Last updated: 06.02.24

The Data Protection Act (2018): Its Purpose and Principles


In our ever-expanding digital world, data is collected and disseminated everywhere. Because of this, it’s of paramount importance that measures are put in place to ensure that the way that data is stored and processed is done ethically and safely.

To safeguard individuals across the globe, legislation has been put in place to protect the privacy of those online. In the UK, one specific law plays a big role in doing this, and it is known as the Data Protection Act (2018).

For organisations, the Data Protection Act (2018) plays a major role in how different-sized companies can use and handle people’s data across the country. Now, the public can rest assured that their data is protected in our advanced digital era thanks to the Act’s framework. 

In this article, we shed light on the Data Protection Act (2018) and discuss its purpose and key principles, the latter of which play a pivotal role in ensuring that people’s data remains private and lawfully processed. 

What is the Data Protection Act 2018?

First and foremost, what is the Data Protection Act 2018? 

Abbreviated to the DPA, the Data Protection Act (2018) is an Act of Parliament in the UK that is designed to ensure that personal data is collected, stored, and handled appropriately and responsibly to protect people’s privacy. The Act was incorporated into UK law as a result of the EU-wide guidelines on data protection, also known as the General Data Protection Regulation or GDPR.

The Data Protection Act (2018) is an official piece of legislation, and for companies specifically, it holds them accountable by law to ensure that their customers’ data is safely and securely dealt with. Because of its scope, the Data Protection Act (2018) affects the overwhelming majority of public-facing organisations.

Thanks to the Act’s modern framework, individuals and organisations are clear on the principles and guidelines that need to be followed under UK GDPR to protect personal data. The Data Protection Act (2018) also outlines the negative repercussions of not following its terms and guidelines, which can be serious. 

What is the Purpose of the Data Protection Act (2018)?

The main purpose of the Data Protection Act 2018 is to empower individuals by giving them control over their data. Not only this, but it ensures that organisations across the UK are held accountable for processing the personal data of the public lawfully, and that they are supported in doing this as our digital era develops.

The predecessor of the UK Data Protection Act (2018) was the Data Protection Act (1998). The 1998 version of the Act was replaced because it had become dated, failing to take into account the technological advancements of our current digital era, in which more data is being processed than ever before.

Not only this, but the General Data Protection Regulation (EU) 2016/679 was outlined in 2016, and since the UK left the EU, the new Data Protection Act (2018) has been enforced, adapting the EU GDPR guidelines to the specific conditions for processing data in the UK.

Why is the Data Protection Act (2018) Important?

Before the original Data Protection Act was introduced in 1998, the rules governing the way that companies had to protect sensitive information about their customers were much less defined. This meant that an individual’s details could be stored in an unsafe manner, sold to third-party companies for profit, or withheld from the individual in question - unless company-defined data processing surcharges were paid.

Now, however, everything is regulated and organisations have a responsibility to uphold the data protection rights of the public. Certain predefined rights of the individual whose data is being stored have to be fully respected, and several offences have been defined to ensure that companies that do not comply with the Act can be fined. So, now more than ever, the UK public knows that their data is being protected to the highest degree.

The Scope of the Data Protection Act (2018) 

The Data Protection Act (2018) covers any information that could be used to identify an individual, whether this is records that contain a name and an address or information about medical conditions or marital status. For most businesses, this means that their customer data, which is gathered every time somebody places an order or signs up for a service, needs to be gathered and handled in line with the UK Data Protection Act (2018).

However, it is important to note that the UK Data Protection Act (2018) also covers data obtained from a third-party source or data gathered via email signup forms. Unfortunately, a great many organisations do not fully understand the scope of the Act and don’t always know what information they should be protecting. This means that they struggle to comply with the stricter parts of the legislation, and often unwittingly violate its rules and regulations.

The Key Areas of the Data Protection Act (2018) 

The Data Protection Act 2018 explores four key areas.

General Data Processing

This refers to the Act implementing GDPR standards across all general data processing. General data processing as outlined by the Data Protection Act (2018) also defines the age from which parental consent is no longer needed to process data online, which is the age of 13. Alongside this, it details the restrictions on the rights to access and delete personal data, so that any data processing that is being carried out with a strong public policy justification can continue.

Finally, this area better explains the definitions used in the GDPR, applying them to a UK-specific context, and allows sensitive social, educational, and health-related data to continue to be processed confidentially.

Law Enforcement Processing

Specifically, this area of the UK Data Protection Act 2018 sheds light on how personal data should be processed by law enforcement agencies, including the police and other criminal justice agencies, for law enforcement purposes. It also outlines the safeguards implemented to protect personal data whilst allowing it to be shared internationally.

Intelligence Services Processing 

This area ensures that the laws governing how personal data is processed by intelligence services are in line with current international standards and their appropriate safeguards, and that they remain up to date.

Regulation and Enforcement

The ‘Regulation and Enforcement’ area of the Data Protection Act (2018) seeks to ensure that the Information Commissioner has additional powers to enforce and regulate data protection laws in the UK. This includes giving them the power to impose high administrative fines and bring criminal proceedings for specific offences.

