Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
🔒 International Privacy

UK Data Protection Act 2018

The UK Data Protection Act 2018 forms, together with the UK GDPR, the comprehensive data protection framework of the United Kingdom post-Brexit.

LinkedIn X WhatsApp

Summary

The UK Data Protection Act 2018 (DPA 2018) is the United Kingdom's principal data protection statute and forms, together with the UK GDPR, the comprehensive framework for the protection of personal data. It replaced the Data Protection Act 1998 and came into force on 25 May 2018, simultaneously with the EU GDPR.

The Act supplements the UK GDPR with UK-specific provisions in areas where the EU GDPR left discretion to Member States. It governs the processing of personal data under three regimes: general data processing (Part 2, under the UK GDPR), law enforcement processing (Part 3, implementing the EU Law Enforcement Directive), and processing by intelligence services (Part 4).

Following Brexit, the DPA 2018 was amended by regulations under the European Union (Withdrawal) Act 2018 to function as a standalone framework outside the EU. The Data (Use and Access) Act 2025 introduced further amendments, which are being commenced in phases between 2025 and 2026.

History

The Data Protection Act 2018 was introduced as the Data Protection Bill in the House of Lords in September 2017 to embed the EU General Data Protection Regulation into United Kingdom national law. The Act received Royal Assent on 23 May 2018 and came into force on 25 May 2018 — the same day the EU GDPR became applicable across the Union. It replaced the Data Protection Act 1998.

On 1 January 2021, the DPA 2018 was amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) to reflect the United Kingdom's departure from the EU. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and made broad amendments to the UK GDPR and the DPA 2018. The headline changes concern general and commercial processing (Part 2, under the UK GDPR): a new "recognised legitimate interests" lawful basis, relaxed rules for automated decision-making (Art. 22), subject access requests (SARs) limited to "reasonable and proportionate" searches, a new international data transfer framework, and a broadened definition of scientific research; further amendments affect Parts 3 and 4. Most provisions are being commenced in phases through mid-2026.

Scope

The DPA 2018 applies to the processing of personal data in the United Kingdom under three distinct regimes:

  • General data processing (Part 2): Supplements the UK GDPR for the processing of personal data by controllers and processors. Includes UK-specific exemptions, conditions for processing special categories of data, and exemptions for journalism, research, and archiving.
  • Law enforcement processing (Part 3): Implements the EU Law Enforcement Directive (LED, Directive (EU) 2016/680) and applies to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offences.
  • Intelligence services (Part 4): Governs the processing of personal data by the UK intelligence services (MI5, MI6, GCHQ) under a separate framework tailored to national security.
  • Information Commissioner's Office (ICO): The DPA 2018 strengthens the powers of the ICO as the independent supervisory authority, including enforcement notices, penalty notices (up to GBP 17.5 million or 4% of global annual turnover), and assessment notices.
  • Extraterritorial reach: Applies to controllers and processors outside the United Kingdom that process personal data of individuals in the United Kingdom.

Key Requirements

  • Conditions for special categories of data (Schedule 1): Processing of sensitive data (health, race, religion, sexual orientation, biometric data) requires, in addition to a legal basis under Article 9 UK GDPR, a condition from Schedule 1 of the DPA 2018.
  • Law enforcement processing (Part 3): Competent authorities must carry out data protection impact assessments, maintain logs of automated processing operations, and implement special safeguards for sensitive data.
  • Exemptions for journalism and research (Schedule 2): The DPA 2018 provides specific exemptions from certain UK GDPR rights for journalistic, scientific, and historical research purposes, as well as archiving in the public interest.
  • Appropriate policy document (Schedule 1, para. 39): Controllers processing special categories of data on certain grounds must prepare a policy document describing the procedures and retention periods.
  • Age threshold for children's consent (Section 9): The United Kingdom sets the age threshold for children's consent in relation to information society services at 13 years (compared to 16 years under the EU GDPR).
  • National security processing (Part 4): Intelligence services are subject to standalone data protection obligations with oversight by the Information Commissioner and the Investigatory Powers Tribunal.

Predecessors

GDPR/DSGVO

Related Frameworks

GDPR/DSGVO

Corrections & Errata

2026-QA-307 Correction 29 May 2026
Typo 'erlaaesst' in the German key_dates entry for the 2021 adequacy decision

In the 28 June 2021 key_dates entry, event_de contains the misspelled word 'erlaaesst'. Correct: 'erlaesst'.

Full details on the errata page →
2026-QA-306 Correction 29 May 2026
DUAA amendments described as limited to Parts 3 and 4 — core changes affect Part 2 / UK GDPR

The entry states the Data (Use and Access) Act 2025 introduced only 'amendments to Parts 3 and 4 of the DPA 2018'. In fact the most significant DUAA changes concern general processing (Part 2 DPA / UK GDPR): new 'recognised legitimate interests' lawful basis, relaxed automated decision-making (Art. 22), SAR searches limited to 'reasonable and proportionate', new international transfer framework, broadened research definition.

Full details on the errata page →

Content last reviewed: 29 May 2026. Found an error or need an update? [email protected]