Data Protection Act 2018

Category: Compliance & AML · Reviewed by Taylor Watts, Broker · New Business · Last reviewed June 2026

The UK primary data protection statute that supplements UK GDPR, transposes the Law Enforcement Directive, and sets the rules for processing by the intelligence services — together with extensive Schedules of exemptions and supplementary conditions.

Definition

The Data Protection Act 2018 (DPA 2018) is the principal UK primary statute on data protection. It works hand-in-hand with the UK GDPR, supplementing its provisions, providing specific Member State derogations (now UK derogations), implementing the Law Enforcement Directive, and providing the statutory framework for processing by the intelligence services. It also makes provision for the Information Commissioner and her powers.

Legal / Regulatory basis

The Data Protection Act 2018 received Royal Assent on 23 May 2018 and came fully into force from 25 May 2018. It implements (now retains) the EU Law Enforcement Directive (Directive (EU) 2016/680) for Part 3 processing. Subsequent amendments have been made by the European Union (Withdrawal) Act 2018 and various statutory instruments.

How it works in practice

Part 1 covers preliminary matters. Part 2 supplements the UK GDPR including the special category exemptions and conditions. Part 3 covers law enforcement processing. Part 4 covers intelligence services processing. Part 5 establishes the Information Commissioner and her functions. Part 6 covers enforcement powers including monetary penalty notices, enforcement notices and information notices. Part 7 covers supplementary provisions. Schedule 1 is critical for special category processing — listing additional conditions including substantial public interest, employment, occupational health, insurance, equality monitoring and many others.

Common variations

Schedule 1 Part 2 paragraph 20 (insurance) and Schedule 1 Part 2 paragraph 11 (preventing or detecting unlawful acts) are particularly important conditions for insurance processing. Schedule 2 sets out exemptions to data subject rights for crime prevention, regulatory compliance, journalism and certain other public-interest purposes.

Example

Apex’s privacy notice signposts the UK GDPR Article 6 lawful basis (contract / legitimate interests / consent) and, for special category data, the Article 9 condition and the corresponding DPA 2018 Schedule 1 paragraph. Records of processing under Article 30 reference both legal frameworks together.

References

Data Protection Act 2018. UK GDPR. UK retained Law Enforcement Directive (Directive (EU) 2016/680). European Union (Withdrawal) Act 2018.

Last reviewed

By Matt Bartlett, Director, on 2026-06-11.

This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-11. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.
