Applicability of the UK Data Protection Act 2018 (DPA 2018)

The United Kingdom operates under a statutory data protection framework that governs the processing of personal data. The primary legislation establishing this framework is the Data Protection Act 2018, which serves as the principal data protection statute.

The Data Protection Act 2018 was adopted on May 23, 2018 and became effective on May 25, 2018. The act has been amended by the Data (Use and Access) Act 2025, which was adopted on June 19, 2025 and became effective on June 19, 2025.

Material Applicability

The DPA 2018 establishes its scope through reference to the GDPR's applicability criteria. Article 4(2)(a) directly incorporates the GDPR's material scope, which includes:

1. Automated Processing: The law applies to processing wholly or partly by automated means, adopting the GDPR's technology-neutral approach.
2. Filing Systems: Coverage extends to structured sets of personal data accessible according to specific criteria, whether in digital or non-digital formats.
3. Exemptions:
   • Personal and domestic activities are excluded from the law's scope
   • Processing for national security and law enforcement follows specific provisions
   • State secrets processing may be subject to separate regulations

Article 4(3) establishes a parallel regime for processing activities outside the GDPR's scope, ensuring comprehensive data protection coverage.

Territorial Applicability

The law does not contain information about territorial applicability.