DPA 2018: Scope and Application
Scope and Application [Part 1-2]
Rule: The DPA 2018 supplements the UK GDPR for general processing, provides a complete regime for law enforcement and intelligence services, and sets out exemptions and enforcement mechanisms.
Structure of the DPA 2018
| Part | Coverage | Relationship to UK GDPR |
|---|---|---|
| Part 1 | Preliminary (definitions) | Foundational |
| Part 2 | General processing | Supplements UK GDPR |
| Part 3 | Law enforcement processing | Standalone (not GDPR) |
| Part 4 | Intelligence services processing | Standalone (not GDPR) |
| Part 5 | Information Commissioner | Applies to all parts |
| Part 6 | Enforcement | Applies to all parts |
| Part 7 | Supplementary provisions | Applies to all parts |
How Part 2 Works with UK GDPR [s.4-5]
Part 2 applies the UK GDPR with supplementary provisions:
“The GDPR, the applied GDPR and this Part of this Act apply in relation to the processing of personal data.”
Supplementary provisions include:
- Lawful bases for special category data (Schedule 1)
- Exemptions from data subject rights (Schedule 2)
- Accreditation of certification providers
- Codes of practice
When Part 3 Applies Instead [s.29-30]
Part 3 applies to processing by competent authorities for law enforcement purposes:
| Term | Definition |
|---|---|
| Competent authority | Person listed in Schedule 7 (police, prosecution, courts, etc.) |
| Law enforcement purpose | Prevention, investigation, detection or prosecution of criminal offenses; execution of criminal penalties |
Key differences from UK GDPR:
| Aspect | UK GDPR (Part 2) | Part 3 (Law Enforcement) |
|---|---|---|
| Legal bases | 6 lawful bases | Different bases (s.35) |
| Special categories | Explicit consent or conditions | Strict necessity + conditions |
| International transfers | Adequacy or safeguards | Adequacy or specific conditions |
| Right to erasure | Applies with exceptions | More limited |
Territorial Scope [s.207]
The DPA 2018 applies to:
- Controllers/processors established in the UK
- Processing of UK residents’ data by non-UK controllers (for Part 2)
- UK law enforcement bodies (for Part 3)
Key Definitions [s.3]
| Term | Definition |
|---|---|
| Personal data | Same as UK GDPR Art 4(1) |
| Processing | Same as UK GDPR Art 4(2) |
| Controller | Same as UK GDPR Art 4(7) |
| Processor | Same as UK GDPR Art 4(8) |
| The Commissioner | Information Commissioner |
Relationship Summary
- General Processing (businesses, public sector): UK GDPR + DPA 2018 Part 2
- Law Enforcement Processing (police, prosecutors): DPA 2018 Part 3 only
- Intelligence Services (MI5, MI6, GCHQ): DPA 2018 Part 4 only