What is DPA 2018 (UK Data Protection Act)?

The UK Data Protection Act 2018 is the United Kingdom's implementation of the GDPR into domestic law, supplementing the UK GDPR with provisions for law enforcement processing, intelligence services, and specific UK exemptions.

The Data Protection Act 2018 (DPA 2018) is the United Kingdom's comprehensive data protection legislation that works alongside the UK GDPR (the retained EU GDPR as amended for the UK post-Brexit). The DPA 2018 supplements the UK GDPR by providing detailed provisions in areas where the GDPR allows member state flexibility, and it also covers processing activities outside the scope of the UK GDPR, such as law enforcement processing and intelligence services processing.

The DPA 2018 establishes the Information Commissioner's Office (ICO) as the UK's independent supervisory authority for data protection. It defines the conditions for processing special category data and criminal conviction data, sets out specific exemptions including for journalism, research, and national security, and provides detailed rules for automated decision-making. The Act also implements the EU Law Enforcement Directive for processing by competent authorities for law enforcement purposes.

Following Brexit, the UK operates under its own data protection regime (UK GDPR plus DPA 2018), which is largely aligned with the EU GDPR but may diverge over time as the UK pursues its own regulatory approach. The EU granted the UK an adequacy decision in June 2021, facilitating data transfers between the EU and UK. Organizations operating in the UK should use ComplyIQ to track UK-specific requirements and ensure compliance with both the UK GDPR and DPA 2018.
