Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a business in the UK, you’ve probably heard about the importance of data protection - especially with all the changes brought in by the DPA 2018 and the UK’s approach to GDPR. But figuring out what practical steps you actually need to take (and what counts as compliant) is where many business owners start to feel overwhelmed.
Don’t worry - you’re not alone. With some clear guidance and a focus on the basics, you can set up your business to handle personal data lawfully, reassure your customers, and steer clear of regulatory headaches.
In this guide, we’ll walk you through everything you need to know about the DPA 2018 as a UK business owner, how it relates to UK GDPR, and exactly what you should do to stay compliant - right from day one.
What Is the Data Protection Act 2018 (DPA 2018)?
The Data Protection Act 2018 (often called “DPA 2018”) is the main law governing how personal data is handled, stored, and processed in the UK. It was brought in to update older privacy laws and to work alongside the General Data Protection Regulation (GDPR), which originally applied to the UK as an EU member.
Since Brexit, the UK has kept a version of GDPR known as the UK GDPR, and the DPA 2018 acts alongside it. Together, these laws set out what you must do whenever your business deals with people's personal information - whether that’s your customers, staff, suppliers, or anyone else.
Essentially, the DPA 2018:
- Implements and supplements GDPR requirements for UK businesses
- Details extra rules for areas like law enforcement, research, children’s data, and more
- Sets out the powers and duties of the Information Commissioner’s Office (ICO)
- Establishes penalties for non-compliance - which can be severe
If you collect, store, or use any info that can identify someone (“personal data”), the DPA 2018 and UK GDPR almost certainly apply to your operations.
Who Does the DPA 2018 Apply To?
The short answer? Almost every UK business or organisation.
You must comply with the DPA 2018 (and UK GDPR) if you:
- Collect information about individuals (like names, email addresses, phone numbers, payment details, or anything else that can identify a living person)
- Operate as a sole trader, partnership, limited company, or any other type of organisation
- Process data either as a “data controller” (making decisions about why and how data is used) or as a “data processor” (working on data on someone else’s behalf)
Whether you run an online shop, a consultancy, or a trade business, if you’re handling personal data - even just for employee payroll - you have obligations under the DPA 2018.
If you’re unsure about your business’s specific status or responsibilities (for example, you use overseas contractors or software tools that process data), have a look at our guide to data controller vs processor definitions and don’t hesitate to get advice.
How Does the DPA 2018 Relate to UK GDPR?
If you’re confused by two seemingly similar regulations, you’re not alone! Here’s how it breaks down:
- UK GDPR is the main framework for how personal data must be processed, granting rights to individuals and imposing duties on businesses
- DPA 2018 acts as the local “rulebook” that fills in gaps, tailors GDPR to the UK context, and adds extra protections in certain areas
In plain English: UK GDPR sets the high-level rules, and the Data Protection Act 2018 details how they apply in the UK, including exemptions, enforcement, and extra requirements in special cases (such as for criminal records, health data, or children).
For most businesses, following the principles and requirements of UK GDPR will mean you’re also ticking the right boxes under the DPA 2018 - but you should always check both, especially if your data practices are non-standard.
For a more practical compliance breakdown, see our guide: Data Protection Act 2018 - An Essential Business Guide.
What Are the Main Duties Under DPA 2018?
Let’s get to the part that matters for businesses: what do you actually have to do to follow the DPA 2018?
1. Follow the Seven Key Principles of Data Protection
You must handle personal data according to these fundamental rules:
- Lawfulness, fairness, and transparency - Only collect and use data for legitimate, fair reasons, and always be clear with people about what you’ll do with their info.
- Purpose limitation - Don’t use data for purposes that aren’t compatible with why you collected it.
- Data minimisation - Only collect what you genuinely need.
- Accuracy - Keep info up-to-date and correct mistakes quickly.
- Storage limitation - Don’t hold onto personal data for longer than necessary.
- Integrity and confidentiality (security) - Keep data safe, secure, and protected from unauthorised access or breaches.
- Accountability - Be able to show the ICO (or anyone else) that you’ve put the right processes in place to meet all these principles.
If you want a deeper dive, check out our guide to the seven GDPR principles and how to apply them.
2. Honour People’s Rights Over Their Data
The DPA 2018 and GDPR grant individuals several powerful rights, including:
- The right to know what personal data you hold about them
- The right to access and receive a copy of their data (often via a Subject Access Request)
- The right to have incorrect data corrected or incomplete data completed
- The right to have data deleted in certain circumstances (the “right to be forgotten”)
- The right to restrict or object to processing in some cases
- The right to data portability (where relevant)
You must have processes in place to respond to requests in a timely, compliant way. If you need help with handling access requests, our guide to responding to subject access requests covers the key steps.
3. Register with the ICO (If Required)
Most businesses that process personal data must register with the Information Commissioner’s Office (ICO) and pay a small annual data protection fee. Not registering when you should is a common compliance pitfall and can lead to unexpected fines.
For more on how to register, check out our article: ICO Registration - What UK Businesses Need to Know.
4. Have the Right Documents and Policies
Being compliant means documenting what you do and explaining it to the people whose data you process. You’ll need:
- A clear, easily accessible Privacy Policy (sometimes called a notice) that tells people what info you collect, how you use it, and their rights
- Internal procedures for data security, retention, and how you handle requests and breaches
- Appropriate data processing or sharing agreements with any suppliers, freelancers, or partners who handle personal data for you
- A data breach response plan outlining what you’ll do if something goes wrong
Templates won’t always cover your specific needs - properly drafted and tailored documents are your best protection if something goes wrong.
5. Report Data Breaches Quickly
If personal data is lost, stolen, or accessed unlawfully, you may need to report the breach to the ICO within 72 hours, and sometimes inform affected individuals. Not all breaches require notification, but many do, and delays can turn minor problems into major legal trouble.
Read more in our segment on how to report data breaches and handle the 72-hour notification rule.
What Kinds of Data Are Covered by the DPA 2018?
The DPA 2018 applies to any information that relates to an identifiable living person ("personal data"). This could include:
- Full names and contact details (email, phone, address)
- Financial information and payment data
- Staff records (such as HR files or payroll)
- Customer lists or marketing data
- IP addresses, cookies, or usage stats (if tied to an individual)
- Special categories: racial/ethnic origin, health, biometrics, sexual orientation, or criminal records (“special category data” needs extra security and care)
If your business deals with children’s data, health records, or sensitive information, there are additional rules and safeguards - it’s especially important to get tailored advice here.
What Happens if My Business Doesn’t Comply?
It’s crucial to understand the risks of ignoring your obligations under the DPA 2018:
- The ICO can investigate complaints and audit your business
- Non-compliance can lead to hefty fines (potentially millions of pounds for serious breaches, though most small businesses face lower penalties)
- Negative publicity and lost customer trust
- Legal claims from affected individuals
Most issues come from not having proper systems in place or being reactive instead of proactive. That’s why it’s so important to get your legal foundations right before there’s a problem.
How Can I Make My Business Compliant With DPA 2018?
The good news is - most of what you need to do is straightforward, once you know what’s required. Here’s a basic checklist for UK small businesses:
- Map the personal data you hold (what, why, where it is, and how you secure it)
- Limit data collection to what you truly need, and keep everything accurate
- Draft and display a compliant Privacy Policy and ensure team members understand their responsibilities
- Register with the ICO and pay the data protection fee, unless you qualify for a clear exemption
- Put contracts in place with anyone else who processes data for you - staff, contractors, or software suppliers
- Have a process for responding to subject access and deletion requests
- Plan for data security and know what to do if a breach occurs
If you aren’t sure where to begin or feel like your processes haven’t kept pace with changing laws, it’s wise to have a data protection/GDPR audit and update everything as needed. Remember, compliance isn’t a one-off - it’s an ongoing responsibility as your business grows.
Do I Need Any Special Documents or Help?
Templates and generic forms can sometimes create more risk than they solve, and regulators are increasingly looking for evidence that your processes are fit for your business, not just "copied and pasted."
You may need:
- Privacy Policy - Clearly explaining to customers and staff how data is used (order a GDPR-compliant privacy policy)
- Data Processing Agreements - For anyone outside your business (like SaaS providers or freelancers) handling data on your behalf
- Internal Policies and Staff Training Materials - To show you’re ensuring compliance within your organisation
- Records of Processing Activities - Evidence of what you collect, why, and how it’s used/kept secure
Having your documents reviewed or drafted by a legal expert can prevent you from falling short if the ICO, a client, or a major supplier asks you to prove your compliance.
Where To Get More Guidance
The world of data protection can feel intimidating - but starting with the basics of DPA 2018 and building good habits is a huge step towards keeping your business safe and trusted.
If you want further information, explore our related guides:
- Essential Guide To Data Protection And Security Compliance Under UK GDPR
- Building A Strong Privacy Culture
- DPIAs Made Simple
And remember: if you aren’t sure if your business is compliant or need help drafting any of the documents mentioned, we’re here to help.
Key Takeaways
- The DPA 2018 is the main UK law for handling personal data, and it works together with the UK GDPR
- Most UK small businesses must comply if they collect, store or process personal information
- Key duties include being fair and transparent, only collecting necessary data, keeping it secure, and respecting people’s rights
- You’ll probably need to register with the ICO and pay a small data protection fee
- Having proper, professionally drafted documents and robust internal processes is essential for compliance
- Non-compliance can lead to serious fines and reputational damage, but the right steps and advice will keep you protected from day one
- Getting tailored legal help is the best way to make sure your business meets all requirements and minimises your risks
If you have questions about the DPA 2018 or how data protection law affects your business, you can reach our friendly legal team at team@sprintlaw.co.uk or call 08081347754 for a free, no-obligations chat. We’re here to help you get protected and stay compliant - right from the start.