DPA 2018 vs UK GDPR: Which Law Applies to Your Website?
Steven | TrustYourWebsite · 8 May 2026 · Last updated: May 2026
UK businesses frequently encounter two pieces of legislation when reading about data protection: the Data Protection Act 2018 (DPA 2018) and the UK GDPR. Understanding how they relate to each other is important for working out which rules apply to your website, and when exemptions or special provisions are in play.
The short answer is that they work together. UK GDPR provides the main data protection framework — the lawful bases, the data subject rights, the accountability obligations. The DPA 2018 supplements UK GDPR by providing exemptions, covering processing outside UK GDPR's scope, and establishing the ICO's institutional framework. You cannot read one without the other.
To check your website's compliance position against UK GDPR and the DPA 2018, run a free scan at /uk/en/scan.
How UK GDPR came to exist
When the UK left the European Union, the EU's General Data Protection Regulation could no longer apply in the UK of its own force. The European Union (Withdrawal) Act 2018 solved this by "retaining" the GDPR as a piece of UK domestic law at the end of the transition period (31 December 2020, "IP completion day"). This retained version is called the UK GDPR.
The retained text was then amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 so that it works as standalone UK legislation: references to "Member States" became references to the UK, the functions of supervisory authorities and the European Data Protection Board were assigned to the Information Commissioner, and so on. The same regulations amended the DPA 2018 so that the two instruments fit together. The DUAA 2025 subsequently made further amendments, but the fundamental architecture of the UK GDPR as retained law remains in place.
The result is that, from a business perspective, UK GDPR looks and reads almost identically to EU GDPR: the same Article 6 lawful bases (the DUAA 2025 added a "recognised legitimate interests" ground, covered below), the same data subject rights, the same breach notification rules. The practical divergences are targeted and specific.
What the DPA 2018 adds
The DPA 2018 does not simply duplicate UK GDPR. It fills three gaps.
Supplementing UK GDPR
UK GDPR contains a number of provisions that leave it to domestic law (originally Member State law, now UK law) to specify how they apply. The DPA 2018 does this for the UK. For example, several of the conditions in UK GDPR Article 9(2) for processing special category data only work where domestic law provides a basis for them, including the substantial public interest condition in Article 9(2)(g). Schedule 1 of the DPA 2018 supplies those bases: Part 1 covers employment, health and social care, and research; Part 2 lists 23 substantial public interest conditions, covering areas such as journalism, safeguarding, fraud prevention and equality monitoring; and Part 3 covers criminal convictions and offences data.
If your organisation processes special category data (health information, biometric data used to identify someone, religious beliefs, sexual orientation) you need three things: an Article 6 lawful basis, an Article 9(2) condition, and, where that condition depends on domestic law (Article 9(2)(b), (g), (h), (i) and (j) do; explicit consent under 9(2)(a) does not), the specific Schedule 1 DPA 2018 condition that applies. An Article 9 condition that rests on domestic law is not satisfied without its Schedule 1 counterpart, and most Schedule 1 conditions also require you to have an "appropriate policy document" in place.
Processing outside UK GDPR scope
UK GDPR explicitly does not apply to certain types of processing: processing by competent authorities for law enforcement purposes (the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties), and processing by the intelligence services for national security and defence purposes.
These gaps are filled by Parts 3 and 4 of the DPA 2018 respectively. Part 3 implements (and now retains in UK law) the EU Law Enforcement Directive for police forces, the CPS, the courts and similar competent authorities. Part 4 covers processing by the intelligence services. For commercial website operators, these provisions are generally not directly relevant unless you act as a processor for a competent authority, in which case Part 3's processor obligations apply to that processing instead of UK GDPR's.
Exemptions from UK GDPR obligations
Schedule 2 of the DPA 2018 lists exemptions that restrict or modify UK GDPR obligations in specified circumstances. These are the provisions that most directly affect commercial businesses.
The most commonly encountered exemptions for website operators are:
Crime and taxation (Schedule 2, paragraph 2): personal data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of tax is exempt from the listed UK GDPR provisions (chiefly the transparency information in Articles 13 and 14 and the rights in Articles 15 to 21, including subject access) to the extent that applying them would be likely to prejudice those purposes. In practice this means a business can withhold part of a subject access response if complying would, for example, alert someone that they are under investigation for fraud. The exemption is applied item by item, not to the whole request.
