GDPR and Data Protection Act 2018

DPA 2018 introduction

The Data Protection Act 2018 is a response to a developing digital age in which the amount of data being processed is increasing. It provides a more comprehensive legal framework than the Data Protection Act 1998, one that can be exercised and implemented with relative ease. The Data Protection Act 2018 looks to implement the guidelines set out in the General Data Protection Regulation (GDPR) in accordance with the modernised Convention 108 adopted on 18 May 2018. Furthermore, the Data Protection Act 2018 focuses on the following four areas:

  • General Data Processing
  • Law Enforcement Data Processing
  • Data Processing by the intelligence services
  • Regulatory oversight and enforcement

It is also important to understand that, while the DPA 2018 is set out according to EU regulations, the Act will remain in place because it will be incorporated into the UK’s domestic law under the European Union Withdrawal Bill. This is significant as it would essentially allow the free flow of data that is vital for future trading relationships post-Brexit, as outlined by the Government in ‘The exchange and protection of personal data – a future partnership paper’.

Data Protection Officer

GDPR and Data Protection Act 1998

The GDPR carries over the eight data protection principles set out in the Data Protection Act 1998 and adds a further principle of accountability. The principles are as follows:

  • Lawfulness – both the Data Protection Act 1998 and the GDPR emphasize that personal data is to be processed fairly and lawfully, while the GDPR adds an extra provision that personal data be processed transparently in relation to the data subject.
  • Purpose – both the Data Protection Act 1998 and the GDPR state that personal data is obtained for specified, lawful purposes; any processing beyond the specified purpose is a violation of both.
  • Minimization – both the GDPR and the DPA 1998 require that the data collected be adequate, relevant and not excessive.
  • Accuracy – both the DPA 1998 and the GDPR require that data be accurate and kept up to date, with the GDPR further clarifying that reasonable steps must be taken to erase or rectify inaccurate data.
  • Retention – the DPA 1998 states that personal data shall not be kept for longer than is necessary, whereas the GDPR adds a provision under which personal data may be stored for longer periods provided this is solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
  • Access – while the GDPR has no equivalent principle, the DPA 1998 states that personal data shall be processed in accordance with the rights of data subjects.
  • Security – both the DPA 1998 and the GDPR require that appropriate measures, whether technical or organizational, be taken against unauthorized or unlawful processing of personal data and against accidental loss of personal data.
  • Overseas transfer – while the GDPR has no equivalent principle, the DPA 1998 states that data shall not be transferred outside the European Economic Area unless the receiving country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  • Accountability – under the DPA 1998 there was no principle of accountability. It is established only by the GDPR, which states that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.

GDPR and Data Protection Act 2018 (Key differences)

While the Data Protection Act 2018 essentially translates the data processing standards set by the GDPR, the GDPR makes no mention of regulations surrounding data processing by law enforcement or the intelligence services. Instead, the DPA 2018 implements the Law Enforcement Directive (EU) 2016/680 into UK law. According to the Law Enforcement Directive, any public authority responsible for preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, including safeguarding against and preventing threats to public safety, is a competent authority for the purposes of processing personal data.


Although the GDPR does not specifically address law enforcement data processing, it may be argued that relying exclusively on the Law Enforcement Directive’s requirements for such processing would be exceedingly risky. Thus, the Law Enforcement Directive as set out in the DPA 2018 interacts with the principles of the GDPR, which also cover other purposes within law enforcement agencies such as internal personnel management and human resources management.

Processing of personal data for national security purposes by the relevant security agencies is not within the scope of the GDPR or the Law Enforcement Directive. It does, however, comply with the standards of the modernised Convention 108, bringing data processing by the intelligence services in line with future international standards. In addition, under the DPA 2018 the intelligence services’ data processing is exempt from the standards set by the GDPR, as was the case under the DPA 1998. Instead, it complies with standards established in domestic law, such as the Investigatory Powers Act 2016, which provides for agency-specific warrants. The Investigatory Powers Act 2016 also creates a series of offences for the misuse of data within an agency.

