Data Protection Act 2018 vs UK GDPR: What's the Difference?
Two laws, one framework — and most UK businesses can't say exactly where one ends and the other begins. This guide breaks down what the Data Protection Act 2018 and UK GDPR each actually cover, where they overlap, and what's changed now that the Data (Use and Access) Act 2025 has rewritten parts of both.
E
Eleanor Whitcombe
Jul 06, 2026
9 min read
Illustration of two overlapping legal document icons representing the Data Protection Act 2018 and UK GDPR working together as a combined framework

If you've searched for "Data Protection Act 2018 vs UK GDPR," you've probably hit the same wall most people do: two laws, overlapping names, and no obvious explanation of which one you're actually supposed to follow. The short answer is that you need to follow both — but understanding why makes compliance far less confusing.

This guide breaks down what each law actually does, where they overlap, and where the differences matter for your business.

If you want the fuller picture of your obligations under either law individually, we've got standalone guides to each — start with our UK GDPR guide for UK businesses in 2026.

Why the UK Has Two Overlapping Data Protection Laws

The Data Protection Act 2018 (DPA 2018) and UK GDPR aren't rival laws competing for your attention — they were designed to work as a pair.

When the EU's General Data Protection Regulation came into force in 2018, the UK needed domestic legislation to sit alongside it, filling in areas the EU regulation deliberately left to member states. That's what the DPA 2018 did. It didn't duplicate the GDPR; it complemented it, covering things like law enforcement processing, national security, and UK-specific exemptions.

Then Brexit happened. The EU GDPR technically stopped applying to the UK, so the government copied it into domestic law almost word for word, creating "UK GDPR." The DPA 2018 was amended to keep working alongside this new UK version rather than the original EU one.

The result: two interlocking pieces of legislation, each covering ground the other doesn't. Since 2025, that relationship has shifted again — the Data (Use and Access) Act 2025 (DUAA) has amended both UK GDPR and the DPA 2018 directly, with major changes taking effect from 5 February 2026 and further provisions due on 19 June 2026. Neither law has been replaced; both have been updated in place.

What the Data Protection Act 2018 Actually Covers

Think of the DPA 2018 as the law that handles everything UK GDPR doesn't reach. Specifically, it covers:

  • Law enforcement processing — how police forces and other agencies handle personal data for the purposes of preventing, investigating, or prosecuting crime (governed by "Part 3" of the Act).
  • Intelligence services processing — data handled by the UK's security and intelligence agencies (Part 4).
  • National security exemptions — circumstances where standard data protection obligations can be set aside for national security reasons.
  • UK-specific exemptions — a list of situations where certain UK GDPR obligations don't fully apply, such as processing for journalism, legal privilege, or regulatory functions.
  • The ICO's powers and enforcement mechanisms — including fining powers and investigatory authority.
  • Criminal offences relating to data protection, such as unlawfully obtaining personal data.

If you're a typical UK business, most of your day-to-day obligations won't come from the law enforcement or intelligence provisions. What matters most for you is the exemptions framework and the ICO's enforcement powers — both of which shape how any breach or complaint against your business would actually play out.

The DUAA has added to this list too. From 19 June 2026, the DPA 2018 will include a new statutory right for individuals to complain directly to your business about how their data has been handled, alongside requirements for how you must respond.

For a fuller walkthrough of this law on its own — including the criminal offences and national security provisions — see our plain-English guide to the Data Protection Act 2018.

What UK GDPR Covers

UK GDPR is the law most people actually mean when they say "GDPR compliance UK." It sets out the core rulebook for how personal data should be handled:

  • The seven key principles — lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability.
  • Lawful bases for processing — consent, contract, legal obligation, vital interests, public task, and legitimate interests (plus the newer "recognised legitimate interests" basis introduced by the DUAA from February 2026).
  • Individual rights — access, rectification, erasure, restriction, portability, objection, and rights around automated decision-making.
  • Rules on international data transfers — including the "data protection test" the DUAA introduced for assessing whether data can be sent outside the UK.
  • Accountability requirements — records of processing, data protection impact assessments, and (where required) a Data Protection Officer.

In short: UK GDPR is where the substance of data protection legislation lives for most commercial organisations. If someone asks "what does GDPR require of my business," the answer sits almost entirely in this law.

Where the Two Laws Overlap

The overlap is where most confusion comes from, so it's worth being explicit about it.

Area

UK GDPR

DPA 2018

Core principles (lawfulness, minimisation, etc.)

Sets them out

Individual rights (access, erasure, etc.)

Sets them out

Provides specific exemptions to them

Lawful bases for processing

Sets them out

Adds detail on special category data conditions

ICO enforcement powers

References them

Sets out the detail (fines, notices, powers)

Special category data (health, ethnicity, etc.)

Defines the category and general conditions

Adds UK-specific additional conditions

Criminal offences

Creates them

Complaints handling (from June 2026)

Reflects the right in Article 12

Creates the underlying right and process

The practical takeaway: UK GDPR tells you what the rules are; the DPA 2018 often tells you how they apply in specific UK contexts, including where exemptions kick in or how the ICO can act if you don't comply.

The special category data row is worth a closer look on its own — see our guide on personal data vs special category data for where the extra conditions apply.

