Understanding the UK Data Protection Act

What is the UK Data Protection Act?

The Data Protection Act (hereafter “DPA”) is the UK’s data protection and privacy legislation. The DPA complements the European General Data Protection Regulation (hereafter “GDPR”; since Brexit, the retained “UK GDPR”) and supplements it with provisions adapted to the particular national context of the UK.

The Information Commissioner’s Office (ICO) is the national data protection authority. It upholds information rights in the public interest by promoting openness in public bodies and data privacy for individuals in the UK.

The Data Protection Act was adopted in 2018, two days before the GDPR became applicable across the EU on 25 May 2018[1]. It replaces its 1998 predecessor, which had not kept pace with modern methods of processing personal data, with a legal framework that sits alongside the GDPR and is adapted to today’s technology.

Brexit has had a significant impact on the UK’s data protection regime. Since the end of the transition period on 31 December 2020, the UK is no longer subject to the EU GDPR. Instead, the UK GDPR (the GDPR as retained in domestic law) together with the DPA applies to any organisation processing the personal data of individuals in the UK, in the same way the EU GDPR did before. The EU GDPR nevertheless continues to apply to UK companies wherever they process the personal data of individuals in the EU, for instance when offering goods or services to them.

What data is covered by the act?

The Data Protection Act covers the processing of all ‘personal data’, which refers to information relating to a living individual (known as a ‘data subject’). For data to fall under the definition of personal data, it must be able to identify an individual, either on its own or when combined with other information. Consequently, truly anonymised data is not subject to the DPA; pseudonymised data, which can still be attributed to an individual with additional information, remains personal data.

What does the DPA put in place?

The main purpose of the Act is to give individuals the ability to manage and control their personal data and assist organizations in the processing of such information in a lawful manner.

The GDPR allows Member States to make certain adjustments to accommodate national needs. Consequently, the Act adapts the GDPR by introducing specific conditions for processing sensitive data and incorporating exemptions tailored to the UK. Additionally, it outlines regulations and enforcement mechanisms within the UK.

The DPA establishes the same principles as the GDPR, known as the “data protection principles”.

Organisations, businesses and the government must make sure the data they use is

  • used fairly, lawfully and transparently (lawfulness, fairness and transparency);
  • used for specified, explicit purposes (purpose limitation);
  • used in a way that is adequate, relevant and limited to only what is necessary (data minimisation);
  • accurate and, where necessary, kept up to date (accuracy);
  • kept for no longer than is necessary (storage limitation);
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage (integrity and confidentiality).

Similar to the GDPR, the DPA sets stricter rules for what it considers to be sensitive data (“special category data”), namely data revealing or concerning:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

Although there are many similarities, the DPA introduces distinct measures to protect personal data relating to criminal convictions and offences (see “GDPR derogation” below).

The Data Protection Act introduced new rights for individuals in the UK that are, for the most part, the same as the ones introduced by the GDPR. These rights can be exercised by any individual whose personal data are being processed by another entity (e.g. a company or a non-profit).

Those rights are:

  • the right to be informed about how your data is being used and processed;
  • the right to access the personal data that the entity holds about you;
  • the right to have incorrect data corrected (also known as the right to rectification);
  • the right to have your personal data erased (the right to be forgotten);
  • the right to stop or restrict the processing of your data;
  • the right to data portability (allowing you to obtain and reuse your data across different services);
  • the right to object to how your data is processed in certain circumstances.

Furthermore, the UK Act transposes the Law Enforcement Directive (LED) framework, which governs the processing of personal data by competent authorities for law enforcement purposes. Since the LED, being an EU directive, does not have direct effect, national law is necessary for its implementation.

Moreover, the Act broadens the scope of GDPR standards to encompass processing areas not addressed by the GDPR or LED. It also establishes a distinct data protection framework for the intelligence services.

Structure of the Act

The Act introduces four specific data protection regimes within UK Data Protection law, with each regime designed to regulate personal data processing for a particular type or category of data processing. These four regimes encompass the following processing areas:

  • processing that takes place within the scope of the GDPR;
  • processing that is outside the scope of the GDPR (“applied GDPR”);
  • processing by competent authorities for law enforcement purposes;
  • processing by the intelligence services.

Data Protection Act & GDPR

By aligning with the GDPR, the UK aimed to build a data protection regime at least equivalent to the EU’s, going beyond the adequacy model that the EU imposes on “third” countries, so that personal data could continue to flow freely between the UK and the EU following Brexit.

The GDPR has direct effect in all EU Member States (direct effect means that individuals can invoke an EU law provision, here the GDPR, before a national court to exercise the rights provided in that law[2]). While the UK was a Member State, businesses therefore had to comply with the regulation directly and looked to the GDPR for most of their legal obligations; since the end of the transition period, the same provisions continue to apply in the UK as the UK GDPR, retained in domestic law. The GDPR also gives Member States limited opportunities to make provisions on how it applies in their country, and this opportunity was taken up by the UK Act.

GDPR derogation

There are some notable provisions in the GDPR that allow member states to implement measures that differ from the GDPR. They are referred to as “national derogations”. It’s important to note that these derogations are designed to address specific circumstances and balance the protection of individuals’ data rights with other societal interests.

As noted above, the UK Data Protection Act incorporates the GDPR into UK law, but it also includes some specific derogations and additions. Derogations are instances where a country deviates from certain provisions of the regulation. Some of the most notable are:

National Security and Defense

The DPA includes provisions related to national security and defense, specifying conditions under which certain GDPR provisions may not apply in situations where it could compromise these interests[3].

For example, suppose a company suspects that one of its clients might be using its products to plan a terrorist attack and notifies the security services, passing on the person’s information.

If that person then makes a subject access request under the UK GDPR, the company may withhold any mention of the disclosure to the security services, since revealing it would jeopardise their ability to safeguard national security.

The same applies if the customer asks the company to delete their data (the right to be forgotten). The company will delete the data it holds, but the security services may retain their copy.

Processing for Law Enforcement Purposes

The Act includes provisions addressing the processing of personal data for law enforcement purposes, such as crime prevention and detection. These provisions align with the Law Enforcement Directive (LED), and they contain specific derogations from some GDPR principles in the context of law enforcement.

For example, a police officer wearing a body camera responds to a disturbance following allegations of assault. Witnesses are interviewed at the scene, and their statements are captured on the camera.

The recorded footage is then processed as part of the criminal investigation. This processing falls under the law enforcement regime because it is conducted for the purpose of preventing, investigating, detecting or prosecuting criminal offences.

Immigration Control

The DPA includes provisions related to immigration control, allowing for the processing of personal data for immigration enforcement purposes. This involves derogations from certain GDPR rights and principles[4].

For example, a person whose asylum application has been refused may submit a subject access request to the Home Office in order to obtain their personal data for an appeal. Under the immigration exemption, the Home Office may restrict that access where disclosure would prejudice the maintenance of effective immigration control.

Research, Archiving and Statistical Purposes

The Act contains provisions allowing derogations from some GDPR rights for research and archiving purposes, provided certain safeguards are met. These apply only to three types of activity:

  • Archiving in the public interest;
  • Scientific or historical research;
  • Statistical purposes.

Journalism, Academic, Artistic, or Literary Purposes

The DPA includes specific provisions regarding the processing of personal data for journalistic, academic, artistic, or literary purposes, providing derogations in certain circumstances[5].

Legal Professional Privilege

The Act includes provisions related to legal professional privilege, providing derogations from certain GDPR provisions where personal data consist of information in respect of which legal professional privilege could be claimed.


The UK Data Protection Act plays an essential role in safeguarding individuals’ privacy by regulating the processing of their personal data. Built on principles such as fairness, transparency and accountability, the DPA empowers data subjects by giving them greater control over their personal data.

The Act not only incorporates the essential provisions of the GDPR but also tailors them to the specific situation and needs of the UK, establishing a robust framework for data protection.


Written by

Ted André

Consultant @ CRANIUM


Copyright © RESPONSUM BV