The Business Guide to UK Privacy Laws: The DPA & the UK GDPR

Batja Huisman
Batja Huisman
Aug 2, 2022
min read
The Business Guide to UK Privacy Laws: The DPA & the UK GDPR

Left unsure about the relevant privacy laws following Brexit? Read on to learn more about the UK's Data Protection Act 2018 (DPA), and the United Kingdom’s General Data Protection Regulation (UK GDPR).


The DPA (Data Protection Act) is the primary data protection legislation in the United Kingdom. It establishes a legal framework for all organizations to adhere to for users’ data protections.

The Data Protection Act (DPA) came into force on May 25, 2018, to replace the DPA 1998. It represents a significant shift in the British approach to data protection laws, introducing far-reaching changes to how businesses, organizations, and the government use people's personal information.

Key Principles of the DPA

The DPA has a set of principles that protect personal data from misuse. They are:

Lawfulness, fairness, and transparency

Data must be collected and processed in accordance with the applicable privacy laws. The law requires businesses to be fully transparent when seeking consumers’ consent. They must be clear about what data is collected and why.

Purpose limitation

Data collected must be processed only for the purposes it was collected.

Data minimization

The DPA requires controllers to collect only the minimum data required.


One of data controllers’ duties is to confirm the accuracy of all data they process and its completeness and correctness. If any of the data has inaccuracies or a user notices a mistake, the controller is obligated to rectify it.

Storage limitation

Data controllers must only save users’ personal data as long as needed. It is best to keep track of a given category of data and delete it after the necessary amount of time (read more about retention policies here.)

Security (integrity and confidentiality)

Businesses must implement the needed security measures to safeguard data from unauthorized access.


This principle requires businesses to take responsibility for how they use consumer data and ensure they abide by all DPA measures.

What the DPA means for businesses

Data controllers must;

  • Know their purpose for processing data.
  • Understand the legal basis for processing data.
  • Get explicit consent of data users to collect data from them.
  • Keep comprehensive records of consent.
  • Process only required data for the purpose it was collected.
  • Not keep users’ data any longer than needed.
  • Ensure that they have a privacy and cookie policy in place.
  • Ensure they do not violate any laws when they transfer personal information internationally. Businesses should make sure they always send customer data to countries that provide sufficient data protection.
  • Respond quickly to consumers’ rights as they are obliged to respond to data users’ requests concerning their data.


The DPA is not the only user data protection law in the United Kingdom. Businesses must also comply with the UK GDPR.

The UK General Data Protection Regulation is a UK privacy law that emphasizes data protection and privacy. It's a vital component of the UK's modern data protection legislation. The new United Kingdom’s General Data Protection Regulation was enforced on January 31, 2020.

There are many similarities between the new GDPR proposed for the UK and the GDPR currently in place in the EU. It requires data controllers to obtain consent from data subjects before processing their personal information, safely store and document the consent, and enables users to delete or correct already collected personal data.

Ensuring your website's compliance with UK GDPR requires that users explicitly consent to the processing of their personal data, just like in the EU GDPR.

Brexit and the UK GDPR

When the UK officially parted from the EU on December 31, 2020, the EU GDPR ceased to apply to the processing of the United Kingdom’s citizen’s personal data.

The UK GDPR, an updated version of EU GDPR aimed at the UK, has been implemented to ensure data protection laws are being enforced and adopted in the country. 

The UK stopped being regulated by the EU's GDPR, which was introduced to protect individuals' personal data in the European Union. Nonetheless, for UK-based entities that process the personal data of European Union residents, the EU GDPR still applies.

Who is subject to the DPA and the UK GDPR?

UK’s DPA applies to all commercial and professional businesses that process consumers’ personal data in the United Kingdom. 

All data processors and data controllers based in the UK are subject to the UK GDPR. The law also applies to establishments outside the United Kingdom that offer goods and services to UK citizens.

What businesses should know about consumer rights

The Data Protection Act and the General Data Protection Regulation come with a lot of consumer rights for citizens that shouldn't be overlooked by businesses. Consumers have certain rights with regard to how their data is handled. They include:

The right to be informed

Businesses need to notify individuals if they wish to collect or process their personal data. The right to be informed means that companies must inform individuals about the data they are collecting and how they will use it. 

The right to access personal data

These laws are designed to give consumers better control over their personal data. People have the right to access and receive a copy of their data and also the right to obtain supplementary information such as the retention period or purpose of processing.

The right to have incorrect personal data sorted out

Consumers have the right to correct their inaccurate data, and if their data is incomplete, they can also have it completed.

The right to erasure

The right to erasure, also known as the right to be forgotten, gives users the right to have their personal data deleted.

The right to restrict processing

People can request to have their data restricted or suppressed. Businesses can only store restricted data but cannot use it.

The right to data portability

This allows data users to obtain, copy, move, or transfer their data from one entity to another without impacting usability.

The right to object to processing

Data subjects have the right to object to the processing of their data in certain situations. For instance, they can stop their personal data from being used for a direct marketing campaign.

The rights with respect to automated decision-making and profiling

Users now have the right not to be subjected to decisions based on automated processing such as profiling.

How the DPA and UK GDPR affect businesses

The GDPR and DPA 2018 are already affecting businesses that deal with the personal data of UK citizens, including companies outside the UK. All organizations are expected to be compliant with the data privacy laws. Failure to comply with the regulations will result in a fine of up to 4% or £17.5 million of an organization’s annual global turnover.

Stay compliant with the DPA and the UK GDPR 

You don’t need to reinvent the wheel to meet regulation requirements. With established data privacy platforms like Mine PrivacyOps, you can easily set up an automated privacy program that handles daily privacy operations while reducing manual and repetitive work on the part of engineering and legal teams.