In advance of the EU’s General Data Protection Regulation (GDPR) going into effect on May 25, the UK’s Data Protection Bill received Royal Assent on May 23, to become the Data Protection Act 2018 (DPA 2018).

The DPA 2018 is designed to:

  • ensure that the standards set out in the GDPR have effect in the UK and to provide for certain derogations permitted by the GDPR;
  • repeal and replace the Data Protection Act 1998 as the primary piece of domestic data protection legislation in the UK; and
  • ensure that the UK and EU data protection regimes are aligned post-Brexit and that the UK will continue to be able to freely exchange personal data with the EU.

The GDPR is directly applicable in all EU member states, including the UK; however, the DPA 2018 supplements the GDPR and includes provisions relating to, for instance, the Information Commissioner’s Office, which is the data protection supervisory authority in the UK. The DPA 2018 also extends domestic data protection laws to areas that are not covered by the GDPR.

The DPA 2018 is available here.