JavaScript is disabled. All written guidance, comparisons, checklists, glossary, and search work without it. Interactive tools (calculators, route finders, letter generator) require JavaScript. For official UK calculators, see gov.uk.

Data Protection Act 2018

(DPA 2018)

The UK statute supplementing the UK GDPR with domestic provisions, exemptions, and enforcement mechanisms. Implements the EU Law Enforcement Directive for criminal justice processing, and the Intelligence Services Directive. Section 170 makes unauthorised obtaining of personal data a criminal offence.

The DPA 2018 implements detailed UK rules alongside the UK GDPR: Part 2 (the GDPR's domestic implementation), Part 3 (Law Enforcement processing under Directive 2016/680), Part 4 (Intelligence Services). The criminal offences include: unlawful obtaining, disclosure, or procurement (s.170 — maximum unlimited fine), re-identification of de-identified data (s.171), and obstruction (s.179). Specific exemptions for journalism, art, literature, research, statistics, archiving (Schedule 2). The Information Commissioner is the regulator.

Official guidance

Related guides

UK GDPR Rights for Individuals

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) give individuals in the UK eight legally enforceable rights over how organisations collect, store, and use their personal data. These rights apply whether the data is held by a business, public body, or online platform.

6 min

Back to glossary

Data Protection Act 2018

Related terms

Related guides

UK GDPR Rights for Individuals