Data Protection Act 2018

The Data Protection Act 2018 is the UK’s third generation of data protection legislation. It came into force alongside the GDPR on 25 May 2018. The DPA 2018 serves a number of purposes, including:

  • Repealing and replacing the Data Protection Act 1998.
  • Incorporating GDPR into UK law.
  • Exercising the available derogations (flexibilities) in the GDPR, which give member states discretion to make provision for how the GDPR applies in their country.
  • Dealing with processing that does not fall within EU law, for example, where it is related to immigration.
  • Transposing the EU Law Enforcement Directive into UK law.
  • Detailing the role, duties, functions and powers of the Information Commissioner’s Office (ICO).


Because the GDPR permits derogations on issues such as the processing of health information and other special category data, and exemptions for research and statistical data, it is important that the GDPR and the DPA 2018 are read side by side.