
Data Protection Act 2018


In today’s interconnected world, where personal data is a valuable asset, it is essential to have robust laws and regulations in place to protect individuals’ privacy.

The Data Protection Act 2018 is a comprehensive piece of legislation in the United Kingdom that governs the processing and protection of personal data. It is designed to bring the UK’s data protection laws in line with the European Union’s General Data Protection Regulation (GDPR) and provides individuals with greater control over their personal information. The act replaces the previous Data Protection Act 1998 and incorporates provisions from the GDPR.

The Data Protection Act 2018 sets the foundation by defining personal data as information that relates to an identifiable individual. It outlines key principles that organisations must follow when processing personal data, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality. These principles ensure that personal data is handled responsibly and ethically.

The act also outlines various lawful bases for processing personal data, including obtaining consent, fulfilling contractual obligations, complying with legal requirements, protecting vital interests, performing tasks in the public interest, and pursuing legitimate interests. This ensures that organisations have legitimate reasons for processing personal data and that individuals’ rights are respected.

Furthermore, the Data Protection Act 2018 strengthens individuals’ rights over their personal data. It grants individuals the right to be informed about how their data is used, the right to access their data, the right to rectify inaccurate information, and the right to have their data erased under certain circumstances. Additionally, individuals have the right to restrict processing, the right to data portability, the right to object to processing, and protection against automated decision-making and profiling.

Lastly, the Data Protection Act 2018 grants the Information Commissioner’s Office (ICO) the authority to enforce data protection regulations. The ICO has the power to investigate data breaches, issue fines, and take enforcement action against organisations that fail to comply with their data protection obligations. Non-compliance with the act can result in significant fines, which highlights the importance of data protection and the seriousness of safeguarding personal information.

The Data Protection Act was passed on the 23rd of May 2018.

The Data Protection Act applies to the following countries:

  • United Kingdom; 
  • England; 
  • Scotland; 
  • Wales; and 
  • Northern Ireland. 

Does the Data Protection Act 2018 affect my business?

The Data Protection Act 2018 applies to a wide range of businesses, regardless of their size or industry. Here are some examples of businesses that will have requirements under the act:

  • Data Controllers – Any organisation that determines the purposes and means of processing personal data is considered a data controller. This includes businesses that collect and process personal data directly from individuals or obtain it from other sources. Data controllers have specific responsibilities under the act, including ensuring lawful processing, providing individuals with privacy notices, and responding to data subject requests.
  • Data Processors – Businesses that process personal data on behalf of a data controller are known as data processors. They are responsible for handling personal data according to the instructions provided by the data controller. Data processors must have appropriate security measures in place to protect the data they process and must comply with the contractual obligations outlined in data processing agreements.
  • Service Providers and Third-Party Vendors – Many businesses rely on service providers and third-party vendors to handle various aspects of their operations, including data processing. These service providers may include cloud hosting providers, marketing agencies, payment processors, or customer relationship management (CRM) software providers. Businesses that engage such service providers must ensure that they comply with data protection requirements and take adequate measures to protect personal data.

The Data Protection Act 2018 has significant implications for businesses. Here are some key ways in which businesses are affected by this act:

  • Businesses are required to comply with the provisions of the Data Protection Act 2018. This includes implementing appropriate technical and organisational measures to protect personal data, ensuring lawful processing, and adhering to data protection principles. Organisations must demonstrate accountability by documenting their data processing activities, conducting data protection impact assessments when necessary, and maintaining records of processing activities.
  • The act strengthens the rights of data subjects, giving individuals more control over their personal data. Businesses must be prepared to respond to data subject requests, such as providing access to personal data, rectifying inaccuracies, and erasing data in certain circumstances. They must have processes in place to handle these requests and ensure that individuals’ rights are respected.
  • Businesses need to ensure that they have a lawful basis for processing personal data. This may require obtaining explicit consent from individuals, unless another lawful basis applies. Organisations must review their data processing activities, assess the lawful basis for each type of processing, and ensure that they have proper consent mechanisms in place when required.
  • The Data Protection Act 2018 places a strong emphasis on data security. Businesses are obligated to implement appropriate security measures to protect personal data from unauthorised access, loss, or destruction. In the event of a data breach, organisations must promptly assess the risk to individuals’ rights and freedoms and, if necessary, notify the Information Commissioner’s Office (ICO) and affected individuals about the breach.
  • For businesses operating internationally or transferring personal data outside the UK or the European Economic Area (EEA), the act imposes additional requirements. Organisations must ensure that they comply with the specific regulations regarding international data transfers, including implementing appropriate safeguards to protect the transferred data and respecting individuals’ rights.


Do I need the Data Protection Act 2018 in my ISO Compliance Register?

Since most organisations will have responsibilities and tasks under the Data Protection Act 2018, you will need to include it in your ISO Compliance Register.

Legislation related to the Data Protection Act 2018

Legislation related to the Data Protection Act 2018 includes:

  • The Data Retention Regulations 2014
  • The Copyright and Rights in Databases Regulations 1997
  • Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
