Data Protection Act

  • Gov Leglislation
  • Author:UK Government
  • Published:Various
  • Country: United Kingdom

Data Protection Act 1998
1998 CHAPTER 29

An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.

[16th July 1998]

What is the DPA 2018?

The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. It was amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU. [ICO, 14-09-2021]

It sits alongside and supplements the UK GDPR – for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.

The ‘applied GDPR’ provisions (that were part of Part 2 Chapter 3) enacted in 2018 were removed with effect from 1 Jan 2021 and are no longer relevant. The processing of manual unstructured data and processing for national security purposes now fall under the scope of the UK GDPR regime. [ICO, 14-09-2021]

What is the UK GDPR?

The UK GDPR is the UK General Data Protection Regulation. It is a UK law that came into effect on 01 January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.

It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context,

You may need to comply with both the UK GDPR and the EU GDPR if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. The EU GDPR is regulated separately by European supervisory authorities, and you may need to seek your own legal advice on your EU obligations. [ICO, 14-09-2021]

Act ACT 2008 Data Data Protection Data Protection Act 1998 Data Protection ACT 2008 GDPR