
How to use the Data Protection Act 2018 alongside the GDPR

In all the hyperbole surrounding the General Data Protection Regulation (GDPR) it may have been easy to miss the UK passing its own updated data protection legislation – the Data Protection Act 2018 (the Act). This came into force at the same time as GDPR on 25th May and replaces the Data Protection Act 1998.

The GDPR allowed individual EU states some flexibility to add their own detail in relation to specific areas. The Act fills in some of those gaps as well as bringing the GDPR into UK law. It is important to note that GDPR applies in the UK unless the government chooses to get rid of this legislation after it exits the EU.

Here are some of the most important points, outlined in the Act:


Processing special categories of personal data

One of the major gaps in the GDPR was the full list of reasons (conditions) for processing “sensitive” data.

Schedule 1 of the Act provides the long list of conditions that organisations can use to justify their use of special categories of personal data.

Details of the appropriate conditions should be recorded when creating or updating your Record of Processing Activities (ROPA), and in your privacy information.


Seeking children's consent

GDPR states children can give consent for online services to use their personal data from the age of 16 years in section 9(a). The Act lowers this to 13 years old in the UK.   


Exemptions to data subject rights

Section 15 provides information about the exemptions that may apply to data subject rights in specific scenarios.


Considerations for penalty notices

Fines of €20m (or 4% of global turnover) can be issued for breaching GDPR legislation.

Section 155(3) of the Act sets out the issues that the ICO will take into consideration when issuing a Penalty Notice.


Claims for compensation

People can make claims for compensation if their rights to data protection are broken.

Sections 168 and 169 of the Act refer to any 'distress' caused by a breach as being within scope of such claims. This follows recent case law on the issue (Vidal-Hall v Google), where compensation was given to a claimant for distress.


Introducing new offences

Unlawfully obtaining data without permission is still an offence, as outlined in the 1998 Act.

Sections 171 and 173 of the Act outline new offences in relation to data: where an individual 'knowingly or recklessly re-identifies information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data', or 'altering, defacing, blocking, erasing, destroying or concealing information with the intention of preventing disclosure of information that a person would have been entitled to receive'.


Taking group actions

Section 187 of the Act means data subjects can now bring a 'group action' when making a complaint and when making a claim for compensation. This is a new development, and was not possible before.

Further information

Gary Shipsey, Managing Director of Protecture, is approaching 13 years of practical experience turning information law into practice. Gary is co-author of the Fundraising Regulator’s Guidance Personal Information and Fundraising: Consent, Purpose and Transparency and regularly speaks and advises on all things GDPR, data protection and privacy related.


Page last edited Oct 14, 2019