The new Data Protection Act 2018 

After nearly a year of debate and consultation, the new Data Protection Act received Royal Assent on the 23rd of May 2018, two days before the GDPR went into force.

It has been 20 years since the last Data Protection Act was passed, and the new Act comes at a time when the UK is facing many challenges and changes: not only the recent implementation of the GDPR, which a lot of businesses weren’t ready for, but also Brexit.

The old Data Protection Act failed to account for today’s internet and digital technologies, social media and big data. Modern technology has invaded our lives and the digital world has transformed every aspect of our existence.

The GDPR and the Data Protection Act 2018 are here to help protect us on and offline. Their implementation gives the UK one of the world’s most progressive data protection regimes.

The ICO’s Information Commissioner, Elizabeth Denham, said: “Governed by these laws, organisations will have the incentive and the opportunity to put people at the heart of their data services. Being fair, clear and accountable to their customers and employees, organisations large and small will be able to innovate with the confidence that they are building deeper digital trust.”

How is the Data Protection Act different from the GDPR?

The Act is a complete data protection system: as well as governing general data covered by the GDPR, it covers all other general data, law enforcement data and national security data. In addition, the Act exercises a number of agreed modifications to the GDPR to make it work for the benefit of the UK in areas such as academic research, financial services and child protection.

The new Data Protection Act and the GDPR are here to empower people to take control of their data. They are here to support businesses and organisations, to protect them and their customers.

The key thing is that the GDPR and the Data Protection Act will help us be stronger when we leave the EU.

The Digital, Culture, Media & Sport Secretary of State, Matt Hancock, said: “The Data Protection Act gives people more control over their data, supports businesses in their use of data, and prepares Britain for Brexit. In the digital world strong cybersecurity and data protection go hand in hand. The 2018 Act is a key component of our work to secure personal information online.”

What will the new Data Protection Act do for us?

  • Provides a comprehensive and modern framework for data protection in the UK, with stronger sanctions for malpractice
  • Sets new standards for protecting general data, in accordance with the GDPR, giving people more control over the use of their data, and providing them with new rights to move or delete personal data
  • Preserves existing tailored exemptions that have worked well in the Data Protection Act 1998, ensuring that UK businesses and organisations can continue to support world leading research, financial services, journalism and legal services
  • Provides a bespoke framework tailored to the needs of our criminal justice agencies and the intelligence services, to protect the rights of victims, witnesses and suspects while ensuring we can tackle the changing nature of the global threats the UK faces


The main elements of the new Data Protection Act are:

General data processing

  • Implements GDPR standards across all general data processing
  • Provides clarity on the definitions used in the GDPR in the UK context
  • Ensures that sensitive health, social care and education data can continue to be processed while making sure that confidentiality in health and safeguarding situations is maintained
  • Provides appropriate restrictions to rights to access and delete data to allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes
  • Sets the age from which parental consent is not needed to process data online at age 13, supported by a new age-appropriate design code enforced by the Information Commissioner.

Law enforcement processing

  • Provides a bespoke regime for the processing of personal data by the police, prosecutors and other criminal justice agencies for law enforcement purposes.
  • Allows the unhindered flow of data internationally whilst providing safeguards to protect personal data.

Intelligence services processing

  • Ensures that the laws governing the processing of personal data by the intelligence services remain up-to-date and in-line with modernised international standards, including appropriate safeguards with which the intelligence community can continue to tackle existing, new and emerging national security threats.

Regulation and enforcement

  • Enacts additional powers for the Information Commissioner who will continue to regulate and enforce data protection laws
  • Allows the Commissioner to levy higher administrative fines on data controllers and processors for the most serious data breaches, up to £17m (€20m) or 4% of global turnover for the most serious breaches
  • Empowers the Commissioner to bring criminal proceedings against offences where a data controller or processor alters records with intent to prevent disclosure following a subject access request

Read the full Data Protection Act here. 

Be.Privacy, which is our original UK-centric data protection training product, is currently being updated.

Do not forget that the majority of the Data Protection Act 2018 brings into UK law the EU General Data Protection Regulation, which is covered by be.GDPR training.

As we have detailed in this article, there are specific UK-centric additions, for which we are creating great training scenarios in be.Privacy, and also giving you more best practice advice and detailing the effect of changes to other UK laws enhanced by the DPA2018.

The Data Protection Act 2018 is not the end of the data protection journey; we are just at the beginning. be.Infoready.

Adrian McGarry

