The Data Protection Act 2018

The following Information Law practice note provides comprehensive and up to date legal information covering:

  • The Data Protection Act 2018
  • In brief
  • Overview of the history of the DPA 2018 and scope of this Practice Note
  • Further background guidance
  • Extra-territorial reach of the DPA 2018
  • The impact of the DPA 2018 on general processing
  • Lawful basis for processing—public tasks
  • Children’s consent in relation to information society services and in Scotland
  • What is an information society service?
  • Age limit for consent in relation to an ISS
  • More...

The Data Protection Act 2018

This Practice Note introduces the UK’s Data Protection Act 2018 (DPA 2018).

For higher-level introductions to data protection law in the UK, see Practice Note: Data protection law—new starter guide. The Data protection toolkit collates further general guidance on data protection and is a recommended starting point for research.

In brief

In summary, the DPA 2018 itself currently governs:

  1. the processing of personal data within the scope of the UK GDPR regime, supplementing the core provisions set out in the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR), including additional provisions relating to:

    1. lawful basis for processing

    2. processing special categories of personal data and criminal offence data

    3. credit reference agencies

    4. automated decision-making authorised by law

    5. accreditation of certification providers

    6. certain contractual terms relating to health records

    7. exemptions from generally applicable obligations under the UK GDPR regime

    8. specific laws relating to children’s consent in Scotland

    9. transitional changes following Brexit

  2. the processing of personal data by competent authorities for law enforcement purposes (The DPA 2018, Pt 3 contains a specific regime that is separate from the UK GDPR), and

  3. the processing of personal data by the intelligence services (The DPA 2018, Pt 4 contains a further specific regime that is separate from the UK GDPR)

The DPA 2018 also:

  1. contains a number of key provisions relating to the Information Commissioner’s powers, funding

Popular documents