Public interests

Data processing for the purpose of serving the public interest is where the Data Protection Act 2018 varies from the guidelines set by the GDPR. Under special circumstances, the GDPR allows domestic law to determine the processing of special categories of data. This would involve data regarding criminal convictions, the pricing of risk in financial services and the operation of anti-doping programmes in sport.

Data Protection Officer

Additional rules from the 1998 Data Protection Act are carried over, although they fall short of the requirements of the GDPR. For example, they limit individuals’ rights while investigations into their behaviour are ongoing where doing so would be advantageous. Section 29(1) of the 1998 Act, for instance, enabled Her Majesty’s Revenue and Customs (“HMRC”) to withhold certain personal data, on a case by case basis, from an individual customer who submitted a subject access request, if providing that personal data would be likely to prejudice specified crime and taxation purposes.

DPA 2018

The 2018 Act makes equivalent provision. Another way in which the DPA 2018 differs from the GDPR is that it elaborates extra provisions on the principles outlined in the GDPR. The DPA 2018 contains a clause stating that research organisations and archiving services are free from certain GDPR compliance requirements. The Data Protection Act 2018 further gives the Secretary of State the power to make further exemptions, which may involve restricting the individual rights set out in the GDPR in order to protect the public interest.

Data Protection Act 1998 and the Data Protection Act 2018

There is continuity between the Data Protection Act 1998 and the Data Protection Act 2018. The Data Protection Act 2018 is a revision of the Data Protection Act 1998 to ensure that the standards set by the GDPR are met.

However, there are important revisions. The DPA 1998 did not set a minimum age at which a child can consent to data processing. The GDPR allows the UK to set a minimum age of 13, which the DPA 2018 adopts for such data processing. There is also continuity between the Data Protection Act 1998 and the Data Protection Act 2018 when it comes to automated data processing. This is a type of processing in which there is no human intervention, as is the case when data collected about an individual’s finances is then processed by an algorithm to decide creditworthiness. The GDPR requires additional safeguards to give individuals the right not to be subject to a decision based solely on automated processing.

ICO and Data Protection Act 2018

The Information Commissioner oversees the enforcement of the Data Protection Act 2018. The powers given to the Commissioner include the ability to investigate and sanction data protection breaches and, over recent years, to issue a civil monetary penalty notice of up to £500,000 for the more serious breaches. The GDPR adopts a zero-tolerance policy for the more serious breaches, giving the Commissioner the power to impose fines of up to £17 million or 4% of turnover in the most serious cases. However, the Commissioner does not have free rein over the process. The DPA 2018 also reintroduces many of the criminal offences of the DPA 1998, altered to comply with the standards set by the GDPR, and introduces a small number of new offences to deal with emerging threats.

ePrivacy and Data Protection 2018

The implementation of the Data Protection Act 2018 has enhanced ePrivacy by giving individuals more control over their data. The individual has the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling. Despite the fact that ePrivacy has been enhanced by the expansion of individual rights, the Data Protection Act 2018 is insufficient. Government agencies are ultimately excluded from the GDPR’s criteria, as the GDPR does not include measures addressing law enforcement and the intelligence services. This suggests that ePrivacy is still weak, because the government can obstruct it in the name of the “public interest.”


The Data Protection Act 2018 is the result of a series of events that led the European Union to rethink its data processing laws in the form of the GDPR, which in turn led to the introduction of the Data Protection Act 2018 and the modernisation of UK data processing law. Ultimately, the Data Protection Act 2018 is a revised version of the Data Protection Act 1998, adding provisions that give the individual greater control over personal data and ensuring that the Commissioner has greater powers to hold controllers accountable by increasing the power to impose fines for serious breaches. The Data Protection Act 2018 also modernises the legal framework for data processing, in the form of the modernised Convention 108, which ensures that data processing standards are in line with international standards.