The Data Protection Act 2018 Principles 

Any personal data in the UK has to be stored, processed, and disseminated according to the six principles of the Data Protection Act 2018. These principles are as follows:

  • Firstly, personal data that is stored and processed by an organisation has to be handled in a lawful, transparent, and fair fashion and used only for its intended purpose.
  • Secondly, data should only be gathered and stored if it’s for a specific, clearly defined, and legitimate purpose, and should not be kept ‘just in case’. This personal data should also not be further processed in a way that doesn’t comply with this principle.
  • Any data that is stored for a specific purpose should be adequate and relevant for that intended purpose, and should not include excessive or unneeded details.
  • Data should be accurate, and should also be kept up to date where possible to prevent old personal information from being associated with the wrong individual.
  • Data should not be kept for longer than it is needed.
  • Finally, sensitive information of any kind should be processed in a way that maintains the confidentiality and security of the individual.

Rights of the Data Subjects Under the Data Protection Act (2018) 

Several specified rights under the UK Data Protection Act 2018 and UK GDPR allow a data subject to have control over how and when their data is handled and processed. These rights include:

  • The right of access: The subject has the right to obtain a copy of their data and any additional supplementary information.
  • The right to be informed: Companies need to make it clear how they will be using an individual’s data.
  • The right to erasure: Data subjects have the right to have their data erased. This is also known as ‘the right to be forgotten’.
  • The right of rectification: This allows subjects to have any incorrect or incomplete personal information rectified or completed.
  • The right to object: The subject has the right to object to their data being processed at any time.
  • The right to data portability: This pertains to a data subject being able to receive the data they have given to a controller in a common, machine-readable format.
  • The right to restrict processing: This refers to an individual being able to have a say in restricting the processing of their data.
  • Rights relating to automated individual decision-making and profiling: This refers to the data subject having the right not to be subject to a decision based solely on automated processing, which includes profiling.

How to Ensure Your Organisation is Meeting the Standards of the Data Protection Act 2018 Legislation

When it comes to processing personal data, there must always be a lawful reason for doing so. Under the UK GDPR, there are six lawful bases for processing personal data, which are:

  • Contract: The processing of personal data is necessary to perform a contract to which the individual in question is a party.
  • Consent: The individual has given the organisation consent to process their personal data.
  • Legal Obligation: Processing personal data is necessary to comply with a legal requirement or obligation that the company has to abide by.
  • Vital Interests: The processing of personal data is needed to protect an individual’s vital interests.
  • Legitimate Interests: Processing personal data is necessary to pursue the legitimate interests of the organisation or a third party.
  • Public Task: The processing of personal data is needed to perform a task that is of public interest.

As a company, you need to ensure that your reasons for processing personal information align with the aforementioned principles and the lawful bases of the UK Data Protection Act 2018.

Additionally, there are requirements relating to consent under UK GDPR, meaning that consent gained from a user must be freely given, informed, specific, and unambiguous for data to be processed on that basis. Alongside this, there are security and data breach requirements, as well as specific guidelines for recording processing activities and meeting cross-border data transfer requirements.

As an organisation, you must read up on all of these requirements alongside the aforementioned standards to remain compliant with the UK Data Protection Act (2018). 


What is the Difference Between GDPR and the Data Protection Act?

The main difference between the GDPR and the Data Protection Act (2018) is that the GDPR is the European Union’s main legislation for data protection. In comparison, the Data Protection Act (2018) is the UK equivalent of the GDPR, protecting personal data and consumer privacy in the UK specifically. So, these two pieces of legislation are closely intertwined.

What is an Example of a Breach of Data Protection? 

An example of a breach of data protection, which is all too common, is human error. This may include instances where individuals include personal information in emails or messages and send these accidentally to the wrong people. 

What Are the 3 Rules of Data Protection?

The three main rules, or principles, of data protection are lawfulness, fairness, and transparency. In short:

  • There must be a lawful reason for processing personal data.
  • Data must be processed in a fair way that does not deceive the user, and that considers how this processing could impact an individual.
  • The party processing this data is open and honest about doing so, whilst complying with its legal obligations.


Without the framework of the UK Data Protection Act (2018), the processing of data for UK citizens would not be done in a lawful, fair, and transparent manner. Thanks to this legislation’s strict guidelines and principles surrounding the processing of personal data, the public can rest assured that organisations are handling their data responsibly. 

We hope this article has shared the necessary information that you need to understand the Data Protection Act (2018) and how your organisation needs to abide by its principles for the safety of your customers and the success of your business.

If you’re working for a customer-facing organisation or an organisation that stores personal information, you’ll need to stay abreast of the specifics of the Data Protection Act (2018) and take steps to ensure that you remain compliant with this legislation and GDPR.

You can find more information on how you should handle personal information in your role with our ‘Essentials of Data Protection (GDPR) training course’ to learn about your responsibilities when dealing with sensitive data in an organisation.