For Individuals Only

This website is designed for individual consumers to understand their rights and track their own SAR and FOI requests.

It is not intended for commercial use by organisations, companies, or professionals managing requests on behalf of others.

DPA 2018 Summary

Key parts of the Data Protection Act 2018 that complement the UK GDPR

The Data Protection Act 2018 works alongside the UK General Data Protection Regulation. This page summarises the parts that matter most to individuals.

The UK GDPR sets out the core data protection framework. The DPA 2018 fills in the UK-specific detail, including exemptions, enforcement powers, and rules for law enforcement and intelligence services.

[Source: Legislation.gov.uk – DPA 2018]

1. Structure of the Act

The DPA 2018 is divided into four main parts:

  • Part 1: Overview and definitions
  • Part 2: Supplements the UK GDPR
  • Part 3: Law enforcement processing
  • Part 4: Intelligence services

For most consumers, Part 2 is the most relevant.

2. UK GDPR Supplementation (Part 2)

Part 2 of the DPA 2018:

  • Applies the UK GDPR in domestic law
  • Sets the age of consent for online services at 13 in the UK
  • Provides conditions for processing special category data
  • Defines additional exemptions from certain data subject rights

3. Special Category and Criminal Offence Data

The Act sets out:

  • Additional lawful bases for processing special category data (health, ethnicity, religion, biometric data)
  • Strict conditions for processing criminal offence data

Important: Organisations must identify both a lawful basis under UK GDPR AND a specific condition under the DPA 2018. Without both, processing is unlawful.

4. Exemptions from Rights

The DPA 2018 creates limited exemptions from certain rights under the UK GDPR. Examples include where disclosure would:

  • Prejudice crime prevention or detection
  • Affect taxation matters
  • Reveal confidential references
  • Impact negotiations

Exemptions are not automatic. Organisations must justify their use and apply them narrowly.

5. Law Enforcement Processing (Part 3)

Part 3 applies to police, prosecuting authorities, and other competent authorities processing personal data for law enforcement purposes. This regime is separate from the UK GDPR and has its own rules and safeguards.

6. Intelligence Services (Part 4)

Part 4 governs processing by security and intelligence services. This framework is distinct and subject to specific oversight mechanisms.

7. Enforcement and the ICO

The DPA 2018 gives powers to the Information Commissioner's Office (ICO) to:

  • Investigate complaints
  • Issue enforcement notices
  • Impose fines
  • Conduct audits

8. Offences Under the Act

The DPA 2018 creates criminal offences, including:

  • Knowingly or recklessly obtaining or disclosing personal data without consent
  • Re-identifying anonymised data without authority
  • Altering records to prevent disclosure following a subject access request

9. Complaints and Remedies

If you believe your data protection rights have been breached:

  1. Complain to the organisation first.
  2. Escalate to the ICO if unresolved.
  3. Seek compensation through the courts if you suffer damage or distress.

In Summary

The Data Protection Act 2018:

It does not replace the UK GDPR. It completes it within UK law.

Sources and further reading:

Last reviewed: March 2026. This page provides a factual summary of the legislation and does not constitute legal advice.
