Data Protection Act 2018 – what is it?

If the UK data protection laws were a meal...

UK Data Protection Laws 101 – No, it’s not just GDPR.

What do you think of when someone mentions data protection laws? Probably the GDPR, considering the amount of press it received in the run-up to its 25th May 2018 deadline.

But did you know there are other data protection laws that should be on your radar too?

For those who didn’t know, the GDPR is supported by other data protection laws. These laws are just as important as the GDPR but have mostly stayed in its shadow.

Here’s a visualisation: if you think of the data protection laws as a meal, the GDPR would be the burger, the DPA 2018 the chips, and PECR & ePrivacy Directive would comprise the condiments and drink.

All are vital parts of the meal and work well to complement each other and create a meal, but the GDPR has very much been the main event.

Food-related analogy aside, the GDPR has been, by far, the most discussed data privacy law of late, and rightly so, considering the leaps and bounds in the way we process data today. But the other three laws and directives are also fundamental for businesses and the handling of data privacy.


Data Protection Laws 101

We’ve therefore decided to shed some light on the data privacy laws that you and your business need to know about through our 4-part series.

In this weekly series, we will give you the low-down on the nitty-gritty, from what the laws are to how they impact businesses, what the implications of non-compliance are and more.

The first on our list is the DPA. And no, it hasn’t been nullified by the GDPR.


The Data Protection Act 2018

For those who have read about the GDPR in depth, you might already be aware of the Data Protection Act 1998. Most literature surrounding the GDPR has said that the new regulation is replacing the DPA 1998. This is technically true to an extent, but it’s not a like-for-like swap.


What is it?

The DPA 2018 is the third generation of data protection laws, which replaced the 1998 act on 25th May 2018, when GDPR came into force. The 1998 act has been updated as a separate, supporting act for the GDPR and is intended to modernise current data protection laws to ensure they are effective. It covers areas of data protection that do not fall within EU law and adjusts the GDPR for the UK. It provides stronger legal protection for more sensitive information like race, ethnic background, religious beliefs and biometrics.


Why has it been created?

Although the GDPR has incorporated the intents of DPA 1998, it is a regulation that spans the world. The GDPR is not tailored to any specific country but rather applies to all businesses that process EU personal data.

The Data Protection Act 2018 is the method by which the UK will implement and manage the GDPR, overseen by the Information Commissioner’s Office (ICO).

In essence, it’s a privacy regime by which the UK will manage the GDPR.

So, whoever manages and handles personal data in your business must follow the data protection principles set out by the DPA 2018.


Figure: A survey by the UK Government identifying preparations made for the DPA 2018


What’s the difference between the GDPR and the Data Protection Act 2018?

The GDPR directly affects all EU member states but gives them limited opportunities to make provisions for how the regulation applies to their own country.

The DPA is the UK’s means of applying more control to the regulation, outlining the specific details. It applies to all organisations in the UK that process the data of UK-based citizens.

In essence, the act applies the standards and requirements outlined by the GDPR, but it adjusts the rules which don’t fit the context of the UK.


What happens if my business is not DPA 2018 compliant?

The DPA 2018 states that if a person has ‘failed or is failing’ the provisions of the DPA (Section 149 (2), (3), (4) or (5)), or ‘has failed to comply with an information notice, an assessment notice or an enforcement notice’, they may be required to pay the Commissioner a penalty.

This penalty is given by a written notice, a.k.a. a “penalty notice”. Whether or not you receive a fine and the amount of the fine depends on:

  1. The extent to which the notice relates to and affects GDPR compliance principles (listed in Article 83 (1) and (2) of the GDPR);
  2. The extent to which the notice concerns items 3 (a) to (l) of Part 4 Chapter 6 Item 155 of the Data Protection Act 2018. These include:
    1. the nature, gravity and duration of the failure;
    2. any action taken by the data controller or processor to mitigate damage or distress;
    3. any relevant previous failures by the controller or processor.

The specific amount for fines is specified by the Commissioner by written notice.

For more about the penalties, take a look at Item 155 Penalty Notices of the DPA 2018 here.


Further reading:

The full DPA 2018:

DPA 2018 quick overview:
