Skip to main content
Cyber Monday

Deal expires in

- Days
:
- Hours
:
- Minutes
:
- Seconds

Get up to 50% off on CookieYes!

Show popup

Privacy Laws

16 min read

A Guide to UK Data Protection Act 2018 [With Infographic]

By Kavya July 12, 2024

Expert reviewed

A Guide to UK Data Protection Act 2018 [With Infographic]

Want to deploy cookie banners across multiple client websites?

Partner with CookieYes →

With the United Kingdom’s exit from the European Union, many businesses across the UK and the world have been left with questions about GDPR compliance in the country. This article will look at the UK Data Protection Act 2018 (DPA) and how it’s different from the EU GDPR. We will also glimpse into the UK GDPR that is now read in conjunction with the DPA 2018.

What is the  UK Data Protection Act 2018?

The UK Data Protection Act 2018 is a comprehensive data protection framework for the UK, which came into force on 25 May 2018 – the same day as the EU General Data Protection Regulation (GDPR). It was amended on 01 January 2021 to reflect the UK’s status outside the EU, after the Brexit. As per the UK Government’s website,

“The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR)”.

The Data Protection Act extends GDPR standards to areas of processing not covered by the GDPR. It also creates four distinct data protection regimes to cover processing in specific areas:  

  • Within the scope of the GDPR  (UK GDPR)
  • Outside the scope of the GDPR 
  • By competent authorities for law enforcement purposes 
  • By the intelligence services

What is the UK GDPR?

UK GDPR is the data protection regime in the UK that came into effect on 1 January 2021, after the Brexit. Following the end of the EU-UK transition period in December 2020, the EU GDPR was incorporated into British domestic data privacy law – the Data Protection Act (2018) to become the UK GDPR. It is defined in section 3(10) of the Data Protection Act 2018 (DPA 2018), supplemented by section 205(4). 

In short, the UK GDPR is the UK’s version of the EU GDPR that lays down key principles and obligations for processing personal data in the UK and provides rights for consumers. 

Which data protection laws apply in the UK?

With effect from 1 January 2021, UK organisations that process domestic personal data must comply with: the UK Data Protection Act 2018 and the UK GDPR. The two pieces of privacy legislation are intended to be read in conjunction with each other. 

The PECR (Privacy and Electronic Communications Regulations) is another law that regulates electronic communication such as marketing messages, website cookies, trackers and sets out privacy rights for users. It is the UK law that implements the EU’s ePrivacy Directive or the EU cookie law. The PECR uses the UK GDPR’s standard of consent.

What are the 7 principles of the Data Protection Act 2018?

The seven principles of the Data Protection Act 2018 for any organisation or business that processes personal data:

  1. Lawfulness, fairness, and transparency

Businesses should be transparent and accurate about their data processing. They should fairly use personal data that is not detrimental to the individuals and respect their data rights.

2. Purpose limitation

Personal data should be collected for a specific purpose, state the purpose before asking for consent from the data subject, and process the data only for that specific purpose. Businesses should not use the data for any other applications.

3. Data minimization

Businesses should ensure that the data collected is adequate, relevant and limited to the intended purpose. This principle curtails organisations from hoarding personal data without a clear purpose.

4. Accuracy

The personal data businesses collect must be accurate, up to date and they should take reasonable steps to erase or rectify data that is inaccurate or incomplete. 

5. Storage limitation

This principle restricts businesses from keeping data for an indefinite time, or beyond that of its intended purpose. Organisations should delete personal data when it’s no longer necessary.

6. Integrity and confidentiality

Data should be processed with appropriate technical or organisational measures and security measures to protect it from unauthorised or unlawful processing, accidental loss, destruction or damage.  Businesses should implement both physical and technological controls to ensure security.

7. Accountability

Businesses should take responsibility for the personal data they process and their compliance with the other principles of data protection. Organizations should be able to prove that their data protection measures are secure and sufficient. 

What is the difference between the GDPR and Data Protection Act 2018?

The UK GDPR and Data Protection Act 2018 interoperate in the United Kingdom. The core definitions from the EU GDPR, such as personal data, controller, processor and the rights of data subjects, legal bases for processing are the same in UK GDPR. However, the Data Protection Act 2018 and UK GDPR differs from the EU GDPR, in some important ways as underlined in the infographic below.

EU GDPR vs UK DPA [Infographic]

EU GDPR vs UK DPA comparison

How to comply with the UK Data Protection Act 2018?

Complying with the UK data protection laws will not be too different from the GDPR compliance in the EU. If you have already taken the necessary steps for your website’s GDPR compliance, you might not have to make significant changes to accommodate the UK laws. 

1. Review the data you collect

Make sure all the data you collect on your website is on lawful grounds and adheres to the principles of the Act. Map out how data is collected on your website, where it is stored and/or transferred and deleted. 

Assess the categories of data (including sensitive categories) you collect and catalogue them. The UK GDPR includes a non-exhaustive list of identifiers as personal data including:

  • Names, emails, phone numbers, location data, including current or previous employee data
  • Display pictures, social media IDs and profile URLs 
  • Online identifiers like cookies and IP addresses, Payment details like bank account number and credit card information

Limit any data processing practices that may not have legal grounds or relevancy. Also, review if any third-party apps collect personal data and their purpose for it.

If you process sensitive categories of personal data, you have to put additional provisions in place. Sensitive categories of data include:

  • Racial or ethnic origin
  • Political opinions, religious or philosophical beliefs 
  • Trade union membership
  • Genetic data, biometric data

For processing such data, you should maintain documentation of the processing activities, implement data protection policies, have written contracts in place with data processors, conduct Data Protection Impact Assessment (DPIA) and appoint a Data Protection Officer (DPO).

2. Obtain consent for collecting data

Like the EU GDPR, the DPA requires websites to obtain explicit consent from the users in the UK to collect their personal data. Be it forms, cookies, emails, or third-party plugins, user consent is crucial to data processing. Use active opt-in methods to obtain consent, such as: 

  • Ticking an opt-in box on website forms
  • Clicking on a ‘accept’ button on a cookie banner
  • Double opt-in for emails

You cannot rely on lack of response, inactivity, pre-ticked boxes, default settings or blanket acceptance as signs of consent. You should also provide easy ways for the individual to opt-out or withdraw consent such as unsubscribe links. 

CookieYes cookie consent solution is feature-packed to support compliance with DPA 2018 and the UK GDPR. User’s consent is key to websites that deploy cookies. As per GDPR, consent should be freely given, specific and unambiguous. 

If you use cookies, you should ask explicit consent for the specific purpose for which the cookies will be used. A cookie consent manager like CookieYes will help you get GDPR-standard cookie consent. 

  • Cookie scanner will detect all cookies and trackers on your website and block third-party scripts until consent is given. 
  • Customizable cookie consent banners allow users to give opt-in consent, manage cookie preferences or withdraw their consent easily
  • The consent log will record all user consents to ensure you have a centralized, retrievable record, for proof of consent. 
  • Multi-language support will help you display auto-translated banners in 30+ languages as per the target user’s language preference.
  • Comply with multiple privacy laws like the EU GDPR, California’s CCPA, Brazil’s  LGPD, CNIL guidelines and other global data privacy regulations. 

Add a custom cookie banner
on your website in minutes

Try for free

14-day free trialCancel anytime

3. Revamp your privacy policy

Add a privacy page to your website that details how you handle the personal data of the users. You must provide a link to the privacy policy page on your homepage for easy access to the visitors. Your privacy policy should primarily:

  • Inform users about the personal data you collect, your purpose for collecting and how you are ensuring that their personal data is protected 
  • Describe the users’ rights under GDPR
  • Be available in a concise, transparent, and accessible form 
  • Be written in clear and plain language
  • Direct users how to access and rectify their data

CookieYes features a Free Privacy Policy Generator that will help you create a custom privacy policy for your website. It generates a privacy policy after collecting your inputs about your business. All you have to do is answer the questions, preview and generate a policy. You can then copy the content in text or HTML and add it to your website. 

FAQ on Data Protection Act 2018

What is the Data Protection Act 2018 summary?

The Data Protection Act 2018 is the data protection framework implemented by the UK in May 2018. It replaced the Data Protection Act 1998 to take into consideration how data is used in the current digital economy and outlines a framework on how data can be lawfully collected, processed and used in the UK. The Data Protection Act 2018 extended the scope of EU GDPR and since Brexit, includes the provisions of UK GDPR.

What is the main purpose of the Data Protection Act 2018?

The two main purposes of the Data Protection Act 2018 is to:

1. Give UK citizens and residents more control of their personal data. Individuals have the right to access, correct, delete and restrict how their personal data is used by businesses.
2. Regulate how businesses process personal data and ensure that data is used lawfully, fairly, and transparently.

Is UK GDPR same as DPA 2018?

The UK GDPR and the Data Protection Act (2018) sets out the framework for data protection law in the UK. After the end of the Brexit transition period, on 31 December 2020, the GDPR has been implemented into English law as the UK GDPR and will be read in conjunction with the Data Protection Act 2018.

Who enforces the UK Data Protection Act?

The Information Commissioner’s Office (ICO) is the UK’s national supervisory authority that enforces and regulates the Data Protection Act 2018 (DPA), as well as the UK GDPR.

What does Brexit mean for GDPR?

With the UK exiting the EU, it is now formally a ‘third country’. After Brexit on 1 January 2019, there was a transition period, during which EU GDPR applied in the UK. The transition period ended on 31 December 2020 and the UK GDPR came into effect on 01 January 2021. Data protection in the UK now falls under the scope of the UK GDPR and Data Protection Act 2018.

Who does UK GDPR apply to?

The UK GDPR applies to all organizations that process the personal data of residents of the UK. It also applies to organisations outside the UK that offer goods or services to residents in the UK.

Does the EU GDPR still apply in the UK? 

Yes. If your business operates in Europe, offers goods or services to consumers in the EU, or monitors EU residents’ behaviour, you should comply with both the EU GDPR and UK GDPR and Data Protection Act 2018.

Does UK GDPR affect data sharing?

EU has adopted ‘adequacy’ decisions in June 2021, allowing the sharing of personal data to the UK. This means UK businesses and organisations can continue to receive personal data from the EU and EEA without additional arrangements in place. The UK had already recognised the EU and EEA member states as ‘adequate’ for data transfers.

Kavya

Kavya is a content designer who works across marketing, and product to create simple, user-first content. She brings expertise in long-form content, UX writing, and copywriting for B2C and B2B brands. In her downtime, she’s probably watching re-runs of mobster dramas and baking.

Keep reading

Featured image of Best Black Friday & Cyber Monday SaaS Deals for 2024

Best Black Friday & Cyber Monday SaaS Deals for 2024

Here are our top picks for Black Friday and Cyber Monday SaaS deals for 2024. Grab them before they expire and save big!

Read more
Featured image of 10 Must-Have Clauses in Your Data Processing Agreement

Privacy Laws

10 Must-Have Clauses in Your Data Processing Agreement

Establish a strong and effective controller-processor relationship by incorporating these key clauses into your Data Processing Agreement.

Read more
Featured image of What Is Consent-Based Marketing? Benefits, Strategies & More

Consent

What Is Consent-Based Marketing? Benefits, Strategies & More

Consent-based marketing more than just ticking boxes— it's about building a privacy-first, user-centric strategy that respects user preferences. Let’s explore what it is, how it works, & why it’s essential.

Read more

Show all articles