Data Protection Act 2018

The Data Protection Act 2018 replaces the Act of 1998, though in reality most of the legal rights and obligations for data protection are contained within the General Data Protection Regulation (GDPR). This is now known as the UKGDPR.

The Data Protection Act 2018 covers a limited number of areas where the GDPR does not apply:

The key areas are:

1. Data processing outside the GDPR, for example, immigration data collated by organisations and government departments.


2. The processing of data for criminal "law enforcement purposes".


3. Processing of data relating to national security.


4. The powers of the Information Commissioner’s Office (ICO).


As the Data Protection Act 1998 has been replaced these powers need to be included within the 2018 Act.

For both employers and employees, the most relevant area is law enforcement. The police and other organisations with relevant powers can request data on individuals when investigating a crime.

As a practical example where the police request details of who was driving a company vehicle on a specific day, the employer has to comply with this request and does not have to consider the implications of handing over the personal details/data of the driver. Furthermore, the employer should not actually notify the person of the data request in case this hampers the criminal process.

If however, an employee is a victim of crime and the police require the information we would recommend seeking the permission of the victim first. Strictly, this is not necessary, but we would recommend it as a "belt & braces" approach. It also reassures the victim that matters are being handled correctly and offers them some degree of control.

So the Data Protection Act 2018 will replace and incorporate parts of the 1998 Act. But, importantly it provides for exceptions to the GDPR, where it would be counter-productive for the GDPR to apply.