UK Data Protection Act 2018 (DPA ACT) | 2021 Update

Updated August 23, 2021.

The Data Protection Act 2018 (DPA ACT) is a domestic law governing the use of personal data and the flow of information in the United Kingdom.

The UK is no longer part of the EU and a new and amended Data Protection Act has taken effect.

In this article, we dive into the Data Protection Act 2018 – what does the law say and how has it changed after Brexit?

UK Data Protection Act, in short

---

Data Protection Act 2018 – 2021 update

The UK is no longer part of the European Union.

This means changes to the legal landscape of data privacy and protection in the United Kingdom.

The UK Data Protection Act 2018 was actually passed in April 2016 and took effect (received Royal Assent) on May 25, 2018 – the same day as the European General Data Protection Regulation (GDPR) went into effect.

This is no coincidence.

The UK Data Protection Act was passed before the Brexit referendum later that summer and is in fact constructed around and meant to be read in conjunction with the EU GDPR, that has uniform authority over all member states.

However, since the UK is no longer part of the EU, the European GDPR no longer has application domestically in the United Kingdom, and so the Data Protection Act of 2018 has been amended to accommodate the post-Brexit changes to UK data privacy law that have taken place.

After Brexit, the UK Data Protection Act no longer refers to the EU’s GDPR, but to the UK-GDPR.

Data protection law in UK after Brexit 2020

Here are the overall changes to UK data privacy law after Brexit –

• The EU’s GDPR has been lifted into a new UK-GDPR (United Kingdom General Data Protection Regulation) that took effect on January 31, 2020.
• The Data Protection Act 2018 has been amended to be read in conjunction with the new UK-GDPR instead of the EU GDPR.
• An adequacy decision for the UK was adopted on June 28, 2021 by the EU, securing unrestricted flow of personal data between the two blocs until June 2025.
• It is likely that the UK government will move to consolidate the two amended laws (UK-GDPR and Data Protection Act 2018) into one, comprehensive piece of data protection law at a later point.
• It is likely that the EU will grant an adequacy decision before June 2021, removing the UK from the list of “third countries” and ensuring unrestricted data flow between the two blocs.

See the UK adequacy decision from June 2021

Lean more about the UK-GDPR

See the ICO’s consultation on data transfers to and from the U.K. from August 2021

Learn more about EU’s GDPR and compliance

Cookiebot CMP and UK Data Protection Act

---

The UK has been protected and regulated by the EU’s GDPR since May 2018, but now that the country has left the EU, it has its own, equivalent set of data protection legislation.

Our CMP is a world-leading consent management platform built specifically for the strong GDPR provisions of personal data protection, both in the EU and UK.

Our solution scans your website and finds all cookies and similar tracking technologies, then blocks them all apart from the strictly necessary until the user has given their consent as to which they want to activate.

Cookiebot CMP standard consent banner for compliance with EU's GDPR and UK's Data Protection Act.

This way, you can ensure that your website is in compliance with the requirements of obtaining prior consent from individuals, before collecting or processing their personal data.

Under the new UK-GDPR and the amended UK Data Protection Act, users in the United Kingdom will have the same rights as users in the EU, and websites, companies and organizations who collect or process data of users in the UK will have to comply by the same requirements as those set out by the EU GDPR.

Protecting users in the UK after Brexit requires the same insight, transparency and control of what happens on your website as before.

This is what Cookiebot CMP does best.

Learn more about GDPR and consent

Learn more about the UK-GDPR

UK Data Protection Act 2018, in detail

---

Scope, substance and compliance of the Data Protection Act 2018

The Data Protection Act 2018 is the UK’s third generation of data protection legislation. It replaces the previous 1998 law by the same name and modernizes the country’s legal framework in response to new technologies.

Brexit means an amended Data Protection Act 2018 in the UK.

The Data Protection Act 2018 contains four parts that create four different “data protection regimes” within the UK:

1. Part one is structured around the European GDPR, supplementing and tailoring it into domestic UK law.
2. Part two extends beyond the EU GDPR and modifies it in certain cases to apply differently to UK law.
3. Part three creates a new and separate regime for law enforcement authorities.
4. Part four creates a new and separate regime for the UK’s intelligence services.

The general processing regime found in Part 2, Chapter 2 of the Data Protection Act appropriates and supplements the EU GDPR.

Most of the processing of personal data is subject to the EU GDPR, and so the Data Protection Act refers to the GDPR’s most central provisions for the protection of personal data.

These include –

• Requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified legal basis.
• Conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified.
• Conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.

The Data Protection Act 2018 also adopts the central definitions of the EU GDPR, such as:

• Personal data meaning “any information relating to an identified or identifiable living individual.”
• Processing meaning “an operation or set of operations which is performed on information,” such as collection, recording, storage, disclosure, combination etc.
• Data subject meaning “living individual to whom personal data relates.”
• Controller and processor meaning the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

The UK Data Protection Act 2018 supports the domestic UK-GDPR instead of the EU’s GDPR.

