The Data Protection Act 2018

The following Financial Services guidance note provides comprehensive and up-to-date legal information covering:

  • The Data Protection Act 2018
  • Background
  • Extra-territorial reach of the DPA 2018
  • The impact on general processing under the GDPR
  • Lawful basis for processing—public tasks
  • Children’s consent in relation to information society services
  • Processing special categories of personal data
  • Processing of criminal conviction and offence data
  • Obligations of credit reference agencies
  • Automated decision-making authorised by law—safeguards

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

The Data Protection Act 2018 (DPA 2018) introduces four distinct data protection regimes into UK data protection law. It covers the processing of personal data:

  1. within the scope of the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR)—assisting and supplementing the adoption of the GDPR into UK law by providing permitted national derogations/exceptions to the requirements of the GDPR

  2. outside the scope of the GDPR—applying GDPR standards to additional areas of processing not covered by the GDPR and EU law, such as the processing of unstructured manual files by public authorities; this regime is known as the ‘applied GDPR’

  3. by competent authorities for