Your Guide to How UK Data Protection Act & EU GDPR Regulations Are Connected

Most UK businesses and organizations must comply with two major data privacy regulations that came into force on May 25, 2018:

  1. The EU General Data Protection Regulation (GDPR)
  2. The UK Data Protection Act (DPA) 2018

The UK Data Protection Act (DPA) took effect on the same day because it is meant to be read in conjunction with the EU General Data Protection Regulation (GDPR).

Several years after both privacy management laws were enacted, there is still some confusion about their similarities and differences, including questions like:

  • What does the UK DPA say about managing privacy?
  • Did the GDPR replace the DPA in the UK?
  • How is data privacy management handled differently in the EU GDPR compared with the UK DPA?

What does the UK Data Protection Act (DPA) say about managing privacy?

The United Kingdom’s DPA is a domestic law originally passed in 1988 that governs how personal data and other information are managed in the UK. This data privacy law was updated in 1998 and then replaced on May 25, 2018, by the UK DPA 2018.

The basic concepts covered in the Data Protection Act include:

  • People have a fundamental right to privacy
  • People have a right to find out what information about them is collected and stored by the government and other organizations
  • Organizations that collect information must build trust by managing privacy correctly
  • Personal data can only be collected and used for specified and explicit purposes – and those purposes must be fair, lawful and transparent
  • Records containing personal information must be accurate and, where necessary, kept up to date – these records must not be kept for longer than is necessary
  • Organizations must follow privacy management rules about data security, including protecting data from unlawful and/or unauthorized access, processing, loss, damage or destruction
  • Organizations must be especially careful about how they handle sensitive personal information

Did the GDPR (General Data Protection Regulation) replace the DPA in the UK?

The UK DPA includes stronger rules for managing the privacy of personal information relating to:

  • Ethnic background
  • Political opinions
  • Religious beliefs
  • Health
  • Sexual life
  • Criminal history

How are data privacy risks and other UK DPA rules policed?

The Information Commissioner’s Office (ICO) regulates all data protection in the UK and provides best practice rules for managing data privacy and related risks including security breaches.

The ICO’s role includes:

  • Monitoring compliance with all relevant data protection regulations, including the UK Data Protection Act 2018 and the GDPR;
  • Monitoring breach reports, conducting audits and advisory visits;
  • Offering advice and guidance on protecting and managing information;
  • Handling concerns, complaints and other inquiries; and
  • Enforcing data privacy regulation with legal action where appropriate, including issuing fines.

The ICO also cooperates with data protection authorities in other countries, including the European Data Protection Board, which includes representatives from data protection authorities in each EU member state.

Did the EU General Data Protection Regulation replace the Data Protection Act in the UK?

No. The EU GDPR and the UK DPA have both applied since May 25, 2018.

However, after Brexit, the government and other organizations in the UK were also required to comply with the UK General Data Protection Regulation (UK GDPR), which became law on January 1, 2021.

All organizations that offer goods or services to people in Europe, or that monitor the behavior of individuals in Europe, must still comply with the EU GDPR. The rule changes in the UK GDPR were designed to place the GDPR in a UK context.

The UK DPA codifies GDPR rules in UK law and adds extra requirements to, or exemptions from, the GDPR.

How is data privacy management handled differently in the GDPR compared with the UK DPA?

The EU GDPR and the UK DPA are mostly based on similar principles about data protection and privacy management.

However, there are some important differences:

  • National security and crime – The GDPR gives member states some leeway to adapt aspects of the legislation under the terms of Article 23. These changes are generally limited to specific scenarios such as national security, crime and legal proceedings, and other special categories of data.
  • Freedom of information – The DPA exempts from the GDPR processing that is necessary to safeguard national security or for defense purposes, as well as unstructured manual data held by certain government bodies designated by freedom of information legislation.
  • Compliance reports – The DPA requires organizations to keep ‘appropriate policy documents’ related to processing special categories of data. These documents explain how the controller complies with the data protection principles and set out its policies for how these categories of data are retained and erased.
  • Data subject access requests – The DPA includes exceptions to data subject rights in specific scenarios in which organizations can refuse data subject access requests (DSARs).
  • Age of consent – The minimum age of consent for processing a person’s data is 13 years old in the UK under the DPA, and 16 years old under the GDPR.
  • Information Commissioner’s Office codes of practice – The DPA also requires the ICO to produce codes of practice to guide organizations on staying compliant when processing data in specific scenarios and/or industries.

How TrustArc can help you manage UK DPA and EU GDPR compliance

We know privacy management can be complex, but it doesn’t have to be hard. Here are some useful resources to help your organization comply with data privacy regulations: