Data Protection Act 2018 (UK)

Agent Navigation: For section discovery, use /regulations/uk/dpa-2018/llms.txt

Quick Reference

The Data Protection Act 2018 (DPA 2018) is the UK’s comprehensive data protection law. It works alongside the UK GDPR for general processing, but also covers law enforcement and intelligence services processing which fall outside GDPR scope. It creates criminal offenses and sets out important exemptions.

Applies to: All data controllers and processors in the UK; law enforcement and intelligence services

Key rules:

• Part 2 supplements the UK GDPR for general processing [Part 2]
• Part 3 governs law enforcement processing separately from GDPR [Part 3]
• Schedule 2 contains exemptions from data subject rights [Sch 2]
• Unlawful obtaining of personal data is a criminal offense [s.170]
• Re-identification of de-identified data is an offense [s.171]

Question	Answer	Citation
Does DPA 2018 replace GDPR?	No, works alongside UK GDPR	Part 2
Does GDPR apply to police?	No, Part 3 applies instead	s.29
Are there exemptions?	Yes, Schedule 2	Sch 2
Is unlawful data obtaining criminal?	Yes, unlimited fine	s.170
Who enforces?	ICO	Part 5-6

---

Regulation Map (All Chunks)

Definitions

• DPA 2018: Scope and Application

Requirements

• DPA 2018: Exemptions (Schedule 2)
• DPA 2018: Law Enforcement Processing (Part 3)

Enforcement

• DPA 2018: Enforcement Mechanisms
• DPA 2018: Criminal Offenses

Scenarios

• DPA 2018: Common Scenarios

Full Text — Regulatory Authority

• DPA 2018: The Information Commissioner

Full Text — Framework

• Data Protection Act 2018: Intelligence Services Processing
• Data Protection Act 2018: Supplementary and Final Provisions

Full Text — Exemptions

• Data Protection Act 2018: Special Purposes (Journalism & Academic)

Full Text — Core Requirements

• DPA 2018: UK GDPR Implementation