
The Data Protection Act 2018 is the UK’s primary data protection law, working alongside the UK GDPR to regulate how organisations collect, store, use, and share personal data. Following the UK’s departure from the European Union, the Act continues to provide the legal framework governing the handling of personal information across the UK.
For businesses, compliance is essential. Any organisation processing customer, employee, or payment data must meet strict legal obligations around data security, transparency, and lawful use. Failure to comply can result in significant financial penalties, reputational damage, and enforcement action from the Information Commissioner’s Office (ICO). This guide explains the key principles of the Act, what they mean in practice, and the steps businesses should take to remain compliant in 2026.
The Data Protection Act 2018 (DPA 2018) is the UK’s main data protection law. It replaced the 1998 Act and works alongside the UK GDPR to regulate how organisations collect, store and use personal data.
It applies to any information that can identify a living person, including:
The law applies to all organisations that process personal data, regardless of size or sector.
At the heart of the Data Protection Act 2018 and UK GDPR are seven core principles that govern how personal data must be collected, processed, stored, and protected. These principles form the foundation of UK data protection law and apply to all organisations that process personal data.
They are legal requirements, not guidelines, and organisations must comply with all seven. The Information Commissioner’s Office (ICO) has the authority to investigate breaches and impose penalties where non-compliance is identified.
| Principle | Name | What It Means | Business Implication |
|---|---|---|---|
| 1 | Lawfulness, Fairness, and Transparency | Data must be processed lawfully, fairly, and in a transparent way that people can reasonably expect. | Identify and document a lawful basis for each processing activity. Tell people what you do with their data. |
| 2 | Purpose Limitation | Data collected for one purpose must not be used for a different, incompatible purpose. | Don't use customer email addresses for purposes they were not told about when the addresses were collected. |
| 3 | Data Minimisation | Only collect the minimum amount of personal data necessary for the stated purpose. | Don't ask for a date of birth if only a name and email address are needed. |
| 4 | Accuracy | Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be corrected or deleted without delay. | Maintain records. Give people a way to update their details. |
| 5 | Storage Limitation | Data must not be kept in identifiable form for longer than necessary for its original purpose. | Establish a data retention policy with defined retention periods. Delete or anonymise data when it is no longer needed. |
| 6 | Integrity and Confidentiality (Security) | Data must be protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures. | Encrypt sensitive data at rest and in transit, restrict access on a need-to-know basis, enforce strong authentication, and enable MFA. |
| 7 | Accountability | Organisations must take responsibility for complying with all the above and be able to demonstrate that compliance. | Keep records of processing activities (ROPA). Conduct DPIAs for high-risk processing. |
The Data Protection Act 2018 (DPA 2018) and UK GDPR are often referenced together, but they serve different functions within the UK’s data protection framework. While closely linked, each has a distinct legal role.
In practice, UK GDPR sets out the primary compliance requirements for organisations, while the DPA 2018 provides the supporting legal structure and UK-specific provisions. Both should be read together to ensure full compliance.
The purpose of data protection law is to protect the fundamental rights and freedoms of individuals in relation to the processing of their personal data. Specifically, it aims to:
From a business perspective, the Act creates a framework that, when followed, builds trust with customers, protects the organisation against breach-related liability, and reduces the risk of regulatory action. The National Cyber Security Centre (NCSC) frames good data protection as inseparable from good cyber security: protecting the confidentiality, integrity, and availability of personal data requires technical controls, not just policy documents.
Under UK GDPR, individuals are granted eight statutory rights governing how their personal data is collected, processed and retained. Organisations are legally required to recognise and respond to these requests, typically within one calendar month.
These rights include:
The right to be informed about how personal data is collected and used
Failure to respond appropriately to these rights can result in regulatory enforcement action, financial penalties and reputational harm. For this reason, organisations should maintain clear internal procedures to manage data subject requests effectively and demonstrate ongoing compliance.
The ICO can impose significant penalties and enforcement action for breaches of UK GDPR and the Data Protection Act 2018, including:
In addition, organisations must report qualifying personal data breaches to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where a breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. Failure to report, or inadequate breach detection and response processes that mean a breach is not noticed in time, is itself a compliance breach.
If an incident occurs, the blog Cyber Security Compliance covers the broader compliance obligations that sit alongside data protection law.
