Data Protection Act 2018 Explained: A Plain-English Guide for UK Organisations
Henry Dawson
Jun 15, 2026
13 min read

The Data Protection Act 2018 UK framework is one of the most important pieces of legislation for organisations that handle personal data. It works alongside the UK General Data Protection Regulation (UK GDPR) and sets out UK-specific rules for how personal information should be used, protected and regulated. For HR managers, office administrators and compliance beginners, understanding the Act helps make sense of everyday responsibilities such as managing employee records, handling customer information, responding to access requests and protecting sensitive data.

This guide provides a plain-English Data Protection Act 2018 summary for UK organisations. It explains what the Act does, how it relates to UK GDPR, which areas matter most in day-to-day compliance, and where the Information Commissioner’s Office (ICO) fits in.

If you are still building your foundation in UK data protection law, it may help to first read our UK GDPR guide. That pillar article explains the wider UK GDPR framework, core principles, scope and compliance duties.

What Is the Data Protection Act 2018?

The Data Protection Act 2018, often shortened to DPA 2018, is UK legislation that controls how personal data is processed. It replaced the Data Protection Act 1998 and modernised UK data protection law for the GDPR era.

In simple terms, the DPA 2018 does three main things:

  • It supplements UK GDPR for general personal data processing.
  • It creates separate rules for law enforcement and intelligence services processing.
  • It gives the ICO powers to regulate, investigate and enforce data protection law in the UK.

Personal data means information that relates to an identified or identifiable living person. This can include names, addresses, email addresses, payroll details, HR records, identification numbers, customer profiles, CCTV footage and online identifiers.

The Act is important because UK GDPR does not cover every detail by itself. UK GDPR provides the main framework for general processing, but the DPA 2018 fills in UK-specific rules and exceptions. For example, it includes conditions for processing certain types of sensitive data, rules on exemptions, and provisions on the ICO’s role.

For most businesses, charities and employers, the DPA 2018 matters because it affects practical compliance tasks such as:

  • processing employee health data;
  • handling criminal offence information;
  • applying exemptions carefully;
  • responding to data subject access requests;
  • managing retention and confidentiality;
  • paying the ICO data protection fee where required;
  • demonstrating accountability.

A useful way to think about it is this: UK GDPR gives the main principles and rights, while the DPA 2018 explains how those rules operate in the UK context.

How Does It Relate to UK GDPR?

The relationship between the DPA 2018 and UK GDPR is central to understanding UK data protection law. Many people ask about the DPA versus UK GDPR, but it is not really a case of one replacing the other. They work together.

UK GDPR sets out the main rules for general processing of personal data. This includes the seven data protection principles, lawful bases for processing, individual rights, controller and processor duties, security obligations and breach reporting requirements.

The DPA 2018 supplements UK GDPR by adding UK-specific detail. It also covers areas that sit outside the general UK GDPR framework, including law enforcement and intelligence services processing.

For example, UK GDPR says that special category data, such as health information, racial or ethnic origin, religious beliefs, trade union membership and biometric data used for identification, needs extra protection. The DPA 2018 then provides additional conditions that may allow this type of data to be processed in specific UK contexts.

In HR, this matters because employers often handle special category data. Sickness records, occupational health reports, disability adjustment information and diversity monitoring data may all fall into this area. Employers need both a UK GDPR lawful basis and, where special category data is involved, an additional condition under UK GDPR and the DPA 2018.

For beginners, the relationship can be summarised like this:

  • UK GDPR explains the main data protection duties.
  • DPA 2018 adapts and supplements those duties for the UK.
  • ICO guidance on the DPA 2018 helps organisations understand how the law should be applied in practice.

This is why compliance documents often refer to both UK GDPR and the Data Protection Act 2018. A privacy notice, data protection policy, retention schedule or data subject access request procedure may need to reflect both.

If your organisation needs structured support, data protection training for UK organisations can help staff understand how UK GDPR and the DPA 2018 work together in everyday roles.

Key Provisions of the DPA 2018

The DPA 2018 is a detailed Act, but compliance beginners do not need to memorise every section. It is more useful to understand the main parts and how they affect organisational responsibilities.

Part 2: General Processing

Part 2 is the most relevant part for most UK businesses, employers, charities and public bodies. It applies to general processing of personal data and works alongside UK GDPR.

This part deals with areas such as:

  • applying UK GDPR in the UK;
  • special categories of personal data;
  • criminal offence data;
  • children’s data;
  • exemptions and restrictions;
  • individual rights;
  • controller and processor responsibilities.

