules for intra-group transfers, or specific derogations such as explicit consent.
ICO enforcement
The ICO’s enforcement powers include information notices (requiring organisations to provide information), assessment notices (allowing compliance audits), enforcement notices (requiring specific actions), penalty notices (fines up to £17.5 million or 4% of turnover) and criminal prosecution for certain offences such as unlawfully obtaining personal data.
Practical steps for businesses
- Audit your data – identify what personal data you hold, where it comes from, who you share it with and how long you keep it
- Establish lawful bases – document the lawful basis for each processing activity
- Update your privacy notice – ensure it is clear, comprehensive and accessible
- Implement security measures – encryption, access controls, regular backups and staff training
- Create a data breach procedure – know how to detect, report and respond to breaches within 72 hours
- Handle SARs efficiently – have a process for responding to requests within one month
- Review data sharing agreements – ensure contracts with processors meet UK GDPR requirements
- Train your staff and maintain your ROPA and compliance documentation