UK DPA 2018

Data Protection Act 2018 (UK GDPR)

The UK's foundational data protection law, incorporating the UK GDPR (retained EU GDPR post-Brexit). Substantively mirrors EU GDPR with ICO as sole enforcer. Article 22 restricts automated decision-making; Article 9 classifies mental health as special category data; children's consent age set at 13. Parent framework for UK Children's Code; amended by DUA Act 2025.

Jurisdiction

United Kingdom

Enacted

May 23, 2018

Effective

May 25, 2018

Enforcement

Information Commissioner's Office (ICO)

UK GDPR (retained EU GDPR) took effect 1 January 2021 post-Brexit; EU adequacy decision valid until 27 December 2025

legislation.gov.uk

Why It Matters

Foundation for all UK data protection. Processing UK user data - especially mental health signals or children's data - triggers baseline compliance. The UK Children's Code (AADC) is issued under this Act. Companion AI processing emotional/mental health data triggers special category requirements.

Recent Developments

Data (Use and Access) Act 2025 amends DPA 2018, adding ICO interview notice powers and provisions for AI training transparency. EU adequacy decision renewed December 2025. Feb 2026: ICO launched formal investigation into X Internet Unlimited and X.AI LLC over Grok AI generating non-consensual sexual imagery, including images of children. Investigation focuses on data protection violations related to personal data processing and safeguards against illegal content creation.

Who Must Comply

  • Controllers/processors handling UK personal data
  • Non-UK entities processing UK residents' data (extraterritorial reach)

Safety Provisions

  • Article 22 (UK GDPR): Right not to be subject to solely automated decisions with legal/significant effects
  • Article 9: Mental health data is 'special category' requiring explicit consent or other lawful basis
  • Children's consent threshold: 13 years (lower than EU default of 16)
  • Articles 13/14: Transparency about automated decision-making logic and consequences
  • DPIA mandatory for high-risk processing including AI systems affecting health decisions
  • Data protection by design and by default
  • Data subject rights (access, deletion, objection, portability)
  • 72-hour breach notification to ICO

Compliance & Enforcement

Key Dates

Dec 27, 2025

EU adequacy decision expires (may be renewed)

Penalties

£17.5M or 4% revenue (whichever higher)

Private Right of Action

Individuals can sue directly without waiting for regulatory action.

Focus Areas

Mental health & crisis
Child safety
Algorithmic accountability
Active safeguards required

Compliance Help

Requires lawful basis (explicit consent for mental health data under Art. 9); DPIA for high-risk AI processing; data minimisation and retention policies; user rights workflows; Art. 22 posture for significant automated decisions; age verification for children under 13.

Cite This

APA

United Kingdom. (2018). Data Protection Act 2018 (UK GDPR).

Related Regulations

In Effect GB

DUA Act 2025

Omnibus data legislation covering customer data access, digital verification services, the Information Commission, and AI-related provisions including copyright/training transparency requirements and new criminal offenses for creating AI-generated intimate images (deepfakes).

In Effect GB

Ofcom Children's Codes

Ofcom codes requiring user-to-user services and search services to protect children from harmful content including suicide, self-harm, and eating disorder content. Explicitly covers AI chatbots that enable content sharing between users. Requires detection technology, content moderation, and recommender system controls.

In Effect IL

Israel Privacy Amendment 13

Israel's most significant privacy reform in 40 years, explicitly covering AI systems. Requires Data Protection Officers (DPOs) for entities processing sensitive data at scale, mandates Data Protection Impact Assessments (DPIAs) before AI deployment, and enhances Protection of Privacy Authority enforcement powers. One of first data protection laws to explicitly require DPIAs before AI development or deployment.

In Effect LB

Lebanon Law 81/2018

Lebanon's electronic transactions and data protection law lacking independent supervisory authority, relying on court remedies for enforcement.

In Effect UK

UK AI Approach

Sector-specific, principles-based approach using existing regulators. Five cross-sector principles guide regulatory application rather than horizontal AI legislation.

In Effect US-SD

SD Deepfakes Act

Prohibits disseminating deepfakes about candidates within 90 days of election with intent to cause injury. Class 1 misdemeanor with up to 1 year imprisonment and $2,000 fine. Affirmative defense for content with AI manipulation disclosure. Civil remedies available to AG, candidates, and depicted individuals.

Last updated February 17, 2026. Verify against primary sources before relying on this information.