Overview
The Data Protection Act 2018 is the United Kingdom's primary statute for the protection of personal information. It modernised and replaced earlier legislation to reflect developments in technology and data processing and to implement key elements of the EU General Data Protection Regulation. The Act regulates how personal data about living individuals may be collected, stored, used and shared by organisations and public bodies.
Scope and key principles
The Act applies to information that identifies, or could identify, a living person and covers data held electronically and certain structured manual records. Its core principles require that personal data be processed lawfully, fairly and transparently; collected for specified purposes; adequate, relevant and limited; accurate and kept up to date; stored no longer than necessary; and processed in a way that ensures appropriate security.
Rights of individuals
People whose data is processed—known as data subjects—are granted statutory rights. These include the right to access personal data, request correction or deletion, restrict or object to processing, and in many cases obtain a copy of their data in a portable format. The Act also recognises heightened protections for sensitive or "special category" data such as health records, racial or ethnic origin, political opinions and similar information.
Duties, lawful bases and roles
Organisations that determine purposes and means of processing are called data controllers; those that process data on controllers' behalf are processors. Processing must rest on a lawful basis such as consent, contract performance, compliance with a legal duty, protection of vital interests, carrying out public functions or legitimate interests. Some controllers are required to appoint a Data Protection Officer or maintain records of processing activities.
Enforcement, exemptions and practical effects
The Information Commissioner's Office provides guidance and enforces compliance, investigating breaches and issuing penalties where appropriate. The Act includes specific exemptions for areas such as national security, crime prevention and certain journalistic, artistic or literary purposes. Its provisions affect everyday activities from employee record keeping to marketing, and require organisations to consider privacy at the design stage.
Legislative context and further guidance
The Data Protection Act 2018 was enacted to bring domestic law into alignment with contemporary standards and international obligations. For official legislative texts and explanatory notes, consult the government's published resources and the text of the statute on the legislation site. Practical guidance for organisations and individuals about data handling and rights is available in the regulator's guidance, along with guidance on technical storage considerations.
- Terminology: data subject, data controller, data processor.
- Important concepts: lawful basis, privacy by design, special category data.
- Where to get help: the national data protection regulator and the official guidance referenced above.