UK DPA 2018
Data Protection Act 2018 (UK GDPR)
The UK's foundational data protection law, incorporating the UK GDPR (retained EU GDPR post-Brexit). Substantively mirrors EU GDPR with ICO as sole enforcer. Article 22 restricts automated decision-making; Article 9 classifies mental health as special category data; children's consent age set at 13. Parent framework for UK Children's Code; amended by DUA Act 2025.
Jurisdiction
United Kingdom
GB
Enacted
May 23, 2018
Effective
May 25, 2018
Enforcement
Information Commissioner's Office (ICO)
UK GDPR (retained EU GDPR) took effect 1 January 2021 post-Brexit; EU adequacy decision valid until 27 December 2025
What It Requires
Who Must Comply
This law applies to:
- Controllers/processors handling UK personal data
- Non-UK entities processing UK residents' data (extraterritorial reach)
Who bears obligations:
Safety Provisions
- Article 22 (UK GDPR): Right not to be subject to solely automated decisions with legal/significant effects
- Article 9: Mental health data is 'special category' requiring explicit consent or other lawful basis
- Children's consent threshold: 13 years (lower than EU default of 16)
- Articles 13/14: Transparency about automated decision-making logic and consequences
- DPIA mandatory for high-risk processing including AI systems affecting health decisions
- Data protection by design and by default
- Data subject rights (access, deletion, objection, portability)
- 72-hour breach notification to ICO
Compliance Timeline
Dec 27, 2025
EU adequacy decision expires (may be renewed)
Enforcement
Enforced by
Information Commissioner's Office (ICO)
Penalties
£17.5M or 4% revenue (whichever higher)
Up to £17.5 million or 4% global annual turnover (whichever higher). ICO prefers working with organisations to find resolution; focuses formal enforcement on reckless or deliberate harms.
Private Right of Action
Individuals can sue directly without waiting for regulatory action. This significantly increases liability exposure.
Quick Facts
- Binding
- Yes
- Mental Health Focus
- Yes
- Child Safety Focus
- Yes
- Algorithmic Scope
- Yes
- Private Action
- Yes
Why It Matters
Foundation for all UK data protection. If you process UK user data—especially mental health signals or children's data—this is your baseline. The UK Children's Code (AADC) is issued under this Act. Companion AI processing emotional/mental health data triggers special category requirements.
Recent Developments
Data (Use and Access) Act 2025 amends DPA 2018, adding ICO interview notice powers and provisions for AI training transparency. EU adequacy decision due for renewal December 2025.
What You Need to Comply
You need: lawful basis (explicit consent for mental health data under Art. 9); DPIA for high-risk AI processing; data minimisation and retention policies; user rights workflows; Art. 22 posture for significant automated decisions; age verification for children under 13.
Cite This
APA
United Kingdom. (2018). Data Protection Act 2018 (UK GDPR). Retrieved from https://nope.net/regs/uk-dpa-2018
BibTeX
@misc{uk_dpa_2018,
title = {Data Protection Act 2018 (UK GDPR)},
author = {United Kingdom},
year = {2018},
url = {https://nope.net/regs/uk-dpa-2018}
}
Related Regulations
DUA Act 2025
Omnibus data legislation covering customer data access, digital verification services, the Information Commission, and AI-related provisions including copyright/training transparency requirements and new criminal offenses for creating AI-generated intimate images (deepfakes).
Ofcom Children's Codes
Ofcom codes requiring user-to-user services and search services to protect children from harmful content including suicide, self-harm, and eating disorder content. Explicitly covers AI chatbots that enable content sharing between users. Requires detection technology, content moderation, and recommender system controls.
Israel Privacy Amendment 13
Israel's most significant privacy reform in 40 years, explicitly covering AI systems. Requires Data Protection Officers (DPOs) for entities processing sensitive data at scale, mandates Data Protection Impact Assessments (DPIAs) before AI deployment, and enhances Protection of Privacy Authority enforcement powers. One of the first data protection laws to explicitly require DPIAs before AI development or deployment.
Lebanon Law 81/2018
Lebanon's electronic transactions and data protection law lacking independent supervisory authority, relying on court remedies for enforcement.
UK AI Approach
Sector-specific, principles-based approach using existing regulators. Five cross-sector principles guide regulatory application rather than horizontal AI legislation.
TN ELVIS Act
Protects individuals from unauthorized AI-generated use of their name, photograph, voice, or likeness. Explicitly covers AI-generated voice simulations. Criminal and civil penalties including treble damages for knowing violations.