UK GDPR compliance and Data Protection Act compliance are not one-time exercises; they require ongoing processes, documentation, and a culture of data awareness across the organisation. The core practical steps are:
| Action | What It Involves | Priority |
|---|---|---|
| Establish lawful bases for processing | Identify and document the legal basis for every category of personal data processed: consent, legitimate interests, contract, legal obligation, vital interests, or public task | Essential |
| Create and maintain a Record of Processing Activities (ROPA) | A living document listing what data is processed, for what purpose, how long it is retained, and who has access | Essential |
| Publish a clear privacy notice | Explain in plain English what data is collected, why, how it is stored, and how individuals can exercise their rights | Essential |
| Implement a Subject Access Request process | A documented procedure for receiving, verifying the requester's identity, and responding to SARs within one calendar month | Essential |
| Appoint a Data Protection Officer (if required) | Required for public authorities, organisations processing special category data at scale, or those conducting large-scale, regular and systematic monitoring of individuals | Conditional |
| Conduct Data Protection Impact Assessments (DPIAs) | Required before starting any processing likely to result in a high risk to individuals, e.g., introducing CCTV, new tracking technologies, or large-scale profiling | Conditional |
| Establish a data breach response procedure | A clear process for identifying, assessing, containing, and reporting breaches to the ICO within 72 hours of becoming aware of them, where required | Essential |
| Train staff on data protection obligations | Staff who handle personal data must understand their obligations; ignorance is not a defence | Essential |
| Apply appropriate technical security measures | Encryption, access controls, multi-factor authentication, and regular security testing to protect personal data | Essential |
| Review and update contracts with data processors | Any third party processing data on behalf of the business must have a Data Processing Agreement in place covering the mandatory terms | Essential |
Staff training is one of the most consistently overlooked compliance requirements. The ICO's investigation findings regularly cite human error, phishing clicks, misdirected emails, and weak passwords as the cause of data breaches. Security awareness training that covers data protection obligations alongside practical cyber security skills directly reduces this risk.
On the technical security side, principle six (integrity and confidentiality) and Article 32 of the UK GDPR require technical and organisational measures that are appropriate to the risk, taking into account the state of the art, the cost of implementation, and the nature and scope of the processing. For businesses processing personal data at any scale, this means going beyond a basic antivirus solution. Managed cyber security services covering monitoring, endpoint protection, email security, and vulnerability management provide the layered technical controls the ICO expects to see evidenced in the event of an investigation.
Yes. The Data Protection Act 2018 and UK GDPR apply to any organisation, regardless of size, that processes personal data. There are very limited exemptions for small organisations, primarily around record-keeping: organisations with fewer than 250 employees are exempt from the full ROPA requirement unless the processing is likely to result in a risk to individuals, is not occasional, or involves special category or criminal offence data. The core principles, individual rights, and security requirements apply in full. The ICO offers specific guidance for small organisations on how to approach compliance proportionately.
The ICO can issue fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious breaches of the core principles. Less serious infringements, such as failing to maintain records, can attract fines of up to £8.7 million or 2% of global turnover. In addition to financial penalties, the ICO can issue enforcement notices, publish details of the breach, and, in some cases, restrict data processing activities.
The Information Commissioner's Office (ICO) is the UK's independent regulatory body for data protection and information rights. It registers data controllers, provides guidance on compliance, investigates complaints from individuals, conducts audits of organisations, and enforces the Data Protection Act 2018 and UK GDPR. The ICO can investigate any organisation suspected of breaching data protection law, whether prompted by a complaint, a self-reported breach, or its own intelligence.
A Subject Access Request is a formal request by an individual to receive a copy of the personal data an organisation holds about them, along with information about how it is being processed. Under the UK GDPR, organisations must respond to SARs within one calendar month, which can be extended by a further two months where a request is complex or the individual has made several requests. The response must be provided free of charge in most cases. Failing to respond correctly and on time is a breach of data protection law.
Data protection compliance is an ongoing responsibility under UK GDPR and the Data Protection Act 2018. Businesses must maintain records, train staff, review contracts, manage data securely, and respond to evolving risks. ICO enforcement shows that poor security, untrained staff, weak breach response, and excessive data retention often lead to costly action. Renaissance helps businesses stay compliant through managed cyber security services and security awareness training that protect data and strengthen staff understanding of their UK GDPR obligations.