Where They Differ: Exemptions, Law Enforcement, and National Security

The clearest dividing lines are in areas UK GDPR deliberately leaves open for domestic law to fill:

  • Exemptions
    The DPA 2018 contains a schedule of exemptions from certain UK GDPR obligations — for example, limited exemptions relating to journalism, research, legal proceedings, and regulatory activity. UK GDPR itself doesn't define these; the DPA 2018 does. 
  • Law enforcement processing 
    If your organisation isn't a police force or prosecuting authority, Part 3 of the DPA 2018 generally won't apply to you directly — but it's worth knowing it exists if you ever share data with law enforcement.
  • National security
    Both laws include national security exemptions, but the detailed mechanics — including the use of "national security certificates" — sit in the DPA 2018.
  • Criminal offences
    UK GDPR creates civil obligations. The DPA 2018 is what makes certain conduct — like knowingly obtaining personal data without the controller's consent — a criminal offence.
  • PECR fines
    Not strictly part of either law, but relevant here: the Privacy and Electronic Communications Regulations (covering cookies and email marketing) now carry the same maximum fine as UK GDPR — up to £17.5 million or 4% of global annual turnover — following DUAA changes that took effect in February 2026.

For most SMEs, the practical difference boils down to this: UK GDPR is where your compliance obligations live, and the DPA 2018 is where you'll find the exemptions, the criminal offences, and the enforcement teeth behind them.

Which One Applies to Your Business, with Examples

In practice, you rarely need to consciously choose between the two — you comply with UK data protection law as a combined framework. But it helps to see how each law shows up in real scenarios:

  • A customer emails asking what data you hold on them. This is a Subject Access Request under UK GDPR (Article 15). The DPA 2018 only becomes relevant if an exemption applies — for example, if some of the requested information is subject to legal privilege.
  • You want to run a marketing email campaign. UK GDPR's lawful basis rules (usually consent or legitimate interest) apply, alongside PECR rules on electronic marketing. 
  • The ICO investigates a data breach at your business. The DPA 2018 sets out the ICO's investigatory and fining powers, while UK GDPR sets out what the breach was actually a failure to comply with.
  • A journalist requests information you hold about a public figure. The DPA 2018's journalism exemption may reduce some of your UK GDPR obligations in this specific context.
  • A former employee asks you to erase their personnel file. UK GDPR's right to erasure applies, but the DPA 2018's exemptions (for example, around legal claims or employment records you're required to retain) may mean you can lawfully refuse in part.

Notice the pattern: UK GDPR almost always sets the default rule, and the DPA 2018 is where you look for the exception or the enforcement detail.

How the Two Laws Work Together in Practice

For day-to-day compliance, treat the two laws as a single combined framework rather than separate checklists:

  1. Start with UK GDPR to establish your lawful basis, your principles-based obligations, and the individual rights you need to honour.
  2. Check the DPA 2018 for any relevant exemption before assuming a right applies in full — particularly around legal proceedings, journalism, regulatory functions, or law enforcement sharing.
  3. Factor in the DUAA's 2026 changes to both laws — including recognised legitimate interests, the revised transfer test, and (from June 2026) the new complaints-handling requirement under the DPA 2018.
  4. Keep policies cross-referenced. Your privacy notice, retention schedule, and SAR process should reflect both laws' requirements, not just UK GDPR in isolation.
  5. Watch ICO guidance, which is regularly updated to reflect how the two laws interact following the DUAA reforms.

FAQs

Do I need to comply with both laws, or just one?
Both. UK GDPR sets out your core obligations and individual rights, while the Data Protection Act 2018 fills in UK-specific detail, exemptions, and enforcement powers. Treat them as one combined framework rather than a choice between the two.

Which law takes priority if they conflict?
They're designed to work together rather than conflict, since the DPA 2018 was written specifically to complement UK GDPR. Where the DPA 2018 provides an exemption to a UK GDPR obligation, that exemption applies only in the specific circumstances it defines — it doesn't override UK GDPR generally.

Does the Data Protection Act 2018 apply to law enforcement and government bodies?
Yes — Part 3 of the DPA 2018 specifically governs how police forces and other law enforcement bodies process personal data for crime-related purposes, and Part 4 covers the intelligence services. Most commercial businesses won't be directly subject to these parts, but they matter if you ever share data with these bodies.

Is the Data Protection Act 2018 the same as the old 1998 Act?
No. The 1998 Data Protection Act was replaced entirely by the 2018 Act, which was introduced to work alongside the EU GDPR (and later UK GDPR) rather than stand alone. The 1998 Act's separate, self-contained framework no longer applies.

Will these laws change after UK data reform proposals?
They already have. The Data (Use and Access) Act 2025 has amended both UK GDPR and the DPA 2018, with major provisions taking effect from 5 February 2026 and further changes — including new complaint-handling requirements — due on 19 June 2026. It's worth checking ICO guidance periodically, as further detail is still being published. 

Knowing which law covers what is one thing — applying it correctly when a real request, complaint, or breach lands on your desk is another. Untangling which rules apply to your organisation is exactly what we cover in GDPR Essentials for UK Businesses — get a clear, practical framework instead of legal guesswork.

Start your learning journey with KitLearn

Discover courses designed to help you grow faster, learn smarter, and achieve more.