The DPA 2018 is based on the European Union’s GDPR and aligns with its principles and requirements.

However, the DPA 2018 also includes additional provisions and exemptions tailored specifically to the UK context.

DPA 2018 encompasses a wide range of data protection and privacy aspects, including:

Data protection principles: The DPA 2018 establishes a set of data protection principles that organizations must adhere to when processing personal data. These principles include lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

Protection of personal data: The DPA 2018 applies to the processing of personal data, which refers to any information that relates to an identified or identifiable individual (data subject). This includes not only obvious identifiers such as names and addresses but also other data points that can be used to identify individuals, either directly or indirectly.

Data controllers and processors: The DPA 2018 distinguishes between data controllers and data processors. A data controller determines the purposes and means of processing personal data, while a data processor acts on behalf of the data controller. Both controllers and processors have specific obligations and responsibilities under the legislation.

Lawful basis for processing: The DPA 2018 outlines the lawful bases for processing personal data. Organizations must establish a lawful basis to process personal data, such as the data subject's consent, the necessity of processing for the performance of a contract, compliance with legal obligations, protection of vital interests, performance of a task carried out in the public interest or in the exercise of official authority, and legitimate interests pursued by the data controller or a third party.

Data subject rights: The DPA 2018 grants individuals certain rights over their personal data. These rights include the right to be informed, the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling.

Special categories of personal data: The DPA 2018 places additional safeguards on the processing of special categories of personal data, which includes sensitive information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, and data concerning an individual's sex life or sexual orientation.

International data transfers: The DPA 2018 governs the transfer of personal data outside the UK. It aligns with the EU General Data Protection Regulation (GDPR) provisions concerning international data transfers and ensures that adequate safeguards are in place when personal data is transferred to countries or organizations outside the UK.

UK Government Information Commissioner's Office (ICO): The DPA 2018 grants powers and responsibilities to the Information Commissioner's Office (ICO) as the UK's independent regulatory authority for data protection. The ICO oversees and enforces compliance with the DPA 2018, investigates data breaches, and provides guidance and advice to organizations and individuals on data protection matters.


Speak to an expert.