Data Protection Act 2018

Of relevance to: All regulated firms
Key dates: Royal Assent 23 May 2018

The Data Protection Act 2018 replaces the Data Protection Act 1998 and provides a comprehensive legal framework for data protection in the UK, supplemented by the General Data Protection Regulation (“GDPR”) until the UK leaves the European Union (“EU”).

The four main matters provided for in the Bill are:

  • general data processing,
  • law enforcement data processing,
  • data processing for national security purposes including processing by the intelligence services, and
  • regulatory oversight and enforcement.

While the UK remains a member of the EU, all the rights and obligations of EU membership remain in force. When the UK leaves the EU, GDPR will be incorporated into the UK’s domestic law under powers in the European Union (Withdrawal) Bill, currently before Parliament.

Don’t forget: Whilst GDPR removes the requirement for data controllers to register with the Information Commissioner’s Office (“ICO”), new UK regulations require all data controllers to provide certain information and pay an annual fee to the ICO to ensure its continued funding.