What’s the Difference Between UK Data Protection Act 2018 & UK GDPR?

Annie Greenley-Giudici

Your guide to how the Data Protection Act 2018 and the EU GDPR regulations are connected

The UK Data Protection Act 2018 (DPA) is the UK’s domestic law that supplements and enacts the EU General Data Protection Regulation (GDPR). While the GDPR provides the core framework of data protection principles, the DPA includes specific provisions and exemptions tailored for the UK context, such as rules for national security, public authorities, and the age of consent.

Most UK businesses and organizations must comply with two major data privacy regulations that came into force on May 25, 2018:

  1. The EU General Data Protection Regulation (GDPR)
  2. The UK Data Protection Act (DPA) 2018

The UK Data Protection Act (DPA) took effect on the same day because it is meant to be read in conjunction with the EU General Data Protection Regulation (GDPR).

It’s been several years since both privacy management laws were enacted. There is still some confusion about the similarities and differences, including questions like:

  • What does the UK DPA say about managing privacy?
  • Did the GDPR replace the DPA in the UK?
  • How is data privacy management handled differently in the EU GDPR compared with the UK DPA?

What is DPA and what does the Data Protection Act say about managing privacy?

The United Kingdom’s DPA is a domestic law originally passed in 1988 that governs how personal data and other information are managed in the UK. This data privacy regulation was updated in 1998, and then replaced on May 25, 2018, with the UK DPA 2018.

The basic concepts covered in the Data Protection Act include:

  • People have a fundamental right to privacy
  • People have a right to find out what information about them is collected and stored by the government and other organizations
  • Organizations that collect information must build trust by managing privacy correctly
  • Personal data can only be collected and used for specified and explicit purposes – and those purposes must be fair, lawful and transparent
  • Records containing personal information must be accurate and, where necessary, kept up to date – these records must not be kept for longer than is necessary
  • Organizations must follow privacy management rules about data security, including protecting data from unlawful and/or unauthorized access, processing, loss, damage or destruction
  • Organizations must be especially careful about how they handle sensitive personal information.

Infographic illustrating Data Protection Act 2018 and UK GDPR principles, highlighting lawful data processing, personal data rights, transparency, security, and compliance.

Did the GDPR (General Data Protection Regulation) replace the DPA (Data Protection Act) in the UK?

The UK DPA includes stronger rules for managing privacy of people’s personal information relating to:

  • Ethnic background
  • Political opinions
  • Religious beliefs
  • Health
  • Sexual life
  • Criminal history

How the ICO enforces UK GDPR and Data Protection Act Rules

The Information Commissioner’s Office (ICO) regulates all data protection in the UK and provides best practice rules for managing data privacy and related risks including security breaches.

The ICO’s role includes:

  • Monitoring compliance with all relevant data protection regulations including the UK Data Protection Act 2018 and the GDPR;
  • Monitoring breach reports, conducting audits and advisory visits;
  • Offering advice and guidance on protecting and managing information;
  • Handling concerns, complaints and other inquiries; and
  • Enforcing data privacy regulation with legal action where appropriate, including issuing fines.

The ICO also cooperates with data protection authorities in other countries, including the European Data Protection Board, which includes representatives from data protection authorities in each EU member state.

Did the EU General Data Protection Regulation replace the Data Protection Act in the UK?

No. The EU GDPR and the UK DPA have both applied since May 25, 2018.

However, after Brexit, the government and other organizations in the UK were also required to comply with the UK General Data Protection Regulation, which became law on January 1, 2021.

All organizations that offer goods or services to people in Europe, or that monitor the behavior of individuals in Europe, must still comply with the EU GDPR. The rule changes in the UK GDPR were designed to put the GDPR in a UK context.

The UK DPA codifies GDPR rules in UK law and includes extra requirements or exemptions to the GDPR.

GDPR vs. Data Protection Act: Key Differences Explained

Did the EU General Data Protection Regulation replace the Data Protection Act in the UK?

No. The EU GDPR and the UK DPA have both applied since May 25, 2018 and are mostly based on similar principles about data protection and privacy management.

While the EU GDPR and the UK DPA share similar principles, there are some important differences that are often a source of confusion.

Comparison: UK Data Protection Act (DPA) 2018 vs. EU General Data Protection Regulation (GDPR)

  • National Security & Crime
    UK DPA 2018: Includes exemptions for processing related to national security or defense purposes.
    EU GDPR: Allows member states wiggle room to change aspects of the legislation under Article 23.
  • Freedom of Information
    UK DPA 2018: Exempts GDPR application for processing unstructured manual data by certain government bodies.
    EU GDPR: No specific exemptions for unstructured manual data in this context.
  • Compliance Reports
    UK DPA 2018: Requires organizations to keep “appropriate policy documents” for processing special categories of data.
    EU GDPR: Does not have a similar explicit requirement for these documents.
  • Data Subject Access Request (DSAR)
    UK DPA 2018: Includes specific scenarios where organizations can refuse DSARs.
    EU GDPR: Provides clear data subject rights but with fewer explicit exceptions for refusal.
  • Age of Consent
    UK DPA 2018: Minimum age of consent for data processing is 13 years old in the UK.
    EU GDPR: Minimum age of consent is 16 years old, unless a member state lowers it (e.g., to 13).
  • ICO Codes of Practice
    UK DPA 2018: Requires the ICO to produce codes of practice to guide organizations.
    EU GDPR: No similar requirement for a national body to produce specific codes of practice.

Better manage UK DPA and EU GDPR Compliance

We know privacy management can be complex, but it doesn’t have to be hard. Here are some useful resources to help your organization comply with data privacy regulations:

Automate Your Privacy Program

Centralize privacy tasks, automate your program, and seamlessly align with laws and regulations.

Essential Guide to the GDPR

Practical steps to manage the EU General Data Protection Regulation, including a compliance roadmap for implementation.
