UK Data Protection Act 2018 & UK GDPR
Understand the post-Brexit data protection regime that combines UK GDPR with the Data Protection Act 2018.
Overview
The UK Data Protection Act 2018 (DPA 2018) sits alongside the UK GDPR to govern how organisations collect, use, disclose, and retain personal data in the United Kingdom. The framework mirrors many EU GDPR concepts but includes UK-specific exemptions, enforcement bodies, and criminal offences.
Who Must Comply?
- UK-based controllers and processors handling personal data
- Overseas organisations offering goods/services to UK residents
- Entities monitoring the behaviour of UK residents
- Public authorities (with tailored provisions in Part 3 and Part 4)
- Law enforcement and intelligence services (specific regimes in DPA 2018)
Regulatory Structure
- UK GDPR: Core principles, lawful bases, rights, and supervision
- DPA 2018 Part 2: UK-specific provisions and exemptions
- DPA 2018 Part 3: Law enforcement processing (LED)
- DPA 2018 Part 4: Intelligence services processing
- ICO: Independent regulator enforcing the regime
UK GDPR Principles
| Principle | Implementation Guidance |
|---|---|
| Lawfulness, Fairness & Transparency | Ensure a valid lawful basis and communicate processing in an accessible, plain-English privacy notice. Record legitimate interests assessments where applicable. |
| Purpose Limitation | Collect personal data for specified purposes and avoid incompatible secondary uses unless an exemption applies under DPA 2018 Schedule 2. |
| Data Minimisation | Capture only the data points necessary to achieve the stated purpose. Embed data minimisation in forms, systems design, and procurement criteria. |
| Accuracy | Keep records up to date and provide self-service correction routes. DPA 2018 Schedule 1 adds obligations when processing special category data for employment, health, or safeguarding. |
| Storage Limitation | Define retention schedules, apply secure deletion/archiving policies, and align with statutory obligations such as the Companies Act or financial regulations. |
| Integrity & Confidentiality | Implement proportionate technical and organisational controls (encryption, access management, security testing) tailored to the risk profile. Document risk assessments in your Records of Processing Activities (RoPA). |
| Accountability | Demonstrate compliance via policies, training, supplier due diligence, DPIAs, and senior governance forums. Maintain evidence for ICO audits or investigations. |
Lawful Bases for Processing
- Consent: Freely given, specific, informed, and unambiguous indication.
- Contract: Necessary to fulfil or prepare a contract with the individual.
- Legal Obligation: Required by UK law (e.g., tax, employment, health & safety).
- Vital Interests: Protecting someone’s life or physical wellbeing.
- Public Task: Performing a function in the public interest or official authority.
- Legitimate Interests: Balancing organisational needs against individual rights.
Tip: Document your lawful basis in RoPA records and reference it in privacy notices.
Special Category & Criminal Data
The DPA 2018 introduces additional conditions (Schedule 1) when processing sensitive data such as health, biometric, or criminal offence information.
- Conduct a Data Protection Impact Assessment (DPIA) for high-risk processing.
- Implement an Appropriate Policy Document (APD) describing safeguards and retention.
- Record additional condition relied upon (e.g., employment law, substantial public interest).
- Ensure secure handling, access logging, and staff vetting.
Individual Rights under UK GDPR
Handling Requests
- Target response time: one month (extendable by two months for complex cases).
- Verify identity before releasing personal data.
- Log requests end-to-end with timestamps and decision rationale.
- Know exemptions (e.g., legal privilege, management forecasting) defined in DPA 2018 schedules.
Key Rights
- Access, rectification, erasure, restriction, portability, and objection
- Rights related to automated decision-making and profiling
- Right to withdraw consent at any time
- Right to complain to the Information Commissioner’s Office (ICO)
Practical Tip: Build self-service portals for access or rectification to streamline compliance and audit trails.
Data Protection Officer (DPO)
- Mandatory for public authorities, large-scale monitoring, or large-scale special category processing.
- DPO must report to the highest management level and operate independently.
- Responsible for training, DPIA oversight, liaison with ICO, and monitoring compliance.
- Document DPO appointment and resources provided.
Personal Data Breach Response
- Assess risk promptly and document decision-making within incident response plans.
- Notify the ICO within 72 hours if risk to individuals is likely.
- Inform affected individuals without undue delay if risk is high.
- Maintain breach logs even when notification is not required.
- Review root causes and update security controls post-incident.
International Data Transfers
Transfer Mechanisms
- Adequacy regulations issued by the UK government
- International Data Transfer Agreements (IDTAs)
- Addendum to EU Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Derogations for specific situations (explicit consent, vital interests)
Due Diligence
- Conduct Transfer Risk Assessments (TRAs) for non-adequate destinations
- Review supplier security and local surveillance laws
- Document safeguards and monitoring plans
Post-Brexit Considerations
- EU organisations transferring to the UK rely on EU adequacy decision (2021)
- UK organisations sending data to the EU typically rely on UK adequacy regulations
- Monitor future UK divergence for updates to adequacy and contractual clauses