Data Protection Act 2018
UK legislation implementing GDPR domestically; covers data protection rights, controller and processor obligations, and ICO powers.
Definition
The Data Protection Act 2018 is the UK legislation implementing the General Data Protection Regulation (GDPR) domestically and providing the framework for UK GDPR post-Brexit. It defines data protection rights for individuals, obligations for data controllers and processors, and the powers of the Information Commissioner's Office (ICO). The Act applies to all UK organisations processing personal data, including public sector bodies and their suppliers. Compliance is mandatory; serious failures attract regulatory penalties.
How it works in practice
The Act covers four main areas. Part 1 introduces the framework and definitions. Part 2 applies UK GDPR provisions to most personal data processing. Part 3 covers law enforcement processing (police, prosecuting authorities, prison service) with adapted rules. Part 4 covers intelligence services processing with further adapted rules. Public sector procurement is primarily in scope of Part 2, except for police and intelligence contracts, which fall under Parts 3 and 4 respectively.

The Act and UK GDPR together define seven data protection principles (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; retention limitation; security; accountability), the six lawful bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests), and the rights of data subjects (to be informed, access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making).

For procurement the practical implications are that contracts must include data processing agreements, suppliers must implement appropriate security measures, breaches must be notified, and data must be handled in line with the principles.

Brexit did not materially change UK data protection: UK GDPR substantially mirrors EU GDPR with minor adjustments. The European Commission has granted an adequacy decision allowing free transfer of personal data from the EU to the UK; this is reviewed periodically.
Common questions
How does the Data Protection Act 2018 relate to UK GDPR?
They work together. UK GDPR is the substantive framework; the Data Protection Act 2018 implements UK GDPR domestically and adds UK-specific provisions, including the law enforcement and intelligence services regimes. References to "GDPR" in a UK context usually mean UK GDPR and the Data Protection Act 2018 together.
Did Brexit change UK data protection law?
Not materially. UK GDPR substantially mirrors EU GDPR with minor adjustments. The European Commission has granted an adequacy decision allowing free transfer of personal data from the EU to the UK; this is reviewed periodically and remains in force at the time of writing.
What is the maximum penalty under the Act?
Up to £17.5M or 4 percent of global annual turnover, whichever is higher, for the most serious failures. Lower-tier failures attract penalties up to £8.7M or 2 percent of global annual turnover. The ICO has additional powers including enforcement notices, audit rights, and prosecution for criminal offences.
