Data Protection Act 2018

Added on: 28/06/2018

The Data Protection Act 2018 (DPA 2018) is the UK's third generation of data protection law and aims to modernise data protection laws to ensure they are effective in the years to come.

What is the difference between the DPA 2018 and the GDPR?
The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 is the details of these. It is therefore important the GDPR and the DPA 2018 are read side by side.

However, the DPA 2018 is not limited to the UK GDPR provisions. It also covers other area such as:

  • The DPA 2018 has a part dealing with processing that does not fall within EU law, for example, where it is related to immigration. It applies GDPR standards but it has been amended to adjust those that would not work in the national context.
  • It also has a part that transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the General Data Protection Regulation (GDPR) and Part 3 of the DPA 2018 sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’.
  • National security is also outside the scope of EU law. The Government has decided that it is important the intelligence services are required to comply with internationally recognised data protection standards, so there are provisions based on Council of Europe Data Protection Convention 108 that apply to them.
  • There are also separate parts to cover the Information Comission and their duties, functions and powers plus the enforcement provisions. The Data Protection Act 1998 is being repealed so it makes the changes necessary to deal with the interaction between Freedom of Information Act 2000 and the DPA.