For day-to-day business compliance, Part 2 is where most practical issues arise. For example, an HR team processing employee sickness records may need to consider the UK GDPR principles, a lawful basis for processing, special category data rules and DPA 2018 conditions.

Part 3: Law Enforcement Processing

Part 3 applies to competent authorities processing personal data for law enforcement purposes. This includes activities such as the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties.

Most ordinary businesses will not process data under Part 3. However, it may be relevant to policing bodies, certain public authorities and organisations with formal law enforcement functions.

A private employer carrying out routine employment checks or workplace investigations would usually be operating under UK GDPR and Part 2, not Part 3, unless it has a specific law enforcement role.

Part 4: Intelligence Services Processing

Part 4 applies to processing by the intelligence services. This is a specialist area and is not usually relevant to SMEs, HR teams or office administrators.

It exists because intelligence services need a separate data protection framework due to the nature of their work. For most organisations, it is enough to know that the DPA 2018 contains this separate regime, but it will not normally apply to everyday business processing.

Schedule 1: Special Category and Criminal Offence Data

Schedule 1 is particularly important for HR, recruitment, safeguarding, financial services, healthcare and other organisations that handle sensitive information.

It provides conditions for processing special category data and criminal offence data in certain circumstances. These may include employment, social security and social protection, substantial public interest conditions, health and social care purposes, equality monitoring, safeguarding, preventing fraud and other specific situations.

For example, an employer may need to process health data to manage statutory sick pay, reasonable adjustments or workplace health and safety. In that case, the employer must identify the appropriate UK GDPR lawful basis and the relevant special category condition.

In some cases, the organisation may also need an appropriate policy document. This document explains how the organisation complies with data protection principles and how long it keeps the data.

The key point is that sensitive data should never be processed casually. Organisations should know what type of data they hold, why they hold it, which lawful basis and condition apply, who can access it, and how it is protected.

Important Exemptions Under the DPA 2018

The DPA 2018 includes exemptions that can limit certain data protection duties in specific circumstances. These exemptions should be used carefully. They are not a general excuse to ignore UK GDPR or refuse individual rights requests.

ICO guidance explains that exemptions may affect duties such as the right to be informed, the right of access, other individual rights, breach reporting and compliance with certain principles. However, whether an exemption applies depends on the facts.

Important exemptions include areas such as:

  • national security and defence;
  • crime and taxation;
  • legal professional privilege;
  • management information;
  • negotiations;
  • confidential references;
  • journalism, academic, artistic and literary purposes;
  • research and statistics;
  • regulatory functions.

National Security and Defence

The national security and defence exemption may apply where personal data is processed for national security purposes. This is not usually relevant to ordinary SMEs, but it is important in the wider UK data protection framework.

Organisations should not assume this exemption applies simply because data is sensitive or confidential. It has a specific purpose and should be interpreted carefully.

Journalism and Freedom of Expression

The DPA 2018 includes exemptions linked to journalism, academic, artistic and literary purposes. These are designed to balance data protection rights with freedom of expression.

For example, journalistic processing may sometimes be exempt from certain UK GDPR requirements where conditions are met and publication is in the public interest. This area can be complex, so organisations involved in media, publishing or investigations should seek specialist guidance.

Crime, Taxation and Regulatory Functions

Some exemptions exist where applying normal data protection rights could prejudice crime prevention, taxation, regulatory action or legal proceedings. For example, an organisation may not always have to disclose information in response to a data subject access request if doing so would prejudice an active investigation.

However, exemptions must be applied narrowly and documented. A business should be able to explain which exemption it relied on, why it applied, and which parts of the request or duty were affected.

For HR and office administrators, the main message is simple: do not refuse a request or withhold information just because it feels difficult or sensitive. Escalate the issue to the person responsible for data protection and record the decision-making process.

What the ICO Oversees Under the DPA 2018

The Information Commissioner’s Office is the UK regulator responsible for data protection and other information rights legislation. Under the DPA 2018, the ICO has powers to support, monitor and enforce compliance.

The ICO’s role includes:

  • publishing guidance for organisations;
  • maintaining the register of fee payers;
  • handling complaints from individuals;
  • conducting investigations;
  • issuing information notices, assessment notices and enforcement notices;
  • issuing reprimands and monetary penalties where appropriate;
  • promoting good practice and accountability.

For most UK organisations, one practical ICO-related duty is the data protection fee. Organisations, including sole traders, that use personal information usually need to pay a data protection fee to the ICO unless they are exempt. The fee depends on factors such as size, turnover and organisation type.

