Does The Data Protection Act 2018 Affect Your Business?

Published on Jan 20, 2021

One summer morning in June 2017, a pre-pandemic period that seems like a lifetime ago, the UK government announced plans to introduce new data protection legislation. The existing Data Protection Act 1998 was almost Victorian, given that it pre-dated social media and smartphones. Furthermore, legislation was needed to implement the coming General Data Protection Regulations (GDPR). The Data Protection Bill 2017-18 received its Royal Assent on 23 May 2018 to become the Data Protection Act (DPA) 2018.

For a review of the changes to UK data protection legislation following our exit from the EU, read our blog on GDPR after Brexit, which explains the divergence of UK GDPR from EU GDPR and what this all means.

Within both the EU and UK versions of GDPR, there are areas where the regulations state that domestic (national) law prevails. It is here that the DPA 2018 expands on the regulations, such as adding further safeguards and creating the UK's exemptions and offences. This means that the Data Protection Act 2018 must be read in conjunction with the UK GDPR as both are required to comply with the data protection legislation in the UK.

How The Data Protection Act 2018 Impacts Businesses

All businesses that deal with personal data need to understand the Act’s application in relation to their market sector. One of the first things to consider is the common terms that are used in both the DPA 2018 and the UK GDPR.

Below is a non-exhaustive list of DPA 2018 and UK GDPR terms that all organisations should be familiar with to ensure they have a good grasp of data protection as it relates to businesses.


Data protection is about the processing of personal data and relates to any operation or collection of operations that are performed on personal data. It covers the entire life cycle of personal data from its collection to its destruction and everything that happens in between - either manually or using automation, AI, or machine learning.

Data Subject

A data subject is an identified or identifiable natural person (see Personal Data below).

Personal Data

Personal data is any information relating to an identified or identifiable natural person (the data subject) that could be used to identify that person directly or indirectly. For example, a customer giving their name and address and showing a photo ID will directly identify that data subject. A person's shoe size, their choice of movies, or their favourite restaurant would not directly identify them, but with further information would indirectly identify them. All of these are classed as personal data.

Special Category Personal Data

This data is deemed to be particularly sensitive and can often lead to discrimination. It refers to a person’s race, religion, health, trade union membership, political beliefs, biometric data, sex life, sexual orientation, and genetics. Processing this data is forbidden unless at least one of the specific conditions in Article 9 of the UK GDPR [C1] is met.

Controller (AKA Data Controller)

A legal person who determines the purpose and means of processing personal data. The Controller is always the company, organisation, public body, or agency, although it can be an individual: for example, a sole trader who processes personal data is a controller. Where one controller works with and shares data with other controllers, they jointly determine the purpose and means of processing. For example, where the police, social services, housing, and schools collaborate to help a group of families, they would be joint controllers, and all would be liable and responsible for the data.

Processor (AKA Data Processor)

Where the processing of personal data is outsourced to a third party, that third party becomes a Processor for the purposes of the DPA 2018/UK GDPR. A legally binding contract, referred to as a Processor Agreement, must be in place setting out the scope and methods of the processing, what must happen to the personal data when the contract ends, and that the processor can only act on the instructions of the controller. If at any time the processor itself makes a decision about the processing, then for that decision the processor becomes the controller, with the responsibilities and liabilities of a controller.

You cannot be a data controller and processor for the same processing activity.

Paying The Data Protection Fee

In the UK, all organisations processing personal data must pay a fee to the Information Commissioner's Office (ICO) unless an exemption applies. This ensures the independence of the ICO and that all organisations who use the services of the Commissioner pay a small amount toward the upkeep of the ICO. The fee ranges from £40 to £2,900. For most private organisations it will be £40 or £60, with only the very large organisations and public authorities paying £2,900.

The ICO publishes the names of fee-paying organisations and also identifies businesses fined due to data protection breaches.

Data Protection Act 2018 Summary

The above definitions provide a basis on which businesses can understand data protection rules and principles. To mitigate the risk of compliance breaches and the financial and reputational damage that can result from them, public and private organisations must understand both the UK GDPR and the DPA 2018. This will provide the foundation to build robust data protection policies and procedures, designed to protect the best interests of data subjects and the organisation itself.

Explore the GDPR & FOI certified training from BCS, the Chartered Institute for IT, as well as the IAPP accredited GDPR and privacy management training courses we offer. To learn the essential aspects of data protection and privacy law, book a flexible, certified online course.

[C1] Art. 9 GDPR – Processing of special categories of personal data | General Data Protection Regulation (GDPR)
