Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is the United Kingdom Data Protection Act 2018?
- Who Needs To Comply With the Data Protection Act?
- What Counts as ‘Personal Data’ Under the Act?
- Why Does the United Kingdom Data Protection Act Matter for Businesses?
- What Are the Main Obligations Under the Data Protection Act?
- How Do I Comply With the United Kingdom Data Protection Act?
- What Legal Documents Do I Need for Data Protection?
- Are There International Data Transfer Rules?
- Tips for Staying Compliant as Your Business Grows
- Key Takeaways
Data is at the heart of every modern business. Whether you're running a local café or launching a new app, you'll likely handle customer, supplier, or staff data at some point. And in the UK, that means you need to be up to speed with the United Kingdom Data Protection Act 2018 (DPA 2018).
If data compliance feels like an intimidating legal task, don’t stress - with the right approach and some clear guidelines, you can ensure your business is protected from day one. In this guide, we’ll break down exactly what the United Kingdom Data Protection Act means for your business, what steps you need to follow, and how to future-proof your data practices.
Ready to get compliant and build customer trust? Let’s dive in.
What Is the United Kingdom Data Protection Act 2018?
The United Kingdom Data Protection Act 2018 is the cornerstone of UK privacy law. It works alongside the UK General Data Protection Regulation (UK GDPR), setting out rules for how businesses should collect, use, store, and share personal data.
Basically, the Act requires you to keep people’s information safe, use it fairly, and be transparent about how you manage data. Breaching the United Kingdom Data Protection Act can lead to warnings, fines, and damage to your brand reputation - so it’s crucial to understand your obligations.
Who Needs To Comply With the Data Protection Act?
If you’re a UK business or organisation handling personal data (information that can identify an individual), the DPA 2018 almost certainly applies to you. This includes:
- Online retailers collecting customer addresses
- Cafés and restaurants with staff payroll records
- Health and wellness businesses storing client details
- App developers or online platforms with user profiles
- Any business keeping email lists for marketing
The short answer: if your business collects, stores, or processes any personal information from customers, suppliers, or staff, you are expected to comply.
It’s also important to work out whether you’re a data controller (you decide why and how personal data is processed) or a data processor (you process it only on a controller’s instructions). Each role has its own legal responsibilities, which affect your compliance steps and contracts with third parties.
What Counts as ‘Personal Data’ Under the Act?
Personal data is any information that relates to an identified or identifiable living person. Under the United Kingdom Data Protection Act, this includes obvious details (name, address, phone number) as well as:
- Email addresses (even work email addresses in some cases)
- Online identifiers (IP addresses, cookies)
- Photos and video footage
- Location data
- Financial information
- ‘Special category data’ like health records, biometric data, or information on race, religion, or sexuality
Handling special category data involves higher compliance standards, so it’s crucial to understand the risks before collecting this type of information.
For more on special category data, see our guide on handling special category data under GDPR.
Why Does the United Kingdom Data Protection Act Matter for Businesses?
Getting data protection wrong can have serious consequences for small businesses. Penalties for breaches under the DPA 2018 - and the UK GDPR - can reach up to £17.5 million or 4% of global annual turnover (whichever is higher), depending on the severity of the infringement.
More commonly, non-compliance leads to:
- Enforcement notices from the Information Commissioner’s Office (ICO)
- Mandatory audits or investigations
- Reputational damage and lost customer trust
- Financial compensation claims by affected individuals
Solid data protection is not just about avoiding fines - it reassures your customers and employees that you treat their information responsibly, helping build long-term loyalty and trust.
To learn more about the ICO’s powers and your reporting obligations, see our in-depth guide on the ICO and data protection enforcement.
What Are the Main Obligations Under the Data Protection Act?
The United Kingdom Data Protection Act is built around key principles. Every business must:
- Process data lawfully, fairly, and transparently
- Collect data for specified, explicit, and legitimate purposes, and not reuse it for unrelated ones
- Keep personal data accurate and up to date
- Collect and keep only the data you actually need (data minimisation)
- Retain data for no longer than necessary
- Protect data with appropriate security measures (integrity and confidentiality)
- Be able to demonstrate how you comply with these principles (accountability)
- Uphold individuals’ rights (including access, correction, and erasure)
These principles are at the core of both the DPA 2018 and UK GDPR. Ignoring them puts your business at risk of non-compliance.
For a breakdown of the seven key GDPR principles and how to apply them, check out our easy application guide.
How Do I Comply With the United Kingdom Data Protection Act?
It can feel overwhelming, but complying with the DPA 2018 isn’t just a legal exercise - it’s a best practice for any business that wants to grow responsibly. Here are the steps you should follow:
1. Audit Your Data
Start by mapping out what personal data you collect and why. Ask yourself:
- What data do I capture from customers, staff, and suppliers?
- Where is this information stored?
- Who has access to it?
- How long is it kept?
Keeping clear records is essential - the UK GDPR calls this a record of processing activities, and it’s the first thing the ICO will ask to see if there’s ever a complaint or breach.