Regulatory functions (Schedule 2, paragraphs 7 to 11): processing by bodies exercising regulatory or protective functions (the FCA, the ICO, auditors and sector regulators, among others) is exempt from certain data subject rights to the extent that applying them would prejudice the proper discharge of the function. It is the regulator, not the regulated business, that relies on this exemption.
Journalism, academic, artistic and literary purposes (Schedule 2, paragraph 26): where processing is carried out with a view to publication, certain UK GDPR obligations are disapplied. The exemption requires the controller to reasonably believe that publication would be in the public interest and that compliance with the provision in question would be incompatible with the special purpose. Research, statistics and archiving have their own, narrower exemptions in paragraphs 27 and 28. These are relevant for news publishers and research organisations, not for commercial e-commerce sites.
Legal professional privilege (Schedule 2, paragraph 19): material subject to legal professional privilege, or to a duty of confidentiality owed by a professional legal adviser, is exempt from the obligation to disclose it in response to a subject access request. This matters for solicitors, but equally for any organisation that holds privileged legal advice about the requester, for example in a dispute.
For most small business websites operating a standard e-commerce or service model, none of these exemptions typically apply to routine data processing. They become relevant in specific situations — handling a subject access request alongside a fraud investigation, for example, or a research-oriented publication protecting source data.
Which law applies: a practical decision tree
For commercial website operators, the starting point in any data protection analysis is UK GDPR. Ask:
Does the processing involve personal data of identified or identifiable individuals, within the territorial scope set by Article 3? If yes, UK GDPR applies.
Is there a lawful basis for the processing under Article 6 (and, for special category data, a condition under Article 9(2), supplemented where that condition requires it by a DPA 2018 Schedule 1 condition)? If yes, the processing may be lawful, subject to the other UK GDPR principles and obligations.
Does a DPA 2018 Schedule 2 exemption modify the usual UK GDPR obligations for this particular processing or this particular individual's request? Review Schedule 2 only when a concrete scenario triggers it — not as a general override.
This sequencing — UK GDPR first, DPA 2018 exemptions as modifiers — is how the ICO approaches compliance. Treating DPA 2018 exemptions as a starting point is a common error that understates the breadth of UK GDPR obligations.
Enforcement and remedies
The ICO enforces both UK GDPR and the DPA 2018. Its primary powers are:
Reprimands and enforcement notices (requiring specific corrective action).
Administrative fines (section 157 DPA 2018): up to £17.5 million or 4% of total annual worldwide turnover, whichever is higher, for the most serious UK GDPR infringements; up to £8.7 million or 2%, whichever is higher, for the lower tier.
Criminal prosecution: the DPA 2018 creates criminal offences for knowingly or recklessly obtaining, disclosing, procuring or retaining personal data without the controller's consent (section 170), re-identifying de-identified personal data without the consent of the controller responsible for de-identifying it (section 171), and altering, defacing, blocking, erasing, destroying or concealing information to prevent its disclosure in response to a subject access request (section 173).
Individual data subjects can bring civil claims for compensation for material or non-material damage caused by an infringement of UK GDPR. The right itself is in Article 82 UK GDPR; section 168 DPA 2018 confirms that "non-material damage" includes distress, and section 169 provides an equivalent right for infringements of the other data protection legislation. Claims are brought in the county court or the High Court, and the provision has been used as the basis for group litigation as well as individual claims.
After DUAA 2025
The Data (Use and Access) Act 2025 amended both UK GDPR and the DPA 2018 in a number of targeted ways. The ICO has been renamed the Information Commission, the legitimate interests ground has been supplemented by a list of "recognised legitimate interests," and the international transfer framework has been reformed. See DUAA 2025 changes for UK websites for a full account.
For an overview of how UK data protection compares to the EU framework, see UK GDPR versus EU GDPR after Brexit.
For a practical checklist of what your website currently needs to comply with UK GDPR and DPA 2018, run a free scan at /uk/en/scan.
Website Guides
Data (Use and Access) Act 2025: What It Changes for UK Websites
The Data (Use and Access) Act 2025 received Royal Assent in June 2025. This guide explains what DUAA changes for UK businesses — ICO reform, smart data, legitimate interests, and international transfers.
Legitimate Interests for Marketing: The UK GDPR Balancing Test
Legitimate interests under UK GDPR Article 6(1)(f) requires a three-part test. This guide explains when UK businesses can use LI for marketing, when they cannot, and how to document the assessment.