Definition and purpose

The Data Protection Act 2018 is designed to empower individuals to take control of their personal data and to support organizations with their lawful processing of personal data.

The Act updates data protection laws in the UK, supplementing the General Data Protection Regulation (GDPR), implementing the EU Law Enforcement Directive (LED), and extending data protection laws to areas which are not covered by either. 

Governing Body

The Information Commissioner's Office (ICO) is the governing body responsible for overseeing and enforcing the Data Protection Act in the UK. The ICO is an independent authority that upholds information rights in the public interest and enforces compliance with data protection regulations including the DPA, NIS Regulations, Privacy and Electronic Communications Regulations, and more.

Last updated

The Data Protection Act first came into force in 1987. It has undergone several updates and revisions, with the most recent being the Data Protection Act 2018, which incorporates provisions of the EU's General Data Protection Regulation (GDPR). It came into effect on May 25, 2018.

Most recently in March 2023, the Data Protection and Digital Information (No. 2) Bill , which would make changes to the Data Protection Act 2018 and the UK General Data Protection Regulation, was introduced in the House of Commons. 

Applies to

The Data Protection Act applies to both data controllers and processors that process personal data within the territory of the UK and, in certain circumstances, outside of the UK. This includes a wide range of organizations and industries in the UK in both the public and private sectors, including businesses, government entities, healthcare, financial services, education, and non-profit organizations.

Controls and requirements

The Data Protection Act sets out a variety of controls and requirements for organizations, including but not limited to:

• Ensuring data is processed lawfully, fairly, and transparently.
• Obtaining explicit consent from data subjects for processing their data.
• Implementing appropriate security measures to protect personal data.
• Allowing individuals to access, correct, or erase their data, among other data subject rights. 
• Appointing a Data Protection Officer (DPO) for certain organizations.
• Reporting data breaches to the ICO and affected data subjects.
• Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
• Complying with international data transfer regulations.
• Adhering to the principles of data minimization and storage limitation.

Please refer to the official Data Protection Act 2018 legislation for a detailed list of controls and requirements.

Audit type, frequency, and duration

While the Data Protection Act 2018 gives the Information Commissioner the power to carry out compulsory data protection audits, the ICO predominantly conducts “consensual audits” to assess whether a controller or processor is complying with good practice in the processing of personal data. Consensual audits means that the controller or processor gave their consent prior to the audit.

The duration of the audit varies based on what dates the ICO and processor or controller agree upon during their introductory meeting or conference call, but typically the audit will last no more than a week, according to the ICO.

The frequency of these audits vary. The ICO conducts a number of consensual audits each year with organizations who have requested one, but they have to prioritize the highest-risk organizations. However, organizations subject to the Data Protection Act are expected to maintain ongoing compliance and regularly review their data protection practices to ensure alignment with the law.