DPA 2018
The UK Data Protection Act 2018 is the domestic legislation that implemented GDPR into UK law before Brexit — and continues to govern data protection in the UK alongside UK GDPR.
The Data Protection Act 2018 (DPA 2018) is the UK's primary data protection legislation. It implemented EU GDPR into UK law before Brexit, supplemented it with UK-specific provisions, and addressed processing activities not covered by GDPR — including law enforcement processing (Part 3) and intelligence services processing (Part 4). Since Brexit, the DPA 2018 continues in force alongside UK GDPR, which is the retained EU GDPR incorporated into UK law by the European Union (Withdrawal) Act 2018.
For most commercial organizations, practical compliance requirements flow primarily from UK GDPR — with the DPA 2018 providing supplementary provisions including: the list of conditions for processing special category data under Schedule 1, the research and statistics exemptions in Part 6, and the provisions governing ICO powers and enforcement. The DPA 2018 and UK GDPR must be read together — neither operates independently for commercial data processing.
The DPA 2018 includes provisions that diverge from EU GDPR in ways that matter for engineering teams. Schedule 1 created a broader set of conditions for processing special category data — including employment and social security purposes, preventive or occupational medicine, and substantial public interest conditions. Organizations processing special category data in the UK must verify which Schedule 1 condition applies, maintain documentation of that condition, and in some cases have an Appropriate Policy Document (APD) in place — a requirement with no direct EU GDPR equivalent.
We design UK data protection compliance for the DPA 2018 and UK GDPR together — implementing the appropriate Schedule 1 conditions for special category processing, building Appropriate Policy Documents into the governance framework where required, and designing systems that satisfy ICO enforcement expectations across all UK data processing activities.