2. Establish a Lawful Basis for Processing
You must have a lawful reason for every use of personal data. Common lawful bases include:
- Consent (individuals give clear permission)
- Contract (data is necessary to fulfil a contract)
- Legal obligation (processing required by law, e.g. payroll records)
- Legitimate interests (processing that’s necessary for your business’s legitimate interests, as long as those interests aren’t overridden by the individual’s rights and freedoms)
If you rely on consent, make sure it’s freely given, informed, and easy to withdraw. For more on getting and recording consent properly, see our guide on GDPR consent forms.
3. Update Your Privacy Notices and Policies
Under the DPA 2018, you must clearly tell people:
- What data you collect and why
- How it will be used, stored, and shared
- How long you will keep their data
- What rights they have (like accessing or deleting their data)
- How to contact you or complain about misuse
A solid Privacy Policy is non-negotiable if you want to comply, attract customers, and avoid trouble. Avoid copy-pasting templates online - tailoring your policy to your business is essential.
4. Put Strong Security Measures in Place
The law expects you to protect data from loss, theft, or unauthorised access, using measures that are appropriate to the risk. This means:
- Protecting accounts with strong passwords (and multi-factor authentication where available) and encrypting data at rest and in transit
- Restricting access to staff on a need-to-know basis
- Regularly reviewing who has access and your security settings, and keeping software up to date
- Training your team on how to handle data securely
Remote working and cloud storage introduce new risks, so be sure to review your protocols regularly and adapt as technology evolves. For practical tips, see our guide on building a cybersecurity policy.
5. Be Prepared for Data Breaches
Even with best efforts, breaches happen. The DPA 2018 and UK GDPR require you to:
- Have a plan for identifying and responding to breaches
- Notify the ICO without undue delay, and within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to people’s rights and freedoms
- Inform affected individuals without undue delay when the breach is likely to result in a high risk to them
- Keep records of all breaches, including ones you decide not to report to the ICO (and ‘near misses’)
You don’t want to be caught off-guard - have a clear data breach response plan and rehearse what to do if something goes wrong. Learn more about reporting and handling breaches in this ICO compliance guide.
6. Respond To Data Subject Rights
People can request access to their data, ask for corrections, object to processing, or request deletion (the “right to be forgotten”). You must respond without undue delay and within one month of receiving the request (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month).
- Have a process to recognise and track data subject access requests (DSARs)
- Know when you can (and must) refuse or limit requests (e.g. legal obligations may prevent deletion)
Not sure where to start? Check our practical guide on handling subject access requests.
7. Register With the ICO If Needed
Many UK businesses must register with the Information Commissioner’s Office (ICO) and pay a small annual fee, unless they qualify for an exemption.
Failure to register can result in fines. For more about fees, exemptions, and how to register, see our explainers on ICO fee exemptions and ICO registration requirements.
What Legal Documents Do I Need for Data Protection?
Depending on your business, you may need some or all of the following:
- Privacy Policy: Sets out how you use, store, and share personal data.
- Cookie Policy: Required if your website uses cookies for tracking or analytics.
- Data Processing Agreements: Contracts with suppliers or partners who process data on your behalf.
- Internal Data Protection Policy: Guidance for your staff on how to handle data correctly.
- Employee Privacy Notices: Written explanation to staff of how their data is handled.
- Data Breach Response Plan: Checklist for what to do in case of a data incident.
Having these documents professionally drafted and kept up to date is one of the strongest steps you can take to protect your business - and your peace of mind. Read more about essential GDPR/DPA documents here.
Are There International Data Transfer Rules?
If you transfer personal data outside the UK (for example, by using cloud services with overseas servers or working with international suppliers), there are extra compliance steps under the United Kingdom Data Protection Act.
You’ll need to ensure the data stays protected once it leaves the UK. Some destinations (including EU and EEA countries) are covered by UK adequacy regulations, so data can flow freely; for others you need appropriate safeguards, which usually means signing the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses with your overseas provider, backed by a transfer risk assessment. Breaching transfer rules can lead to severe penalties.
Tips for Staying Compliant as Your Business Grows
Data protection isn’t a one-time job. As your business evolves, make compliance part of your daily processes:
- Review your data audit and policies at least annually
- Update privacy notices when you change data practices
- Train staff regularly on new data protection risks
- Keep up with ICO guidance and industry best practices
- Don’t ignore complaints - handle them promptly and professionally
If data protection still feels daunting, consider a quick check-up from a legal expert - it’s a smart investment that keeps your business future-ready.
Key Takeaways
- The United Kingdom Data Protection Act 2018 sets strict rules for how businesses must handle personal data.
- If you collect any personal information from individuals in the UK, the Act applies to your business.
- You must follow core data protection principles like fairness, transparency, security, and respecting individual rights.
- Policies such as Privacy Policies and Data Processing Agreements are crucial for compliance.
- Be ready to respond to requests for access, correction, or deletion of personal data from customers or staff.
- Most businesses need to register with the ICO and pay an annual fee.
- Ongoing compliance is essential - review and update your processes regularly and seek professional help where needed.
If you’d like tailored legal advice about the United Kingdom Data Protection Act or need help with your privacy compliance, reach out to our friendly team at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat. We’re here to help you protect your business and your customers, every step of the way.