Are you collecting customer emails, employee records, website cookies, payment details, or support tickets without being fully sure what the law expects from you? That is where many businesses get nervous. The Data Protection Act 2018 sets the key rules for how UK organisations handle personal data, and many still worry about compliance. The answer is not panic. The answer is training, clear systems, and practical action. Our GDPR Data Protection Level 5 course helps you understand the UK’s main data protection rules, how to handle personal data, what to do after a breach, how to manage marketing emails, and what changed in 2025.
Demand is growing fast. UK government GOV.UK statistics show that 43% of businesses and 30% of charities experienced a cyber security breach or attack in the previous 12 months. This means data protection is no longer a “big company only” issue. It is now a core business skill for owners, managers, HR teams, marketers, and compliance staff.
In this guide, you will learn what The Data Protection Act 2018 means, who must comply, what personal data includes, how UK GDPR fits in, how to handle subject access requests, and what changed under the Data Use and Access Act 2025. You will also get checklists you can apply straight away.
Want to protect your business and build a recognised compliance skill? Start learning with our GDPR Data Protection Level 5 course today and learn how to handle personal data with confidence.
This Data Protection Act 2018 Guide explains…
- Data Protection Act 2018 basics: What the Data Protection Act 2018 is, whether it is still in force, and who must comply with it.
- Key law comparisons: DPA 2018 vs UK GDPR, plus DPA 2018 vs UK GDPR vs PECR vs DUAA 2025.
- Personal Data Protection Act 2018 rules: What counts as personal data, special category data, criminal offence data, and the difference between controller vs processor.
- Core compliance principles: The 7 data protection principles explained with real examples, plus lawful bases for processing personal data.
- Individual rights and requests: Individual rights under the DPA 2018 and UK GDPR, including how to respond to a Subject Access Request step by step.
- Policies, marketing and breach response: Privacy notices, cookie policies, data processing agreements, email marketing rules, data breach response and ICO enforcement.
- 2026 business compliance tools: Data Use and Access Act 2025 changes, business-type checklists for SaaS, ecommerce, HR, healthcare and agencies, common DPA 2018 mistakes, final compliance checklist, and downloadable compliance checklist or template.
What Is the Data Protection Act 2018?
Have you ever wondered what happens to your personal information after you share it with a company? Maybe you enter your name on a website, give your email to download a guide, or share your address when shopping online. Businesses should not use that information carelessly. This is where The Data Protection Act 2018 becomes important.
The Data Protection Act 2018 is a UK law that protects people’s personal information. It tells organisations how they should collect, use, store, and share data. This includes businesses, schools, charities, hospitals, government bodies, ecommerce stores, and many other organisations.
In simple words, the Act makes sure that organisations must handle your personal data fairly and safely. It protects information such as names, email addresses, phone numbers, home addresses, payment details, employee records, customer files, health records, and online identifiers.
The law also gives people more control over their data. For example, you have the right to know how organisations use your information. You can ask an organisation what data it holds about you. You can also ask them to correct wrong information or delete data in some situations.
The Data Protection Act 2018 works together with the UK GDPR. The UK GDPR gives the main data protection rules, while the DPA 2018 adds UK-specific details.
So, this law is not only about avoiding fines. It is about trust. When an organisation protects personal data properly, people feel safer, respected, and more confident sharing their information.
Is the Data Protection Act 2018 Still in Force?
Yes, the Data Protection Act 2018 is still in force. It still applies in the UK and remains an important part of data protection law.
Many people feel confused about this. Some think the GDPR replaced the Data Protection Act 2018. Others think Brexit removed GDPR rules completely from the UK. But that is not true. The UK still has strong data protection laws. Today, organisations must follow the UK GDPR and the Data Protection Act 2018 together.
The UK GDPR gives the main rules for handling personal data. It explains how organisations should collect, use, store, and protect personal information. The Data Protection Act 2018 supports these rules and adds UK-specific details. So, both laws work side by side.
This means businesses, charities, public bodies, schools, healthcare providers, ecommerce stores, and other organisations still have clear duties. They must use personal data lawfully, fairly, and safely. They must also be open with people about how their information is being used.
The Act also gives individuals important rights. For example, people can ask what personal data an organisation holds about them. They can ask an organisation to correct wrong information. In some cases, they can ask an organisation to delete or restrict their data.
The Data Protection Act 2018 also gives power to the Information Commissioner’s Office, known as the ICO. The ICO can investigate organisations, give guidance, and take action when an organisation breaks data protection rules.
The Data Protection Act 2018 is still active, still important, and still something every UK organisation must understand.
DPA 2018 vs UK GDPR: Key Differences
The UK GDPR and the Data Protection Act 2018 are closely connected, but they are not the same. A simple way to understand them is this: the UK GDPR gives the main data protection rules, while the DPA 2018 adds UK-specific details.
The UK GDPR explains how organisations should collect, use, store, and protect personal data. It covers the data protection principles, lawful bases, individual rights, controller duties, processor duties, and data breach rules.
The Data Protection Act 2018 supports the UK GDPR. It explains how data protection works in the UK in more specific areas. This includes exemptions, law enforcement processing, intelligence services, special category data, criminal offence data, and the powers of the Information Commissioner’s Office.
So, businesses should not ask, “Should I follow the DPA 2018 or UK GDPR?” In most cases, the answer is both.
| Area | UK GDPR | Data Protection Act 2018 |
|---|---|---|
| Main role | Sets the main rules for personal data processing | Adds UK-specific rules and details |
| Focus | Personal data use, rights, principles, lawful bases | UK exemptions, enforcement, special cases |
| Applies to | Most organisations processing personal data | UK organisations and UK data protection matters |
| Individual rights | Explains people’s data rights | Supports and applies those rights in the UK |
| Regulator | Links to data protection enforcement | Gives powers to the ICO |
| Business duty | Follow core data protection rules | Follow UK-specific data protection requirements |
DPA 2018 vs UK GDPR vs PECR vs DUAA 2025
The DPA 2018, UK GDPR, PECR, and DUAA 2025 are all part of the UK data protection and privacy landscape. They often work together, but each one has a different role.
The Data Protection Act 2018 is the UK’s main data protection law. It supports the UK GDPR and adds UK-specific rules. The UK GDPR sets the main rules for how organisations should process personal data. It covers things like lawful bases, individual rights, data protection principles, security, and breach reporting.
PECR is different. It focuses more on electronic communications. This includes cookies, email marketing, text messages, marketing calls, and similar digital activities. So, if a business sends newsletters or uses cookies on its website, PECR is very important.
The Data Use and Access Act 2025, also called DUAA 2025, brings newer updates to UK data and privacy law. It includes changes linked to subject access requests, automated decision-making, cookies, complaints, PECR, and ICO reforms.
| Law | Main Purpose |
|---|---|
| DPA 2018 | Provides the UK data protection framework and supports UK GDPR |
| UK GDPR | Sets the main rules for personal data processing |
| PECR | Covers cookies, email marketing, texts, calls, and electronic communications |
| DUAA 2025 | Updates parts of UK data and privacy law, including cookies, SARs, complaints, and automated decision-making |
In short, businesses should not look at these laws separately. They should understand how they connect and apply them together.
Who Must Comply With the Data Protection Act 2018?
Any organisation that collects, uses, stores, shares, or deletes personal data must take the Data Protection Act 2018 seriously. This law applies when you handle personal information in the UK or process data about people living in the UK.
Personal data can include names, phone numbers, email addresses, home addresses, payment details, employee records, customer files, IP addresses, and even website cookie data. So, compliance is not only for large companies. It also applies to small businesses, online stores, freelancers, charities, and service providers.
If your organisation handles people’s information, you must use it lawfully, fairly, and safely. You must also be clear about why you collect it and how long you keep it.
Data Protection Act 2018 Compliance for UK Businesses
UK businesses must comply with the DPA 2018 when they handle customer, employee, supplier, or website visitor data. This includes shops, service providers, consultants, online businesses, and local companies. For example, if a business stores customer names, phone numbers, delivery addresses, or payment records, it must protect that data properly. It must also explain how the data is used and keep it secure.
DPA 2018 Rules for Charities
Charities also need to follow the DPA 2018. They often collect donor details, volunteer records, supporter emails, and information about people who receive help. This data can be sensitive, so charities must handle it carefully. They should only collect the data they need and tell people clearly how it will be used.
Data Protection Act 2018 Duties for Public Bodies
Public bodies handle large amounts of personal data every day. This includes councils, government departments, schools, police services, and other public organisations. They may process data for public services, records, applications, complaints, or legal duties. Because they often hold important information about people’s lives, they must follow strong data protection rules.
DPA 2018 Compliance for Ecommerce Stores
Ecommerce stores collect personal data when people browse, order, pay, or sign up for offers. This may include names, addresses, payment information, order history, and marketing preferences. Online stores must protect this data from misuse or unauthorised access. They must also follow privacy and marketing rules when sending emails or using cookies.
UK GDPR and DPA 2018 Checklist for SaaS Companies
SaaS companies often process data for other businesses. This can include user accounts, login details, customer records, analytics, support tickets, and business files. Sometimes a SaaS company acts as a processor, and sometimes it may act as a controller. This depends on how much control it has over the data and why it is being used.
Data Protection Compliance for HR Teams
HR teams must comply because they handle employee and job applicant data. This can include CVs, payroll records, contracts, sickness records, performance reviews, and disciplinary files. Some HR data can be sensitive, especially health or absence information. HR teams must keep this data secure, limit access, and only keep it for as long as needed.
Personal Data Protection Rules for Healthcare Providers
Healthcare providers must take extra care because they handle health data. The law classes health data as special category data, which means it needs stronger protection. Clinics, care homes, dentists, therapists, and private healthcare services must use clear privacy rules and secure systems. They should make sure only authorised staff can access patient information.
DPA 2018 and PECR Compliance for Marketing Agencies
Marketing agencies often handle customer lists, email campaigns, audience data, analytics, and advertising pixels. They may process data for clients, or they may decide how campaigns use data themselves. This means they need to understand whether they are acting as a controller or processor. They also need to follow email marketing, cookie, and consent rules.
DPA 2018 Duties for Accountants and Law Firms
Accountants and law firms collect detailed personal and financial information. This may include tax records, bank details, identity documents, contracts, legal files, and client communications. Because this information can be private and sensitive, they must protect it carefully. They also need strong retention policies, secure storage, and clear client privacy notices.
DPA 2018 Rules for Non-UK Companies Serving UK Residents
A company outside the UK may still need to comply with UK data protection rules if it handles data about UK residents. For example, an overseas ecommerce store selling to UK customers may collect names, addresses, payment details, and marketing preferences. A non-UK app or SaaS platform may also process UK user data. If the business targets or monitors people in the UK, it should check its DPA 2018 and UK GDPR duties.
What Counts as Personal Data Under the Data Protection Act 2018?
Personal data is any information that can identify a living person. It can identify someone directly, such as by their name or email address. It can also identify someone indirectly, such as through an IP address, cookie ID, customer number, or location data.
In simple words, if the information can point back to a real person, it may be personal data. This means businesses must handle it carefully. They should collect only what they need, keep it safe, and explain clearly how they use it.
- Name: A person’s name is one of the most common types of personal data. On its own, a name may not always identify someone fully, especially if many people share the same name. But when it is combined with other details, such as an address, email, or workplace, it can clearly identify a person. Businesses should treat names as personal information and protect them properly.
- Email address: An email address is personal data when it can identify a person. For example, an email address that contains someone’s name clearly points to that person. Even a work email can be personal data if it is linked to an individual employee. Businesses must be careful when using email addresses for newsletters, accounts, customer service, or marketing.
- Phone number: A phone number can identify or contact a person, so it counts as personal data. Businesses may collect phone numbers for deliveries, bookings, customer support, or emergency contact purposes. They should not use phone numbers for marketing unless they have a lawful reason to do so. They should also keep phone numbers secure and up to date.
- Home address: A home address is personal data because it shows where a person lives. It can also reveal private details about someone’s life, family, or location. Ecommerce stores, service providers, employers, and healthcare providers often collect addresses. They must make sure this information is not shared or exposed without a valid reason.
- IP address: An IP address can count as personal data because it may be linked to a device or user. Websites often collect IP addresses through analytics, security tools, or server logs. Even if an IP address does not show a person’s name, it may still help identify or track them. That is why businesses should include IP addresses in their privacy and cookie checks.
- Cookie ID: A cookie ID can be personal data when it tracks or recognises a user online. Websites use cookies for logins, analytics, advertising, and user preferences. If a cookie can follow someone’s behaviour across a website or across different websites, it needs careful handling. Businesses should explain cookie use clearly and follow cookie consent rules where required.
- Customer account details: Customer account details are personal data because they are linked to a specific person. This may include usernames, login details, order history, saved addresses, wishlists, and account preferences. These details can show a lot about a person’s activity and choices. Businesses should protect accounts with strong security and limit access to authorised staff only.
- Payment records: Payment records can include card details, invoices, billing addresses, transaction history, and refund records. This information is personal data because it connects financial activity to a person. It can also be sensitive because misuse may lead to fraud or identity theft. Businesses should only keep payment data for as long as needed and use secure payment systems.
- Employee files: Employee files contain personal data about staff members. They may include contracts, CVs, payroll details, performance reviews, sickness records, emergency contacts, and disciplinary notes. Some employee data can be sensitive, especially health or absence information. HR teams must store these files securely and only allow access to people who genuinely need it.
- CRM notes: CRM notes can also be personal data if they relate to a customer, lead, or contact. These notes may include call records, preferences, complaints, buying interests, or personal details shared during a conversation. Even short notes can reveal information about a person. Businesses should train staff to write CRM notes carefully and avoid adding unnecessary or unfair comments.
- Location data: Location data can identify where a person is or where they have been. It may come from mobile apps, delivery tracking, website logins, GPS tools, or workplace systems. This type of data can be very revealing because it may show someone’s habits, movements, or routine. Organisations should only collect location data when they have a clear and lawful reason.
- Support chat history: Support chat history can contain personal data because customers often share names, emails, order numbers, account problems, and private details during conversations. These chats may also include complaints, technical issues, or sensitive information. Businesses should store chat records safely and only keep them for a reasonable period. Staff should also avoid asking for unnecessary information during support conversations.
Special Category Data and Criminal Offence Data Under DPA 2018
Some personal data is more private than other data. The law calls this special category data. This type of data needs extra protection because it can affect a person’s safety, dignity, job, reputation, or personal life if it is misused.
Special category data can reveal very personal details about someone. Because of this, organisations must have a strong reason before collecting or using it. They must also use proper safeguards, such as limited access, secure storage, clear policies, and staff training.
- Health: Health data is one of the most sensitive types of personal data. It can include medical records, sick notes, disability information, mental health details, prescriptions, test results, or appointment records. Employers, clinics, care providers, insurers, and healthcare services may handle this type of data. They must protect it carefully because misuse could cause serious harm or embarrassment.
- Ethnicity: Ethnicity data relates to a person’s racial or ethnic background. Organisations may collect this information for equality monitoring, research, public services, or legal reporting. However, they should only collect it when they have a clear and lawful reason. They must also explain why they need it and how they will protect it.
- Religion: Religious belief data is also special category data. It may show a person’s faith, belief system, or religious community. Employers, schools, charities, or public bodies may sometimes collect this information for reasonable adjustments, diversity monitoring, or service planning. But they must handle it with care and avoid using it in a way that could lead to unfair treatment.
- Political opinions: Political opinion data can show what a person believes, supports, or campaigns for. This may include party membership, political donations, survey answers, or campaign activity. It is sensitive because misuse could lead to discrimination, pressure, or reputational harm. Organisations should only process this data when the law allows it and when proper safeguards are in place.
- Trade union membership: Trade union membership is protected because it can reveal a person’s workplace views and employment interests. Employers may sometimes need this data for payroll deductions, workplace representation, or legal duties. However, they must not use it unfairly against an employee. Access should be limited and the data kept secure.
- Biometric data: Biometric data includes physical or behavioural features used to identify a person. This can include fingerprints, facial recognition data, voice patterns, or iris scans. It is highly sensitive because it is unique to the individual and cannot easily be changed like a password. Organisations using biometric systems must have a strong lawful reason and strong security controls.
- Genetics: Genetic data gives information about a person’s inherited characteristics. It may be used in healthcare, medical testing, research, or family-related services. This data can reveal information not only about one person but also about their relatives. Because of this, it needs very careful handling and clear safeguards.
- Sex life or sexual orientation: Data about a person’s sex life or sexual orientation is deeply private. It may appear in healthcare records, support services, HR records, surveys, or legal cases. Organisations must treat this information with respect and confidentiality. They should never collect it unless there is a clear, lawful, and necessary reason.
- Criminal offence data: Criminal offence data is not classed as special category data, but it still needs extra protection. It can include DBS checks, criminal convictions, allegations, cautions, investigations, or offence-related records. This type of data can seriously affect a person’s job, reputation, and future opportunities. Organisations should only process it when they have a lawful basis, a clear need, and suitable safeguards in place.
Controller vs Processor Under DPA 2018 and UK GDPR: Which One Are You?
A controller and a processor do different jobs under data protection law. The difference depends on control. If you decide why personal data is used and how it is used, you are usually the controller. If you only handle personal data by following another organisation’s instructions, you are usually the processor.
For example, an ecommerce store collects customer names, addresses, payment details, and order history. It decides why this data is needed, such as to process orders, deliver products, and manage customer accounts. So, the ecommerce store is usually the controller.
An email marketing platform may send newsletters for that store. It does not usually decide why the customer list exists. It simply stores the list and sends emails based on the store’s instructions. So, it is usually the processor.
A digital agency can be either. If it only follows the client’s instructions, it may be a processor. But if it decides the campaign strategy, audience targeting, and data use, it may become a controller.
| Area | Controller | Processor |
|---|---|---|
| Main role | Decides why and how data is used | Handles data for the controller |
| Example | Ecommerce store | Email marketing platform |
| Decision-making | Has control over data purposes | Follows instructions |
| Legal duty | Must show lawful, fair, and secure use | Must process data safely and as instructed |
| Contract need | May need processor agreements | Must follow the data processing agreement |
7 Data Protection Act 2018 Principles Explained With Examples
The 7 data protection principles are the foundation of the Data Protection Act 2018 and UK GDPR. They guide how organisations should collect, use, store, share, and protect personal data. These principles are not just legal ideas. They are practical rules that businesses should follow every day.
If a business handles customer details, employee files, website data, payment records, or marketing lists, these principles help keep that data safe and fair. They also help build trust. When people know their information is being handled properly, they feel more confident sharing it.
A GDPR Data Protection Level 5 course can help businesses and staff understand these principles in a practical way, so they can apply them in real workplace situations.
1. Lawfulness, Fairness and Transparency
This principle means you must use personal data in a lawful, fair, and open way. You should have a valid reason for collecting and using someone’s data. You should also explain clearly what you are doing with it.
For example, if a customer signs up for an online account, you should tell them what information you collect, why you need it, and how long you will keep it. You should not hide important details in confusing legal language.
Fairness also means you should not use data in a way that surprises or harms people. If someone gives you their email for an order receipt, they may not expect you to send marketing emails unless you have the right permission.
In simple words, be honest with people. Tell them what you do with their data and only use it in ways they would reasonably expect.
2. Purpose Limitation
Purpose limitation means you should collect personal data for a clear reason and only use it for that reason. You should not collect data for one purpose and then use it for something completely different without a proper legal reason.
For example, if someone applies for a job, they give you their CV, contact details, work history, and sometimes references. You collect that information to assess their job application. You should not then add their email address to your marketing list or use their CV details for sales activity.
This principle helps stop organisations from misusing information. It also helps people understand why their data is being collected.
Before collecting data, ask yourself: “Why do we need this?” and “Will we use it only for that purpose?” If the answer is unclear, you may need to review your process.
A clear purpose makes data handling safer and more trustworthy.
3. Data Minimisation
Data minimisation means you should only collect the personal data you really need. You should not ask for extra details “just in case” they may be useful later.
For example, if someone signs up for a basic email newsletter, you may only need their email address. You probably do not need their date of birth, home address, phone number, job title, and full postal address. Collecting too much information increases risk. If there is a data breach, more personal information could be exposed.
This principle is very important for websites, forms, booking systems, HR records, and customer accounts. Every field should have a clear reason.
A good question to ask is: “Can we provide this service without collecting this data?” If the answer is yes, you may not need to collect it.
Less data means less risk. It also makes customers feel more comfortable because you are not asking for unnecessary personal details.
4. Accuracy
Accuracy means personal data should be correct and kept up to date where needed. If data is wrong, organisations should take reasonable steps to correct it or delete it.
For example, if a customer tells you they have moved house, you should update their address in your system. If you continue using the old address, you may send private documents, invoices, or products to the wrong place. This could create a data protection risk.
Accuracy matters in many areas. HR teams need correct employee records. Healthcare providers need accurate patient details. Ecommerce stores need the right delivery information. Financial teams need accurate billing records.
This principle also protects individuals. Wrong data can lead to poor service, missed communication, unfair decisions, or serious mistakes.
Businesses should make it easy for people to update their information. They should also review records regularly, especially when the data is used for important decisions.
5. Storage Limitation
Storage limitation means you should not keep personal data for longer than necessary. Once the data is no longer needed, it should be deleted, anonymised, or securely destroyed.
For example, a company may receive CVs from job applicants. It may need to keep them during the hiring process. It may also keep them for a short period afterwards in case there are questions or legal claims. But it should not keep unsuccessful applicant CVs forever without a valid reason.
This principle helps reduce risk. The more old data you keep, the more data you must protect. Old data can also become inaccurate or unnecessary.
Businesses should create a data retention policy. This policy should explain how long different types of data are kept. For example, customer records, employee files, invoices, support tickets, and marketing lists may all have different retention periods.
Good data protection is not just about storing data safely. It is also about knowing when to let it go.
6. Security
Security means you must protect personal data against loss, misuse, unauthorised access, damage, or disclosure. This principle is about keeping data safe.
For example, a business may use passwords, two-factor authentication, encryption, secure cloud storage, access controls, staff training, and regular backups. These steps help stop personal data from being stolen, leaked, changed, or lost.
Security is not only an IT issue. It is also a people issue. Staff should know how to spot phishing emails, use strong passwords, avoid sending data to the wrong person, and report mistakes quickly.
For example, if an employee sends a customer file to the wrong email address, that could be a personal data breach. A clear breach response plan can help the business act quickly and reduce harm.
Every organisation should ask: “Who can access this data?” and “Do they really need access?” Strong security protects both the business and the people whose data it holds.
7. Accountability
Accountability means you must be able to prove that you follow data protection rules. It is not enough to say, “We protect data.” You need records, policies, training, and clear processes to show it.
For example, a business should keep records of its lawful bases, privacy notices, data processing agreements, breach logs, subject access request records, staff training, and data retention schedule. These documents show that the business takes data protection seriously.
Accountability is important because regulators may ask for evidence. Customers, clients, or partners may also want to know how you protect personal data.
This principle encourages businesses to build data protection into everyday work. It should not be something you only think about after a complaint or breach.
A GDPR Data Protection Level 5 course can help staff understand what evidence to keep, how to follow the rules, and how to create safer data handling habits across the organisation.
Lawful Bases for Processing Personal Data Under UK GDPR and DPA 2018
Before an organisation collects or uses personal data, it must have a lawful basis. A lawful basis is the legal reason that allows the organisation to process someone’s information. Without a lawful basis, the processing may be unfair or unlawful.
Many businesses make one common mistake. They think they always need consent. But consent is only one lawful basis. In many cases, another lawful basis may be more suitable, such as contract, legal obligation, or legitimate interests.
The important thing is to choose the right lawful basis before using the data. You should also record your reason and explain it clearly in your privacy notice.
Consent
Consent means a person gives clear permission for their data to be used for a specific purpose. For example, someone may tick a box to receive your email newsletter. Consent should be freely given, specific, informed, and easy to withdraw. You should not hide consent inside long terms and conditions.
Contract
Contract applies when you need to process personal data to provide a product or service. For example, an online store needs a customer’s name, address, and payment details to complete an order. A business may also need data to create a customer account or manage a booking. Without this data, the contract cannot be properly carried out.
Legal obligation
Legal obligation applies when an organisation must process data because the law requires it. For example, a business may need to keep invoices, tax records, payroll records, or employee right-to-work documents. In this case, the business is not using the data by choice only. It is processing the data to meet a legal duty.
Vital interests
Vital interests apply when personal data is needed to protect someone’s life or safety. This lawful basis is usually used in emergencies. For example, a hospital may need to share a patient’s medical details during urgent treatment. It may also apply if someone is seriously injured and important information must be used quickly.
Public task
A public task applies when data is processed to carry out an official function or public duty. This is often used by public bodies, councils, schools, police services, and government departments. For example, a council may use personal data to provide local services. The organisation must show that the task has a clear basis in law.
Legitimate interests
Legitimate interests can apply when an organisation has a real business reason to use personal data, and that reason does not unfairly harm the person. For example, a business may use it for fraud prevention, some B2B marketing, customer support, or basic website security. However, you should balance your interest against the person’s rights. You should also document your reasoning in a legitimate interest assessment.
Individual Rights Under the DPA 2018 and UK GDPR
Under the Data Protection Act 2018 and the UK GDPR, individuals have important rights over their personal data. These rights help people understand how organisations use their information and give them more control over it.
For example, people have the right to be informed. This means organisations must clearly explain what data they collect, why they collect it, and how it will be used. People also have the right of access, which means they can ask an organisation what personal data it holds about them.
They can also ask for incorrect data to be corrected. This is called the right to rectification. In some cases, they can ask for their data to be deleted. This is known as the right to erasure or the “right to be forgotten.”
Individuals may also ask an organisation to limit how their data is used. People may request a copy of their data in a usable format. They can also object to certain types of processing, such as direct marketing. The law also gives them rights around automated decision-making.
Good data protection is not only about policies and paperwork. It is about respect. When a person asks, “What information do you hold about me?” your organisation should be ready to answer clearly, fairly, and on time.
How to Respond to a Subject Access Request Under DPA 2018: Step-by-Step Workflow
A subject access request, also called a SAR, is when a person asks an organisation for a copy of the personal data it holds about them. This right helps people understand what information is being collected, why it is being used, and who it may be shared with.
A SAR can be made in writing, by email, through a form, by social media, or even verbally. So, staff should know how to recognise one. If a customer, employee, or client asks, “What personal data do you have about me?” your organisation should treat it seriously and follow a clear process.
Organisations must answer most subject access requests within one calendar month, so timing is very important. You can extend this by up to two further months if the request is complex or the person has made several requests, but you must tell them within the first month and explain why.
-
Record the request date
As soon as you receive the request, write down the date. This helps you track the deadline and avoid late responses. You should also note how the request was received, such as by email, phone, letter, or social media.
-
Verify identity if needed
Before sharing personal data, make sure the person is who they say they are. This is especially important if the data is sensitive. Ask only for reasonable proof of identity and do not request unnecessary documents.
-
Clarify scope if the request is broad
Sometimes a person may ask for “all data” you hold about them. If the request is very broad, you can ask them to clarify what they are looking for. This may help you find the right information faster and avoid sending irrelevant data.
-
Search emails, CRM, HR systems, cloud folders, and databases
You should search all places where personal data may be stored. This may include emails, customer systems, HR files, cloud storage, support tickets, and spreadsheets. Make sure the search is complete and not limited to one system only.
-
Review exemptions
Not all information must always be shared. Some data may be exempt, especially if it includes legal privilege, confidential references, or information about other people. Review the data carefully before sending it.
-
Remove third-party data where needed
If the records include personal data about another person, you may need to remove or hide that information. This is called redaction. The aim is to protect the requester’s rights without unfairly exposing someone else’s data.
-
Send the response securely
Send the personal data in a safe way. Use secure email, password protection, encrypted files, or another safe method where needed. Avoid sending sensitive information to the wrong address.
-
Keep a record of your decision-making
Keep notes of what you searched, what you shared, what you removed, and why. This record can help if the person complains or the ICO asks questions later. Good records show that your organisation handled the SAR responsibly.
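The eight steps above, worked through as one script. This is an added example, not code from the page or the ICO: the systems, records and names are constructed sample data, the deadline follows the ICO's calendar-month method (weekend roll-forward included, bank holidays not handled), and the only exemption modelled is legal professional privilege.

```python
"""Subject access request (SAR) workflow helper.

Added example: computes the one-calendar-month deadline, searches several
systems, withholds an exempt record, redacts third-party data and writes a
decision record. The systems and records below are constructed sample data.
"""
from __future__ import annotations

import calendar
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed stand-ins for a CRM, a helpdesk and a legal file store.
SYSTEMS = {
    "crm": [
        {"id": "c-101", "email": "alex@example.com",
         "text": "Alex Rivera renewed plan; referred by Sam Patel (sam@example.com)."},
        {"id": "c-102", "email": "jo@example.com", "text": "Jo Chen cancelled subscription."},
    ],
    "support": [
        {"id": "t-7", "email": "alex@example.com",
         "text": "Ticket: Alex asked about an invoice; agent Priya Nair replied."},
    ],
    "legal": [
        {"id": "l-3", "email": "alex@example.com", "privileged": True,
         "text": "Solicitor's advice on the Alex Rivera dispute."},
    ],
}


def sar_deadline(received: date) -> date:
    """Deadline one calendar month from the day of receipt, following the ICO
    method: the same date next month, or that month's last day if the date
    does not exist (31 Jan -> 28 Feb); a weekend deadline rolls to Monday.
    Bank holidays are not handled here."""
    year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    due = date(year, month, min(received.day, last_day))
    if due.weekday() >= 5:  # Saturday=5, Sunday=6
        due += timedelta(days=7 - due.weekday())
    return due


def redact_third_parties(text: str, requester_email: str, third_party_names: list[str]) -> tuple[str, int]:
    """Mask other people's email addresses and the listed names; return the
    redacted text and how many redactions were made."""
    count = 0

    def mask_email(match: re.Match) -> str:
        nonlocal count
        if match.group(0).lower() == requester_email.lower():
            return match.group(0)
        count += 1
        return "[REDACTED]"

    out = EMAIL_RE.sub(mask_email, text)
    for name in third_party_names:
        if name in out:
            out = out.replace(name, "[REDACTED]")
            count += 1
    return out, count


@dataclass
class SarRecord:
    """Decision record kept for the ICO or a complaint: what was searched,
    disclosed, withheld and redacted, and why."""
    requester: str
    received: date
    channel: str
    identity_verified: bool
    deadline: date
    systems_searched: list[str] = field(default_factory=list)
    disclosed: list[dict] = field(default_factory=list)
    withheld: list[str] = field(default_factory=list)
    redactions: int = 0


def process_sar(requester_email: str, received: date, channel: str, identity_verified: bool,
                systems: dict = SYSTEMS, third_party_names: tuple[str, ...] = ()) -> SarRecord:
    rec = SarRecord(requester_email, received, channel, identity_verified, sar_deadline(received))
    if not identity_verified:
        return rec  # log the request and its deadline, but disclose nothing yet
    for name, records in systems.items():
        rec.systems_searched.append(name)
        for r in records:
            if r["email"].lower() != requester_email.lower():
                continue
            if r.get("privileged"):  # example exemption: legal professional privilege
                rec.withheld.append(f"{name}:{r['id']} (legal professional privilege exemption)")
                continue
            text, n = redact_third_parties(r["text"], requester_email, list(third_party_names))
            rec.redactions += n
            rec.disclosed.append({"system": name, "id": r["id"], "text": text})
    return rec


if __name__ == "__main__":
    record = process_sar("alex@example.com", date(2025, 1, 31), "email", True,
                         third_party_names=("Sam Patel",))
    print(record)
```

The record is the part that matters if the ICO asks questions: it shows every system searched, the one record withheld and why, and how many redactions were made, without storing the redacted third-party data itself. Note that staff names appearing in their professional capacity (the support agent here) are left in; whether to redact them is a judgement for the person reviewing the response.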
DPA 2018 Fines, Penalties and ICO Enforcement
The ICO can investigate organisations. It can also issue warnings, reprimands, and enforcement notices that require changes, and it can impose fines. For the most serious infringements, the higher maximum fine is £17.5 million or 4% of total annual worldwide turnover, whichever is higher. The standard maximum is £8.7 million or 2% of total annual worldwide turnover, whichever is higher. Which maximum applies depends on which provisions were infringed.
But fines are not the only risk. A data protection failure can damage trust. It can lead to lost customers, upset staff, and negative publicity. For many businesses, reputation is the real cost.
The best defence is not fear. It is preparation. Train your people. Document your decisions. Secure your systems. Respond quickly when problems happen.
Data Protection Act 2018 Documents: Privacy Notices, Cookie Policies and DPAs
Good data protection is not only about keeping data safe. It is also about explaining clearly what you do with people’s information. Your documents should show what data you collect, why you collect it, how you use it, how long you keep it, and who you share it with.
These documents help people trust your organisation. They also help your staff follow the same rules. When your policies are clear, your business can respond better to customer questions, subject access requests, marketing checks, and data breaches.
-
Website privacy notice
A website privacy notice explains how your organisation collects and uses personal data through your website. It should cover things like contact forms, newsletter sign-ups, customer accounts, payments, and analytics tools.
It should also explain your lawful basis, how long you keep the data, who you share it with, and what rights people have. This notice should be easy to find and written in simple language.
-
Cookie policy
A cookie policy explains what cookies your website uses and why. Cookies may be used for website function, analytics, advertising, personalisation, or remembering user settings.
Your cookie policy should tell users what each cookie does and whether it is essential or optional. If you use non-essential cookies, such as analytics or marketing cookies, you may need clear consent before placing them.
-
Employee privacy notice
An employee privacy notice explains how you use staff and job applicant data. This may include payroll details, contracts, sickness records, performance reviews, emergency contacts, and recruitment information.
It should tell employees why the data is needed, who can access it, and how long it will be kept. HR data can be sensitive, so this notice is very important.
-
Data processing agreements
A data processing agreement is needed when another organisation processes personal data for you. For example, this could include payroll providers, email marketing platforms, cloud software providers, or IT support companies.
The agreement should explain what the processor can do with the data and what security steps they must follow. It helps protect your organisation and the people whose data is being handled.
-
Data retention policy
A data retention policy explains how long your organisation keeps different types of personal data. For example, customer records, invoices, job applications, HR files, and support tickets may all have different retention periods.
This policy helps you avoid keeping data forever. Once data is no longer needed, it should be deleted, anonymised, or securely destroyed.
-
Breach response policy
A breach response policy explains what your organisation should do if personal data is lost, stolen, exposed, or sent to the wrong person. It gives staff a clear process to follow during a stressful situation.
The policy should cover how to report a breach internally, how to assess the risk, when to contact the ICO, and when to inform affected people. Acting quickly can reduce harm and protect your business.
-
Internal data protection policy
An internal data protection policy gives staff clear rules for handling personal data. It may cover passwords, access control, email use, file sharing, remote working, data deletion, and reporting concerns.
This policy helps turn data protection into daily practice. It also shows that your organisation takes accountability seriously.
Email Marketing Rules Under DPA 2018, UK GDPR and PECR
Marketing is one area where many businesses make mistakes. Sending emails, texts, newsletters, offers, and automated campaigns may seem simple, but these activities often involve personal data. This means the DPA 2018, UK GDPR, and PECR can all apply.
PECR focuses on electronic marketing, such as emails, texts, marketing calls, and cookies. UK GDPR and the DPA 2018 apply when you collect and use personal data, such as names, email addresses, customer profiles, buying history, and marketing preferences.
Before sending marketing messages, businesses should check whether they have the right permission or legal reason. They should also make it easy for people to opt out.
-
Do you need consent?
In many cases, you need clear consent before sending marketing emails to individuals. Consent should be freely given, specific, and easy to understand, and it should not be bundled into other terms or rely on a pre-ticked box. You should also keep a record of when and how the person gave consent.
-
Can you rely on soft opt-in?
Soft opt-in may apply when someone has bought something from you or shown interest in a similar product or service. It allows you to send marketing emails in limited situations. However, you must give the person a clear chance to opt out when you collect their details and in every message you send.
-
Did the person buy or enquire about similar products?
Soft opt-in usually works only when the marketing relates to similar products or services. For example, if someone bought a training course, you may be able to email them about related courses. But you should not use that contact to promote something completely unrelated.
-
Did you offer a clear unsubscribe?
Every marketing email should include a clear and simple unsubscribe option. People should not have to search for it or log in through a long process. Once someone unsubscribes, you should stop sending marketing messages as soon as possible.
-
Are cookies used for tracking?
If your emails or website use tracking cookies, pixels, or analytics tools, you may need cookie consent. These tools can track opens, clicks, visits, and user behaviour. You should explain this clearly in your cookie policy and privacy notice.
-
Is your CRM list clean?
Your CRM list should be accurate, up to date, and legally collected. Remove old, inactive, incorrect, or unsubscribed contacts. A clean list reduces risk and helps your marketing reach people who actually want to hear from you.
The ICO explains that the soft opt-in can apply only where the person's details were obtained during a sale or negotiations for a sale, and only if all of the other conditions are met.
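The consent and soft opt-in questions above, turned into a send check that a marketing team could run over a CRM export before a campaign. This is an added example with constructed contacts, not code from the page or the ICO; the field names on the Contact record are assumptions about what your CRM stores, and every decision carries a reason so the suppression can be explained later.

```python
"""Marketing send check under PECR and UK GDPR.

Added example with constructed contacts: a contact may be emailed only with
recorded consent or under the soft opt-in, is never emailed after
unsubscribing, and every decision carries a reason for the audit trail.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Contact:
    email: str
    consent_given_on: date | None = None   # date of a recorded opt-in for marketing
    consent_evidence: str = ""             # how it was captured, e.g. "unticked box on signup form"
    sale_or_negotiation: bool = False      # details obtained during a sale or negotiations for one
    purchased_categories: tuple[str, ...] = ()  # what they bought or enquired about
    opt_out_offered_at_collection: bool = False
    unsubscribed: bool = False


def can_send_marketing(c: Contact, campaign_category: str) -> tuple[bool, str]:
    """Return (allowed, reason). Order matters: an unsubscribe overrides
    any earlier consent or soft opt-in."""
    if c.unsubscribed:
        return False, "unsubscribed: objection to direct marketing must be honoured"
    if c.consent_given_on is not None and c.consent_evidence:
        return True, f"consent recorded on {c.consent_given_on.isoformat()} via {c.consent_evidence}"
    if c.consent_given_on is not None and not c.consent_evidence:
        return False, "consent claimed but no record of how it was obtained"
    soft_opt_in = (
        c.sale_or_negotiation
        and c.opt_out_offered_at_collection
        and campaign_category in c.purchased_categories
    )
    if soft_opt_in:
        return True, f"soft opt-in: similar product ({campaign_category}), opt-out offered at collection"
    if c.sale_or_negotiation and not c.opt_out_offered_at_collection:
        return False, "soft opt-in fails: no opt-out offered when details were collected"
    if c.sale_or_negotiation:
        return False, f"soft opt-in fails: {campaign_category} is not similar to {list(c.purchased_categories)}"
    return False, "no consent and no customer relationship: do not send"


def build_send_list(contacts: list[Contact], campaign_category: str) -> dict[str, list]:
    """Split a CRM list into contacts to email and contacts to suppress, each with its reason."""
    result: dict[str, list] = {"send": [], "suppress": []}
    for c in contacts:
        allowed, reason = can_send_marketing(c, campaign_category)
        result["send" if allowed else "suppress"].append((c.email, reason))
    return result


# Constructed CRM sample (not real contacts).
SAMPLE_CONTACTS = [
    Contact("a@example.com", consent_given_on=date(2025, 1, 5), consent_evidence="newsletter tick box"),
    Contact("b@example.com", sale_or_negotiation=True, purchased_categories=("courses",),
            opt_out_offered_at_collection=True),
    Contact("c@example.com", sale_or_negotiation=True, purchased_categories=("courses",)),
    Contact("d@example.com", consent_given_on=date(2025, 1, 5), consent_evidence="tick box", unsubscribed=True),
    Contact("e@example.com"),
]

if __name__ == "__main__":
    for status, rows in build_send_list(SAMPLE_CONTACTS, "courses").items():
        for email, reason in rows:
            print(f"{status:8} {email:16} {reason}")
```

The check only decides who may be emailed; the message itself must still carry a working unsubscribe link, and an unsubscribe must flow back into the CRM so the next run suppresses that contact. Running the same list against a campaign category the contact never bought (for example "insurance" for a course buyer) shows the soft opt-in dropping away.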
Data Breach Response Under the Data Protection Act 2018
A personal data breach is not only a cyberattack or hacking incident. It can also happen when an employee sends an email to the wrong person, loses a work laptop, exposes a customer database, shares files without permission, or deletes important personal data by mistake.
When a breach happens, the organisation must act quickly. A slow or confused response can make the problem worse. A clear breach response plan helps your team reduce harm, protect affected people, and show the ICO that you handled the situation responsibly.
-
Contain it
The first step is to stop the breach from getting worse. This may mean removing public access to a file, recalling an email, changing passwords, disabling an account, or taking a system offline. The faster you contain the breach, the easier it is to reduce damage.
-
Assess risk
Next, look at what happened and who may be affected. Ask what type of data was involved, how sensitive it is, and whether people could suffer harm. A breach involving health data, financial details, or identity documents is usually higher risk.
-
Decide whether to report to the ICO
You do not need to report every breach to the ICO. You must report it if it is likely to result in a risk to people's rights and freedoms. A reportable breach must be reported without undue delay and, where feasible, within 72 hours of becoming aware of it. If you report late, you must explain the reasons for the delay.
-
Decide whether affected people must be told
If the breach is likely to create a high risk to individuals, you may need to tell the affected people directly. The message should explain what happened, what data was involved, what you are doing, and what steps they can take to protect themselves.
-
Record everything
You should keep a clear record of the breach, even if you decide not to report it. Record what happened, when it happened, what data was affected, what decisions you made, and what actions you took. These records can help if the ICO asks questions later.
-
Fix the root cause
After the immediate problem is controlled, find out why it happened. You may need better staff training, stronger passwords, access controls, safer email processes, or improved security tools. The aim is not only to close the incident, but to prevent it from happening again.
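The contain, assess, report, notify and record steps above, applied to a constructed incident. This is an added example, not code from the page or the ICO: the risk scoring is an illustrative assumption standing in for your own documented criteria, and the 72-hour clock is started from the moment of awareness, not from when the breach happened.

```python
"""Personal data breach triage and record.

Added example: a constructed breach is assessed for risk, the 72-hour ICO
clock is computed from the moment of awareness, and the decisions are
written to a record. The scoring thresholds are an illustrative assumption,
not ICO guidance; use your own documented criteria.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

ICO_WINDOW = timedelta(hours=72)
SENSITIVE = {"health", "financial", "identity_document", "criminal", "credentials"}


@dataclass
class Breach:
    description: str
    aware_at: datetime          # when the organisation became aware, not when it happened
    data_categories: set[str]
    people_affected: int
    contained: bool
    exposed_to: str             # "internal", "known_third_party", "public" or "unknown"
    encrypted: bool = False     # data unreadable to whoever has it, key not compromised


def assess_risk(b: Breach) -> str:
    """'low' (record only), 'risk' (report to ICO) or 'high' (also tell the people).
    Assumed scoring: sensitive data +2, public/unknown recipient +2, known
    third party +1, 100 or more people +1; strong encryption removes the risk."""
    if b.encrypted:
        return "low"
    score = 0
    if b.data_categories & SENSITIVE:
        score += 2
    if b.exposed_to in ("public", "unknown"):
        score += 2
    elif b.exposed_to == "known_third_party":
        score += 1
    if b.people_affected >= 100:
        score += 1
    if score >= 4:
        return "high"
    if score >= 2:
        return "risk"
    return "low"


@dataclass
class BreachDecision:
    risk: str
    report_to_ico: bool
    ico_deadline: datetime
    hours_remaining: float
    notify_individuals: bool
    record: list[str] = field(default_factory=list)


def triage(b: Breach, now: datetime) -> BreachDecision:
    """Apply the contain / assess / report / notify / record steps to one breach."""
    risk = assess_risk(b)
    deadline = b.aware_at + ICO_WINDOW
    d = BreachDecision(
        risk=risk,
        report_to_ico=risk != "low",
        ico_deadline=deadline,
        hours_remaining=round((deadline - now).total_seconds() / 3600, 1),
        notify_individuals=risk == "high",
    )
    d.record.append(f"{b.aware_at.isoformat()} aware: {b.description}")
    d.record.append("contained" if b.contained else "CONTAINMENT OUTSTANDING: act before anything else")
    d.record.append(f"data: {sorted(b.data_categories)}; people: {b.people_affected}; "
                    f"exposed to: {b.exposed_to}; encrypted: {b.encrypted}; risk: {risk}")
    d.record.append(f"ICO: {'report by ' + deadline.isoformat() if d.report_to_ico else 'not reportable, reason logged'}")
    d.record.append(f"individuals: {'notify without undue delay' if d.notify_individuals else 'no direct notification'}")
    return d


if __name__ == "__main__":
    aware = datetime(2025, 3, 3, 9, 0)
    lost = Breach("laptop with patient list lost on train", aware,
                  {"health", "contact"}, 340, contained=False, exposed_to="unknown")
    for line in triage(lost, aware + timedelta(hours=5)).record:
        print(line)
```

Two points the record makes visible: a breach scored "low" still produces a record, because the duty to document applies whether or not you report, and an encrypted lost device only scores "low" on the assumption that the key was not exposed, so that assumption belongs in the record too.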
2026 Data Protection Act 2018 Update: Data Use and Access Act 2025 Changes
The Data Use and Access Act 2025, also known as the DUAA 2025, brings important updates to UK data and privacy law. It received Royal Assent on 19 June 2025 and is designed to modernise how data is used, shared, and regulated in the UK.
For businesses, this means data protection is still changing. The DPA 2018 and UK GDPR remain important, but organisations should also understand how the DUAA 2025 may affect their policies, systems, and daily data practices.
Some changes may come into force at different times. So, businesses should not treat compliance as a one-time task. They should review official guidance regularly and update their processes when needed.
For 2026, businesses should watch:
-
Complaint-handling duties
Businesses may need clearer processes for handling data protection complaints. This means people should know how to complain if they are unhappy with how their data is used. Organisations should respond fairly, keep records, and deal with complaints before they become bigger problems.
-
SAR changes
The DUAA 2025 includes changes linked to subject access requests, also known as SARs. Businesses should review how they receive, check, search, and respond to these requests. A clear SAR workflow will help teams respond on time and avoid mistakes.
-
Cookie rule updates
Cookie rules are also changing in some areas. Businesses should check how they use website cookies, analytics tools, tracking pixels, and advertising technologies. They should make sure their cookie notices and consent tools are clear and up to date.
-
PECR changes
PECR covers electronic marketing, cookies, calls, texts, and emails. The DUAA 2025 updates some parts of this area, so marketing teams should pay close attention. Businesses should review email marketing, unsubscribe links, consent records, and tracking practices.
-
Automated decision-making rules
Automated decision-making means using systems or software to make decisions about people with little or no human involvement. This may affect areas like recruitment, finance, insurance, and online services. Businesses should check whether automated decisions are fair, explainable, and properly controlled.
-
ICO reform into the Information Commission
The DUAA 2025 also reforms the UK data protection regulator. The Information Commissioner’s Office is expected to move towards a new structure called the Information Commission. Businesses should watch for updated guidance, new processes, and any changes in how data protection rules are supervised.
DPA 2018 Compliance Checklists for SaaS, Ecommerce, HR, Healthcare and Agencies
Different businesses handle different types of personal data. This means their data protection risks are not always the same. A SaaS company may worry about user access and international transfers, while an ecommerce store may focus more on payment data, cookies, and marketing emails. HR teams may deal with employee records, and healthcare providers may handle sensitive health information.
That is why every business should build a checklist based on its own work. A general policy is helpful, but it is not enough on its own. Your compliance process should match the type of data you collect and the way your organisation uses it. This is where structured training, such as a GDPR Data Protection Level 5 course, can help teams apply the law to real situations.
-
SaaS
SaaS companies often process personal data for their customers. This may include user accounts, login details, customer records, usage data, support tickets, and analytics. They should have strong processor contracts, clear access controls, audit logs, and a proper breach response process. They should also check whether a company transfers personal data outside the UK and make sure the right safeguards are in place.
-
Ecommerce
Ecommerce businesses collect personal data during browsing, checkout, payment, delivery, returns, and customer support. They should protect payment data, explain data use clearly in the checkout privacy notice, and manage marketing consent properly. Abandoned cart emails should also be reviewed because they may count as marketing. Ecommerce stores should also check cookie banners, tracking tools, and customer account security.
-
HR
HR teams handle a large amount of employee and applicant data. This can include CVs, contracts, payroll details, sickness records, performance notes, disciplinary records, and emergency contacts. HR should set clear retention periods so that old records are not kept longer than needed. Access to payroll and sensitive employee files should be limited to authorised staff only.
-
Healthcare
Healthcare providers handle some of the most sensitive personal data. This includes health records, treatment notes, appointment details, prescriptions, test results, and patient history. Because health data is special category data, it needs stronger protection and strict access controls. You must inform patients clearly how their data is used, stored, shared, and protected.
-
Agencies
Agencies may act as controllers, processors, or sometimes both. For example, if an agency only follows a client’s instructions, it may be a processor. But if it decides campaign strategy, targeting, or data use, it may become a controller. Agencies should check their role in each project, use proper data processing agreements, manage campaign consent carefully, and review analytics cookies before launching campaigns.
Common Data Protection Act 2018 Mistakes Businesses Make
Many businesses do not break data protection rules on purpose. Most mistakes happen because there is no clear process. A team may collect too much data, keep records for too long, forget to update privacy notices, or fail to train staff properly.
These mistakes may look small at first. But over time, they can create serious risks. Poor data protection can lead to complaints, data breaches, loss of customer trust, and possible ICO action. That is why businesses should treat compliance as a daily habit, not a one-time task.
-
Collecting too much data
Some businesses ask for more personal data than they really need. For example, a simple newsletter form may only need an email address, not a date of birth, home address, and phone number. Collecting less data reduces risk and makes customers feel more comfortable.
-
Using consent when another lawful basis is better
Many businesses think consent is always required, but this is not true. Sometimes contract, legal obligation, or legitimate interests may be more suitable. Using the wrong lawful basis can make your data processing unclear and harder to manage.
-
Copying privacy notices from other websites
Copying a privacy notice from another website is risky. That notice may not match your business, your systems, your suppliers, or your lawful bases. A good privacy notice should reflect what your organisation actually does with personal data.
-
Ignoring old data
Old data can become inaccurate, unnecessary, and risky. For example, old customer files, outdated spreadsheets, and inactive accounts may still contain personal information. Businesses should review old data regularly and delete or anonymise it when it is no longer needed.
-
Keeping CVs forever
CVs contain personal data such as names, contact details, work history, education, and sometimes sensitive information. Keeping unsuccessful applicant CVs forever is usually unnecessary. Businesses should set a clear retention period and delete recruitment data when it is no longer needed.
-
No SAR workflow
A subject access request can come by email, letter, phone, or even social media. If staff do not recognise it, the business may miss the deadline. A clear SAR workflow helps teams record requests, search systems, review data, and respond on time.
-
Weak supplier contracts
Many businesses use suppliers that handle personal data, such as payroll providers, email platforms, cloud software, or IT support. If the contract is weak, it may not clearly explain how the supplier must protect the data. A proper data processing agreement helps reduce risk.
-
Poor cookie banners
Some cookie banners do not give users a real choice. Others place non-essential cookies before consent is given. Businesses should make cookie banners clear, fair, and easy to use, especially when using analytics, advertising, or tracking tools.
-
No breach response plan
A data breach can happen at any time. Without a plan, staff may panic, delay action, or fail to report the issue correctly. A breach response plan helps the business contain the problem, assess risk, record decisions, and report when required.
-
No staff training
Data protection is not only the job of managers or IT teams. Any staff member who handles personal data needs basic training. Regular training helps employees avoid mistakes, spot risks, and understand what to do if something goes wrong.
Final DPA 2018 Compliance Checklist
The Data Protection Act 2018 is not something a business should deal with once and then forget. Compliance is a living system. It needs regular checks, clear documents, trained staff, and safe working habits.
This checklist can help your business review the main areas of data protection. It covers what data you collect, why you use it, how you protect it, and how you respond when people use their rights. Use it as a simple starting point for building stronger DPA 2018 and UK GDPR compliance.
-
Map what personal data you collect
Start by listing all the personal data your business collects. This may include names, emails, phone numbers, addresses, payment details, employee files, website data, and customer records. You should also note where the data comes from and where it is stored.
-
Identify your lawful basis
Every use of personal data needs a lawful basis. This could be consent, contract, legal obligation, legitimate interests, public tasks, or vital interests. Choose the right lawful basis before using the data and record your reason clearly.
-
Update your privacy notice
Your privacy notice should explain what data you collect and why you collect it. It should also tell people how long you keep their data, who you share it with, and what rights they have. Keep the wording simple so customers and staff can understand it easily.
-
Review cookie compliance
Check what cookies your website uses. Some cookies are essential, but others, such as analytics or advertising cookies, may need consent. Your cookie banner and cookie policy should be clear, fair, and easy to use.
-
Sign processor contracts
If another company handles personal data for you, you may need a data processing agreement. This applies to suppliers such as payroll providers, email platforms, cloud software, and IT support companies. The contract should explain how the supplier must protect the data.
-
Create a SAR workflow
A subject access request, or SAR, allows people to ask for a copy of their personal data. Your team should know how to recognise, record, verify, search, review, and respond to these requests. Most SARs must be answered within one calendar month.
-
Create a breach response plan
A data breach can happen through hacking, human error, lost devices, wrong emails, or exposed files. Your breach plan should explain who to contact, how to contain the issue, and when to report it. A clear plan helps your team act quickly and calmly.
-
Set retention periods
Do not keep personal data forever. Set clear retention periods for customer records, invoices, employee files, job applications, support tickets, and marketing lists. When data is no longer needed, delete it, anonymise it, or destroy it securely.
-
Train staff
Staff training is one of the most important parts of compliance. Employees should know how to handle personal data, spot risks, avoid mistakes, and report breaches. A GDPR Data Protection Level 5 course can help your team build practical knowledge and confidence.
-
Improve passwords and access controls
Use strong passwords, two-factor authentication, and secure systems. Give staff access only to the data they need for their role. This reduces the chance of personal data being seen, changed, lost, or shared by the wrong person.
-
Review compliance yearly
Data protection is not a one-time job. Your business systems, suppliers, staff, and marketing tools may change over time. Review your policies, data map, privacy notice, cookie tools, contracts, and training at least once a year.
Downloadable Data Protection Act 2018 Compliance Checklist Template
A downloadable compliance checklist or template can help your business manage data protection in a simple and organised way. Instead of keeping everything in different emails, folders, and spreadsheets, you can use one clear document to track your main DPA 2018 and UK GDPR tasks.
This template should be easy for managers, HR teams, marketing teams, and business owners to use. It should help you record what data you collect, why you use it, who you share it with, how long you keep it, and when you last reviewed your compliance process.
Data Mapping for DPA 2018 Compliance
Data mapping helps you understand what personal data your business collects. You should record where the data comes from, where it is stored, who can access it, and who it is shared with. This gives you a clear picture of your data flow.
Lawful Basis Table for UK GDPR and DPA 2018
A lawful basis table records the legal reason for each type of data processing. For example, you may use contracts for customer orders, legal obligation for invoices, and consent for newsletters. This helps you prove that your data use is lawful and properly considered.
Privacy Notice Review for Data Protection Compliance
This section helps you check whether your privacy notice is clear and up to date. It should explain what data you collect, why you collect it, how long you keep it, and what rights people have. Review it whenever your services, tools, or suppliers change.
Cookie Audit for UK Data Protection Compliance
A cookie audit lists the cookies used on your website. It should show which cookies are essential and which are used for analytics, advertising, or tracking. This helps you decide whether consent is needed and whether your cookie banner is working properly.
SAR Log for Data Protection Act 2018 Requests
A SAR log helps you track subject access requests. You should record the request date, the requester’s name, the deadline, the systems searched, and the response sent. This helps your business respond on time and keep evidence of your process.
Data Breach Response Form for DPA 2018 Compliance
A breach response form helps your team record what happened during a personal data breach. It should include the date, type of breach, data affected, people affected, risk level, and actions taken. This makes it easier to decide whether the ICO or affected individuals must be informed.
Supplier Checklist for DPA 2018 Processor Contracts
A supplier checklist helps you review companies that handle personal data for you. This may include payroll providers, cloud software, email platforms, payment processors, and IT support. You should check whether contracts, security measures, and data processing agreements are in place.
Data Retention Schedule for DPA 2018 Compliance
A retention schedule explains how long your organisation should keep different types of personal data. For example, invoices, employee records, CVs, support tickets, and marketing data may all have different retention periods. It helps you avoid keeping data longer than necessary.
Marketing Compliance Check Under DPA 2018 and PECR
This section helps you review email marketing, newsletters, customer lists, unsubscribe links, and consent records. It should also check whether soft opt-in applies and whether your CRM list is clean. This reduces the risk of sending unlawful marketing messages.
Annual Data Protection Compliance Review Date
An annual review date reminds your business to check its data protection process at least once a year. During the review, update your policies, supplier records, cookie tools, training, and data map. This helps keep compliance active instead of forgotten.
Final Thought
The Data Protection Act 2018 is not just a legal rule. It is a trust rule. Every time someone gives you their data, they are saying, “Please handle this carefully.”
If your business can answer that with clear policies, trained staff, secure systems, and honest communication, you do more than avoid penalties. You build trust. And trust is one of the strongest assets any business can own.
Want a guided way to build these documents? Join our GDPR Data Protection Level 5 course and learn how to create practical compliance workflows for real business situations.
Frequently Asked Questions
What is the Data Protection Act 2018 in simple terms?
The Data Protection Act 2018 is the UK law that controls how organisations use personal data. It protects people by making businesses, charities, public bodies, and other organisations handle data fairly, lawfully, securely, and transparently.
Is the Data Protection Act 2018 the same as GDPR?
No. The UK GDPR sets the main data protection rules, while the Data Protection Act 2018 supports, supplements, and customises those rules for the UK. Most UK organisations need to follow both.
Does the Data Protection Act 2018 still apply after Brexit?
Yes. The Data Protection Act 2018 still applies after Brexit. The UK now uses the UK GDPR alongside the DPA 2018, so businesses must still follow data protection duties when handling personal information.
Who does the Data Protection Act 2018 apply to?
It applies to organisations that process personal data, including businesses, charities, public authorities, ecommerce stores, SaaS firms, HR teams, healthcare providers, agencies, and some non-UK organisations handling UK residents’ data.
What are the 7 principles of the Data Protection Act 2018?
The seven principles are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; security; and accountability. They guide how personal data should be collected, used, protected, stored, and reviewed.
What is personal data under the Data Protection Act 2018?
Personal data is information that can identify a living person. It includes names, emails, addresses, phone numbers, IP addresses, customer records, employee files, payment details, cookie IDs, and location data.
What are special categories of personal data?
Special category data is sensitive personal data. It includes health data, racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic data, biometric data, sex life, and sexual orientation.
What rights do individuals have under DPA 2018?
Individuals have rights including the right to be informed, access their data, correct inaccurate data, request deletion, restrict processing, move data, object to processing, and challenge certain automated decisions.
What happens if a business breaks the Data Protection Act 2018?
A business may face complaints, ICO investigation, enforcement action, reputational damage, customer loss, and possible fines. The outcome depends on the seriousness of the breach, harm caused, and how the business responded.
Do small businesses need to comply with DPA 2018?
Yes. Small businesses must comply if they handle personal data. Even a small company with customer emails, invoices, employee records, website forms, analytics cookies, or marketing lists has data protection responsibilities.
Do I need consent to send marketing emails in the UK?
Sometimes. Consent is often needed for email marketing, but the soft opt-in may apply to existing customers if strict conditions are met. You must also provide a clear unsubscribe option and follow PECR and UK GDPR rules.
How long do I have to respond to a subject access request?
In most cases, you must respond to a subject access request within one calendar month. You should record the request date, verify identity when needed, search systems carefully, and send the response securely.
How does the Data Use and Access Act 2025 affect DPA 2018?
The Data Use and Access Act 2025 updates parts of UK data and privacy law, including areas such as automated decision-making, subject access, cookies, complaints, PECR, and ICO reform. Businesses should review guidance and update compliance processes.