Where the UK Data Protection Act extends beyond the EU GDPR

Apart from referring to the UK-GDPR instead of the EU’s GDPR (since the UK has left the EU), the Data Protection Act 2018 creates additional provisions to the processing of personal data that goes beyond both the UK-GDPR and the EU’s GDPR.

These are mostly found in the area of national security, law enforcement and immigration.

In the area of national security, which lies outside the scope of the EU GDPR, the Data Protection Act applies the same requirements for personal data processing to the UK intelligence services.

In the area of immigration, the Data Protection Act grants the UK Home Office the power to refuse personal data access requests based on the risk it could pose to immigration enforcement.

In addition, the Data Protection Act frames the role – jurisdiction, function and powers – of the Information Commissioner (ICO) as the leading data protection authority (DPA) in the UK.

Read the Data Protection Act 2018 law text here (pdf)

Learn more about the UK-GDPR

Brexit and UK Data Protection Act in 2021

---

The new and amended UK Data Protection Act

Now that Brexit has happened, several legal changes has taken effect in the area of data protection.

The EU Withdrawal Agreement that took effect on Exit Day specifies that the UK “shall ensure a level of protection of personal data essentially equivalent to that under Union law” (Article 71).

This is important because of Article 45 in the European GDPR, which requires countries that are not part of the EU to have an adequate level of domestic data protection laws in order to ensure a free flow of information to and from the EU.

However, on June 28, 2021, the EU adopted an adequacy decision for the UK, meaning that websites, companies and organizations in the United Kingdom who process personal data from users inside of the EU can carry on as before, business-as-usual for the next four years (until June 2025).

See the UK adequacy decision from June 2021

Lean more about the UK-GDPR

The UK Data Protection Act 2018 supports the domestic UK-GDPR instead of the EU’s GDPR.

New Data Protection Act 2018 and a new GDPR

The UK-GDPR (United Kingdom General Data Protection Regulation) is in effect in the UK and will be read in conjunction with the newly amended Data Protection Act 2018 (DPA 2018).

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC Regulations) is the statutory instrument amending both the GDPR (turning it into the new UK-GDPR) and the Data Protection Act 2018.

Read the DPPEC regulations here.

Important amendments to the UK Data Protection Act 2018

The most important amendments to the Data Protection Act include:

• The first two parts of the Data Protection Act that are currently referring to the EU GDPR has been amended to refer to the new UK-GDPR instead of the EU GDPR.
• All places in the Data Protection Act where the law refers to EU legislation and institutions are changed to the UK equivalents.
• The Information Commissioner (ICO) will become the lead enforcer of the Data Protection Act and the UK-GDPR instead of the lead supervisor in the EU of the European GDPR.
• The Data Protection Act deems all EAA/EU countries (including Gibraltar) as adequate.
• The Data Protection Act also integrates all EU adequacy decisions made prior to Brexit, e.g. the US Privacy Shield program.

New data protection laws in the UK took effect on Exit Day January 31, 2020.

These DPPEC Regulations can be viewed in the following Keeling Schedules showing the changes that took effect on Exit Day (January 31, 2020).

Keeling Schedule for the amendments to the Data Protection Act 2018.

Keeling Schedule for the creation of the new UK-GDPR.

FAQ

---

What is the UK Data Protection Act 2018

The Data Protection Act 2018 is the UK’s third generation of data protection laws. The Data Protection Act was passed in 2016 and took effect on May 25, 2018 – the same day as the EU’s General Data Protection Regulation (GDPR). The DPA 2018 was meant to be read in conjunction with the EU’s GDPR, but was amended in 2019 because of Brexit.

Learn more about Brexit and GDPR

What happens to the Data Protection Act after Brexit?

Brexit means overall changes to UK data privacy law. The EU’s GDPR has been amended into a new UK-GDPR that the amended Data Protection Act 2018 now must be read in conjunction with. An adequacy decision from June 2021 ensures unrestricted data flow, but the UK-GDPR, Data Protection Act 2018 and PECR governs all data processing domestically, also after Brexit.

Learn more about GDPR in the UK

What is the UK-GDPR?

The UK-GDPR is the United Kingdom’s domestic General Data Protection Regulation that will replace its European equivalent when the country finally and formally leaves the bloc by the end of the transition phase. The UK-GDPR mirrors the GDPR in its substance and scope.

Learn more about the UK-GDPR

How can my website be compliant with the UK Data Protection Act?

Your website must ask for and obtain the consent of users before processing their personal data. If your website uses third-party cookies, you need to implement a consent management solution that ensures that these cookies and trackers are not activated to process personal data before users have given their explicit consent to do so.

Resources

---

What is the EU's GDPR?

See the UK adequacy decision from June 2021

See the ICO’s consultation on data transfers to and from the U.K. from August 2021

The new and amended Data Protection Act 2018 (DPA ACT) (Keeling Schedule)

The new UK-GDPR (Keeling Schedule)

Information Commissioner’s Office (ICO), the lead enforcer of DPA in UK

The ICO’s introduction to the UK Data Protection Act