How does the Data Protection Act 2018 supplement the GDPR in the UK?


  • Makes the previous data protection laws fit for the digital age when an increasing amount of data is now being processed.
  • Empowers individuals to take control of their own data.
  • Supports organisations and UK businesses with this change.
  • Ensures the UK is ready for the future after Brexit.

DCMS Secretary of State Matt Hancock stated: "The Data Protection Act gives people more control over their data, supports businesses in their use of data, and prepares Britain for Brexit. In the digital world, strong cybersecurity and data protection go hand in hand. The 2018 Act is a key component of our work to secure private data online."

What does the Act enable?

  • Provides a modern and comprehensive framework for information security in the UK, with much stronger sanctions for noncompliance;
  • Sets new criteria for data protection, following the GDPR, giving individuals much more control over how their data is used and offering them new rights to request that private information be moved or deleted;
  • Preserves existing exemptions that have worked well in the Information Protection Act 1998, ensuring that organizations and UK companies can still help community leading research, financial services, authorized services, and journalism;
  • Provides a bespoke framework tailored to the requirements of UK criminal justice organizations and the intelligence services, safeguarding the rights of victims, suspects, and witnesses while preserving the ability to handle the changing dynamics of the global risks the UK faces.


The Data Protection Act 2018 received Royal Assent on May 23rd, 2018. It delivered on the government's pledge to upgrade the UK's data protection laws.

The Information Protection Act 1998 proved to be effective and positioned the UK at the forefront of data protection requirements worldwide. The 2018 Act modernizes data protection regulations in the UK, providing a future-proof foundation for the increasingly digital society and economy.

Additionally, the 2018 Act applies the EU's GDPR standards, preparing Britain for Brexit. With strong data protection laws and proper safeguards in place, companies will be able to work across international borders. This facilitates global trade and brings the UK to the highest level of security, making it a dependable and trustworthy trade partner. With the DPA 2018, the UK guarantees that new, innovative uses of data can continue while, at the same time, strengthening the control and protection individuals have over their data.

The primary components of the 2018 Act

Overall information processing:

  • Implements GDPR requirements across almost all necessary data processing;
  • Provides transparency regarding the definitions applied to the GDPR in the UK context;
  • Ensures that health, education, and social care information can still be processed while ensuring that data confidentiality and safeguarding situations are maintained;
  • Restricts the rights to access and delete data to allow specific processing where there is a proper public policy justification (e.g., national security);
  • Sets 13 as the age from which parental consent is not needed to process information online, supported by a new age-appropriate code enforced by the Information Commissioner.

Police processing:

  • Provides a bespoke plan for the processing of personal data by the authorities, prosecutors, and other criminal justice agencies for police purposes.
  • Allows unhindered data flows worldwide while providing safeguards to protect private data.

Intelligence services processing:

  • Ensures the regulations governing the processing of personal data by the intelligence services stay in line and up to date with modernized global standards, including proper safeguards, so that the intelligence community is able to deal with emerging, new, and existing national security threats.

Enforcement and regulation:

  • Grants additional powers to the Information Commissioner, who will continue to regulate and enforce data protection laws.
  • Allows the Commissioner to levy higher administrative fines on data controllers and processors for the most critical data breaches, as much as £17m (€20m) or up to 4% of worldwide turnover for the most severe violations.
  • Empowers the Commissioner to bring criminal proceedings for offenses in which a data controller or processor alters records with intent to prevent disclosure following a subject access request.

Crucial Questions & Answers

How does the Act differ from the GDPR? 

The Act is a comprehensive data protection system; it governs the general data covered by the GDPR, as well as law enforcement data and national security data. Moreover, the Act applies a selection of agreed adjustments to the GDPR that benefit the UK in areas such as academic research, financial services, and child protection.

What's the effect on businesses?

Organizations that currently work to the standard set by the Information Protection Act 1998 should be well positioned to comply with the new standards. The Act enables UK organizations to continue exchanging data with the EU and the wider global community, which is essential to many companies.

Does the Act require organizations to enhance cybersecurity?

Successful data security depends on organizations sufficiently protecting their IT infrastructure from malicious interference. By implementing the GDPR standards, the Act requires organizations that handle personal data to evaluate the risks of processing such data and to implement appropriate measures to mitigate those risks. For many organizations, such measures include adequate cybersecurity controls.

Written by

Renato Zamagna

Originally published on October 24, 2019

Last update on July 16, 2021