Difference between Data Protection Act 1998 and 2018

Are Companies Storing Your Data To Comply With The General Data Protection Regulation (GDPR)?

Over the past one to three months (more specifically, the past one to three weeks), we have received a considerable number of letters and emails, all asking us to make several modifications to our organisation’s privacy policies so that we can be considered compliant with GDPR. Everyone has been worrying about what the General Data Protection Regulation (GDPR) requires and how to comply with it.

“The Data Protection Act 1998 and 2018, until the GDPR came into effect on the 25th of May 2018, formed the basis for the UK law governing how personal data is processed, stored and protected by organisations, businesses and even the government.”

Data subject access requests

Data Subject Access Requests (DSAR) are one of the data subject rights conferred under the General Data Protection Regulation (GDPR).

Controllers with access to this data followed somewhat strict rules known as the ‘data protection principles’, meaning they had to ensure the information they held was:

  • used fairly and lawfully
  • utilised for limited, expressly stated purposes
  • adequately used, relevant and not excessive
  • accurate
  • kept for no longer than is necessary
  • handled according to people’s data protection rights
  • kept safe and secure
  • not transferred outside the EEA without adequate protection

There was especially stringent legal protection for sensitive information, such as:

  • ethnic background
  • political opinions
  • religious beliefs
  • health
  • sexual health
  • criminal records

Data Protection Act 1998

If the Data Protection Act 1998 was influential in safeguarding citizens’ personal information, why has the General Data Protection Regulation (GDPR) been introduced, and why is every company so serious about complying with it?

“Possibly, because many corporate giants are misusing personal information in light of recent advancements and developments with the widespread use of digital technology. Therefore, the Data Protection Act 1998 failed to provide a useful safeguarding measure for personal data in the digital age.”

Data Protection Act 2018

We live in a data-centric world: every interaction, everything we search for, buy or even post on social media, is processed and stored by organisations to target and tailor the specific advertisements you see across your Facebook page or even Instagram. Surprised?

Well, while this may make life easier, more convenient and more connected, are people aware of exactly what their data is being used for apart from these adverts? It could also be sold to third parties without their knowledge or consent. This is why the GDPR came into effect.

“The Data Protection Act 2018 and then the GDPR ensure that this personal data is used properly and legally in the digital age. Organisations cannot circumvent the previous Data Protection Act and Directive, by placing specific legal obligations on organisations making them severely liable for any breaches.”

It builds upon the Data Protection Act 1998 by obliging organisations to be more transparent and accountable, placing limits on storage and strengthening confidentiality. Additionally, both the GDPR and the Data Protection Act 2018 emphasise the importance of the rights available to citizens, such as access, being informed, rectification, data portability, restriction of processing, and objection.

The Data Protection Act 2018 differs from the Data Protection Act 1998 in many ways. The DPA as revised in 2018 addresses contemporary issues in the cyber world and the digital age; it is essentially an update reflecting the way technology has affected data collection, data use and storage. These updates also extend the right to privacy of individuals on a clearer and deeper level than before.

Key changes

The key changes between the Data Protection Act of 2018 and the Data Protection Act of 1998 are:

  • The identification of a right to erasure stemming from the right to privacy of individuals
  • Introduction of greater exemptions within this law
  • Implementation of the GDPR in the UK
  • A requirement that organisations processing personal data implement all principles of the GDPR audit

Here is a brief analysis of the data protection law of 2018 as compared to the older one:

  • Better understanding and relevance as compared to the 1998 law
  • Clarifies exemptions
  • Improves coverage of all major aspects of data privacy rights for an individual
  • Compliance may require training or expert advice

What does the UK Data Protection Act (DPA) say about managing privacy?

The United Kingdom’s DPA is a domestic law initially passed in 1988 that governs how personal data and other information are managed in the UK. This data privacy regulation was updated in 1998 and replaced on May 25, 2018, with the UK DPA 2018.

The basic concepts covered in the Data Protection Act include:

  • People have a fundamental right to privacy
  • People have a right to find out what information about them is collected and stored by the government and other organisations.
  • Organisations that collect information must build trust by managing privacy correctly.
  • Personal data must not be collected or used for any purpose other than the explicit purpose that an individual consented to: only specified and legitimate purposes, consented to voluntarily and explicitly, and those purposes must be fair, just, transparent and legitimate.
  • Records relating to individuals must be correct and, wherever appropriate, kept up to date; they must only be kept for as long as necessary.
  • Organisations that collect data must follow the rules relating to privacy management, including protecting the data against unauthorised or unlawful access or processing and against loss, damage or destruction.
  • Organisations must be cautious about how they handle sensitive personal information.

Does the Data Protection Act 2018 replace the Data Protection Act 1998?

The UK’s Data Protection Act 2018 transposes the EU GDPR into UK law. The Data Protection Act 1998 is an earlier version of the EU GDPR. There are some differences between the two Acts. For instance, the right to erasure, conferred on EU individuals under their right to privacy, is defined differently in the two pieces of legislation.

The DPA 2018 allows greater scope for exemptions to the law than its 1998 predecessor. Furthermore, the DPA 2018 obliges companies to conduct a GDPR audit.

Will GDPR become irrelevant after Brexit?

While the GDPR replaces the previous EU directive and applies as a regulation, it is significant because it governs the processing of EU citizens’ data by companies outside the EU as well as within it. The DPA 2018 therefore enshrines the GDPR in British law and also covers data processing that does not fall under EU law, adjusting the standards to accommodate and work in the national context.

The ICO eagerly welcomed the Data Protection Act 2018. It believes it will “give the UK one of the world’s most progressive data protection regimes.” Rightly so: it is a landmark that will shape the future of data confidentiality by preventing identity theft and data exploitation by corporate giants and by entrenching human rights.

Differences between Data Protection Act 1998 and GDPR

If companies have to follow both the GDPR and the Data Protection Act 1998, they should be aware of a few main differences, which are:

Geographic reach

  • GDPR applies to data processing by organisations operating within the EU.
  • GDPR also applies to organisations outside the EU that offer services or goods to individuals in the EU.
  • The Data Protection Act 1998 applies only to data processing by organisations operating within the UK.

Data protection

  • GDPR mandates organisations with over 250 employees or firms processing more than 5,000 subject profiles annually to appoint a dedicated Data Protection Officer.
  • Companies must demonstrate “data protection by design” measures to comply with GDPR.
  • This means considering privacy and data protection issues at the design phase of any system, service, product, or process.
  • Companies must continue considering these issues throughout the entire lifecycle.

Consent policies

  • One of the defining differences between GDPR and the Data Protection Act 1998 is the consent rules.
  • Data collection under the Data Protection Act does not necessarily need an opt-in.
  • GDPR requires clear privacy notices.
  • This ensures consumers can make an informed decision about consenting to their data being stored and used.

Accountability

  • GDPR places a much greater focus on accountability than the Data Protection Act.
  • Organisations must prove they comply with the regulation.
  • Companies must commit to mandatory activities such as:
  1. Conducting data audits
  2. Providing staff training
  3. Keeping detailed documentation of how they collect, store, and process data

New consumer rights

Under GDPR, consumers have been given substantial new rights:

  • The right to be forgotten
  • The right to object to automated decision-making
  • Data portability rights


The Data Protection Act 1998 differs from the Data Protection Act 2018 because of changes in technology and the much-needed additions. The latter includes many new principles and provisions for individuals and their security both online and offline, such as the right to erasure, the right to access data, and added web safety for individuals. The Data Protection Act 1998 did not take into account the use of web cookies and similar technologies, for example, which this revision does.