This is sometimes called “ICO registration”, although the current system is mainly based on paying the data protection fee and being listed on the public register of fee payers.

The ICO also provides guidance on topics such as:

  • lawful basis for processing;
  • data protection principles;
  • individual rights;
  • security;
  • data sharing;
  • direct marketing;
  • employment practices;
  • children’s data;
  • artificial intelligence;
  • international transfers;
  • data protection impact assessments.

For compliance beginners, ICO guidance is often the best first reference point because it explains what the regulator expects in practical terms. However, guidance does not remove the need for organisations to understand their own data, risks and responsibilities.

Practical Steps for UK Organisations

The DPA 2018 affects day-to-day compliance because it shapes how organisations handle sensitive data, apply exemptions, engage with the ICO and demonstrate accountability.

UK organisations can take several practical steps.

1. Map the personal data you hold

Start by identifying what personal data your organisation collects, where it is stored, who uses it, who it is shared with and how long it is kept. Include employee data, customer data, supplier contacts, website enquiries, CCTV, marketing lists and archived records.

2. Identify sensitive and higher-risk data

Pay particular attention to special category data and criminal offence data. HR teams should review sickness records, occupational health reports, equality monitoring data, disciplinary files, background checks and safeguarding information.

3. Check lawful bases and DPA 2018 conditions

For each processing activity, identify the UK GDPR lawful basis. If special category or criminal offence data is involved, check whether an additional condition under UK GDPR and the DPA 2018 is required.

4. Review privacy notices

Privacy notices should explain how personal data is used in clear language. Employees, applicants, customers and service users should be able to understand what data you collect, why you use it, who you share it with and what rights they have.

5. Create or update retention schedules

A retention schedule helps prevent personal data being kept indefinitely. It should explain how long different records are kept and the reason for each retention period.

6. Check ICO fee requirements

Use the ICO’s guidance to check whether your organisation needs to pay the data protection fee. Many organisations that process personal data need to pay unless an exemption applies.

7. Train staff

Training helps staff understand how UK GDPR and the DPA 2018 apply to their roles. HR teams, administrators, managers and customer-facing staff should know how to handle personal data securely, recognise data subject requests and report potential breaches.

Our GDPR Essentials for UK Businesses course is a practical starting point for teams that need to understand UK data protection law without unnecessary complexity.

8. Document key decisions

Accountability is central to UK data protection law. Keep records of lawful basis decisions, special category conditions, retention rules, supplier checks, training completion, breach assessments and exemptions relied on.

9. Review suppliers and processors

If suppliers process personal data for your organisation, check that written contracts are in place and that responsibilities are clear. This includes payroll providers, HR platforms, cloud software, IT support and marketing tools.

10. Keep compliance under review

Data protection compliance is not a one-off task. Review your processes when systems, suppliers, services, staff roles or legal requirements change. In 2026, this is especially important as organisations use more cloud platforms, automation and artificial intelligence tools.

For a wider compliance pathway, explore our data protection training for UK organisations, which supports teams in understanding the practical responsibilities created by UK GDPR and the DPA 2018.

FAQs

What is the main purpose of the Data Protection Act 2018?

The main purpose of the Data Protection Act 2018 is to set out the UK’s data protection framework and supplement UK GDPR. It provides UK-specific rules on personal data processing, special category data, law enforcement processing, intelligence services processing, exemptions and the powers of the ICO.

Is the DPA 2018 still in force after Brexit?

Yes, the DPA 2018 is still in force after Brexit. It continues to operate alongside UK GDPR as a key part of UK data protection law.

Does my business need to register with the ICO under the DPA 2018?

Many organisations that process personal data need to pay a data protection fee to the ICO unless they are exempt. This is often referred to as ICO registration, and businesses should check the ICO’s guidance to confirm whether the fee applies.

How does the DPA 2018 differ from the 1998 Act?

The DPA 2018 replaced the Data Protection Act 1998 and updated UK law for the GDPR framework. It introduced stronger accountability expectations, modernised individual rights and added detailed provisions for areas such as law enforcement processing, intelligence services and special category data.

What are the DPA 2018 exemptions?

The DPA 2018 includes exemptions that may limit certain data protection duties in specific circumstances, such as national security, crime and taxation, legal privilege, journalism, research and regulatory functions. Exemptions must be applied carefully and should be documented rather than used as a blanket reason to ignore data protection rights.

Ensure your team understands UK data protection law — explore our GDPR Essentials for UK Businesses course and start building confident, practical compliance across your organisation.
