Data Protection Act 2018 & UK GDPR: What Businesses Must Know | Sprintlaw UK (2025)

Whether you’re launching an online shop, building your first SaaS startup, or running a bricks-and-mortar business, you’ve probably heard that “data protection law” is something you can’t afford to ignore. In the UK, the main laws are the Data Protection Act 2018 (DPA 2018) and the UK GDPR (the UK’s version of the General Data Protection Regulation). And if you’re handling any customer or employee personal information, these rules absolutely apply to you.

Data protection might sound technical or bureaucratic, but it’s really about doing the right thing with people’s data and protecting your business from nasty legal consequences. In this guide, we’ll break down what the law actually requires, how the DPA 2018 and UK GDPR fit together (and with EU GDPR post-Brexit), and what steps you should take to stay compliant from day one.

Ready to get your head around the essentials? Read on for a practical walkthrough for UK startups and SMEs – no jargon, no panic, just clear advice.

What Is The Data Protection Act 2018 & UK GDPR?

If you’re new to data protection, let’s start with the basics. The UK GDPR is the UK’s version of the European GDPR, retained in domestic law and adapted for life outside the EU following Brexit, and it carries the core rules. The Data Protection Act 2018 (DPA 2018) sits alongside it and completes the picture.

The UK GDPR sets out the core principles, rights and obligations for handling personal data. Meanwhile, the DPA 2018 fills in the gaps (like exemptions, enforcement, and rules about national security or law enforcement processing). So, if you process personal data in the UK – almost every workplace does – you have to comply with both.

For businesses that operate or target customers in the EU, you’ll also need to understand the original EU GDPR rules and how they interact with the UK’s approach.

The main goals? Give people control over their data, protect privacy, and make sure businesses follow fair and secure practices. Non-compliance can lead to stiff penalties, plus serious reputational harm.

What Personal Data Is Protected?

Under both UK GDPR and DPA 2018, personal data means any information relating to an identified or identifiable living person. This covers obvious things (like names, emails, phone numbers, home addresses), but also online identifiers (like IP addresses, device IDs or cookies), HR records, and more. Pseudonymised data (say, a customer ID that you can still link back to a person) is still personal data; only data that is genuinely anonymised falls outside the rules.

There are extra rules for ‘special category data’ – things like health information, racial or ethnic origin, religious beliefs, sexual orientation, genetic and biometric data, and more. To process it you need both a normal lawful basis and a separate special-category condition, such as the person’s explicit consent, and you must apply stronger safeguards. Criminal offence data has its own, similar set of conditions under the DPA 2018.

What Are The Core Principles Of UK GDPR?

The GDPR – and by extension, the DPA 2018 – is built on seven key principles. They’re at the heart of everything you must do with personal data. Here’s what they mean for your business:

  • Lawfulness, Fairness and Transparency: Only collect and process data if you have a valid legal basis, and always explain in clear, simple terms how and why you’re using it (learn more about Privacy Policies).
  • Purpose Limitation: Collect personal data only for specified, explicit, and legitimate purposes – don’t use data for something unrelated down the track.
  • Data Minimisation: Only gather the data you really need – don’t collect extra “just in case”.
  • Accuracy: Keep data accurate and up to date. If someone tells you their contact info has changed, update your records.
  • Storage Limitation: Don’t keep data longer than necessary. Set retention periods and make sure you delete or anonymise what you no longer need.
  • Integrity and Confidentiality: Take “appropriate” steps (technical and organisational) to keep data safe – think access controls, passwords, and staff training.
  • Accountability: You must be able to show you comply with these principles – so good documentation and records are essential.

Failing any of these principles puts you at risk of enforcement action – and can erode trust with your customers. Treat them as your data protection checklist.

What Key GDPR Requirements Should My Business Know?

Beyond the core principles, there are some important obligations in GDPR and the Data Protection Act 2018 that every UK business needs to understand and follow. Let’s look at the big ones.

Valid Consent

If you rely on consent to process personal data, it must be:

  • Freely given – a genuine choice, not bundled into your terms or made a condition of using your product when the data isn’t needed to provide it.
  • Specific and informed – you have to explain exactly what data you collect and what you’ll do with it, in clear and plain language, separately for each purpose.
  • Unambiguous – people must take a clear affirmative action (like ticking a box or clicking “I agree”); pre-ticked boxes, silence or simply continuing to browse don’t count.
  • Easy to withdraw – withdrawing must be as simple as giving consent, at any time, and you should keep a record of who consented to what and when.

This matters especially if you run an online business, collect marketing consents, or process sensitive data – see our guide to data privacy consent forms.

Data Subjects’ Rights

Under GDPR, individuals (your customers, staff, or users) have important rights over their personal data:

  • The right to be informed about how their data is used
  • The right of access (to see what data you hold on them)
  • The right to rectification (to correct errors)
  • The right to erasure (“the right to be forgotten”)
  • The right to restrict or object to processing
  • The right to data portability (getting a copy in a portable, machine-readable format)
  • Rights in relation to automated decision-making and profiling (not to be subject to a purely automated decision with legal or similarly significant effects, without safeguards)

You must have clear procedures to respond to these rights within set timeframes: usually one month from receipt, extendable by up to two further months for complex or numerous requests, provided you tell the person within the first month. Check out our full overview of GDPR rights and obligations.

Data Protection Impact Assessments (DPIAs)

If you’re planning “high risk” processing – for example, large-scale monitoring of individuals, handling special category data at scale, or using new technologies – you must conduct a Data Protection Impact Assessment (DPIA) before the processing starts. This describes the processing, assesses the risks to individuals and sets out how you’ll reduce them. If the DPIA shows a high risk you can’t bring down, you must consult the ICO before going ahead.
For most startups, DPIAs aren’t an everyday requirement, but if you’re entering health tech, biometrics, or advanced analytics, they become crucial.

Data Protection Officers (DPOs)

Some organisations must appoint a Data Protection Officer (DPO): public authorities, and any business whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data. What matters is the nature and scale of the processing, not headcount. The DPO oversees compliance, educates staff, and acts as a point of contact for regulators and data subjects.

Small businesses usually won’t need a formal DPO, but you should still name someone responsible for data protection – and make sure they have the knowledge and support needed.

Breach Notification Duties

If you suffer a personal data breach – like a hack, leak, or accidental loss or destruction – you must report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware, unless it is unlikely to result in a risk to people’s rights and freedoms. If the breach is likely to result in a high risk to individuals, you must also tell the affected people without undue delay. Every breach, reportable or not, must be logged internally with what happened, its effects and what you did about it.
Have a clear data breach response plan in place (and make sure all staff know what to do and who to tell).

Privacy by Design and Default

The law requires you to embed privacy and security into every stage of your operations (‘privacy by design’). This means:

  • Limiting what data you collect and how you use it right from the start of any new project, service, or app
  • Making sure access is restricted (only those who really need it get it)
  • Building in safeguards for sensitive or high-risk data

Don’t tack on privacy as an afterthought. It should be part of your business planning, tech builds, marketing, and team training.

What Practical Steps Do Businesses Need To Take?

So how do these laws actually affect your day-to-day work? Whether you’re a founder, operations lead, or managing a small team, here’s a practical compliance checklist:

  • Review and update your Privacy Policy. Your Privacy Policy must be up to scratch, easy to find, and written in simple language. Clearly explain what data you collect, how you use it, who you share it with, and people’s rights.
  • Audit your processes and data flows. Map what personal data you collect, what it’s used for, where it’s stored, and who has access to it. This includes physical records and digital files (cloud storage counts).
  • Limit and secure access. Use strong passwords with multi-factor authentication, encrypt data in transit and at rest, keep systems patched, and train staff not to share logins or send sensitive information by unencrypted email. Apply “least privilege” access – staff only see the data they need to do their job – and review who has access regularly.
  • Train your team. Make data protection part of your onboarding process and provide refreshers so everyone understands their responsibilities.
  • Have contracts with third party processors. If you work with third party vendors (like SaaS providers, payroll or marketing agencies) who handle your data, have a data processing agreement in place that covers legal requirements.
  • Be ready to respond to data subject requests. Have simple procedures for access, correction, and deletion requests – and meet the deadlines!
  • Plan for data breaches. Document who is responsible and your process for reporting and managing breaches quickly. Communicate with the ICO and affected customers where necessary.
  • Review marketing practices. Double-check rules for email marketing and customer consent (see our guide on email marketing laws).

For more, see our quick tips for GDPR compliance – a handy starting point for any business.

What About Cookie Consent And ePrivacy Rules?

If your business website uses cookies (and let’s face it, almost all do), you have extra responsibilities under UK law, including the Privacy and Electronic Communications Regulations (PECR).

You must:

  • Inform users about the cookies you use, what each type does and how long it lasts
  • Obtain clear, affirmative consent before setting most cookies (only those strictly necessary to run the site, such as a login session or a shopping basket, are exempt; analytics and advertising cookies are not)
  • Make it as easy for users to reject non-essential cookies as to accept them, and to change their mind later

This goes beyond an “OK to cookies?” banner – it means a properly designed cookie consent notice and transparent information about use. For practical advice, read our guide: Do I Need A Cookie Pop-Up?
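The gate described above, as an added example that is not part of Sprintlaw’s article: non-essential cookies stay off the device until the user opts in, the default is “no consent”, and withdrawal removes anything already set. The cookie categories, cookie names and the storage adapter are assumptions made for illustration, not a real site’s configuration.

```javascript
// Added example (not from Sprintlaw or the original article): a consent gate
// that keeps non-essential cookies off the device until the user opts in, and
// drops them again on withdrawal. Category names, cookie names and the store
// adapter are illustrative assumptions, not a real site's configuration.

// Which cookies belong to which purpose. Only "necessary" may be set without
// consent; analytics and marketing cookies are not "strictly necessary" under PECR.
const COOKIE_CATEGORIES = {
  necessary: { requiresConsent: false, cookies: ["session_id", "csrf_token", "cookie_consent"] },
  analytics: { requiresConsent: true, cookies: ["_ga", "_gid"] },
  marketing: { requiresConsent: true, cookies: ["ad_click_id"] },
};

// Small adapter so the same logic runs against document.cookie in a browser
// or an in-memory jar in Node (pass null to force the in-memory jar).
function makeCookieStore(doc = typeof document !== "undefined" ? document : null) {
  if (doc) {
    return {
      set: (name, value) => { doc.cookie = `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`; },
      remove: (name) => { doc.cookie = `${name}=; Path=/; Max-Age=0`; },
      has: (name) => doc.cookie.split("; ").some((c) => c.startsWith(`${name}=`)),
    };
  }
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    has: (name) => jar.has(name),
  };
}

class ConsentManager {
  constructor(store) {
    this.store = store;
    // Nothing is recorded until the user acts: the default is "no consent",
    // never a pre-ticked box or consent inferred from scrolling.
    this.consent = null;
  }

  // Call only from an explicit user action (Accept, Reject, Save preferences).
  // Categories the user did not tick default to false.
  recordChoice(choices) {
    this.consent = { analytics: false, marketing: false, ...choices, recordedAt: new Date().toISOString() };
    // The decision itself is strictly necessary, so it may always be stored.
    this.store.set("cookie_consent", JSON.stringify(this.consent));
    // Remove anything already set for a category the user has not agreed to.
    for (const [category, spec] of Object.entries(COOKIE_CATEGORIES)) {
      if (spec.requiresConsent && !this.consent[category]) {
        spec.cookies.forEach((name) => this.store.remove(name));
      }
    }
    return this.consent;
  }

  // Withdrawal must be as easy as giving consent: one call clears every opt-in.
  withdraw() {
    return this.recordChoice({ analytics: false, marketing: false });
  }

  allowed(category) {
    const spec = COOKIE_CATEGORIES[category];
    if (!spec) throw new Error(`unknown cookie category: ${category}`);
    return !spec.requiresConsent || Boolean(this.consent && this.consent[category]);
  }

  // Every cookie-setting path goes through here, so tag managers or analytics
  // snippets cannot bypass the consent check. Returns whether the cookie was set.
  setCookie(category, name, value) {
    if (!COOKIE_CATEGORIES[category]?.cookies.includes(name)) {
      throw new Error(`${name} is not registered under category ${category}`);
    }
    if (!this.allowed(category)) return false;
    this.store.set(name, value);
    return true;
  }
}
```

In a real site the banner’s Accept, Reject and Save buttons are the only callers of recordChoice, and the analytics or advertising loader checks allowed("analytics") before it runs rather than firing on page load. Because setCookie refuses names that aren’t registered under a category, a new tracking cookie can’t slip in unclassified; someone has to decide up front whether it is strictly necessary, which is exactly the question PECR asks.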

If you’re running an e-commerce platform, a subscription model, or a digital marketplace, be sure to review your online terms and privacy/cookie policies carefully – see our Website Terms and Conditions service for more details.

What Are The Penalties And Enforcement Risks?

The Information Commissioner’s Office (ICO) is the UK’s regulator for data protection law. They have power to investigate, inspect, and enforce compliance.

Failure to comply with the DPA 2018 and UK GDPR can lead to:

  • Warnings or reprimands – an early intervention, but can escalate
  • Enforcement notices – ordering you to change or stop your practices
  • Hefty fines – up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious breaches, and up to £8.7 million or 2% for lesser ones such as failing to report a breach or keep proper records
  • Reputational harm and loss of business

In reality, very large fines tend to hit bigger companies with repeated or wilful breaches. But even small businesses can get into trouble for mishandling data, failing to report breaches, or ignoring people’s rights – so don’t take any chances.

How Has Brexit Changed Data Protection?

With the UK’s exit from the EU, GDPR was “retained” in UK law as the UK GDPR, with some small tweaks (mainly, references to UK regulators instead of “EU” ones). The key principles and rules remain the same.

However, if you trade with, have staff in, or target customers in the EU, you’ll also need to follow the EU GDPR – and may need to appoint a representative in the EU. International data transfers now need a lawful route. Transfers between the UK and the EEA are covered by adequacy decisions on each side. For transfers from the UK to a country without UK adequacy regulations (for example, a cloud provider hosting data in the US without an approved mechanism), you need an appropriate safeguard, normally the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), together with a transfer risk assessment of the destination country’s protections.

If in doubt, ask a data protection specialist or lawyer about your specific cross-border risks.

What Legal Documents Will I Need?

To comply with the DPA 2018 and UK GDPR, most businesses will need:

  • Privacy Policy (and possibly a separate Employee Privacy Notice)
  • Cookie Policy for your website
  • Data Processing Agreements with any third parties handling data for you
  • Record of Processing Activities (what data you hold, why, where, who it’s shared with and for how long), which most businesses must keep
  • Internal data protection procedures and breach response plan
  • Consent wording and forms (if relying on consent for any processing)
  • DPIA template for high-risk processing reviews

You can get a GDPR-compliant Privacy Policy or tailored bundle for your business from Sprintlaw, or chat to us for help reviewing your setup.

Key Takeaways

  • The Data Protection Act 2018 and UK GDPR set the ground rules for how every business (big or small) can lawfully process personal data in the UK.
  • Understand and follow the core data protection principles: lawfulness, transparency, data minimisation, accuracy, storage limitation, security, and accountability.
  • Meet GDPR obligations around valid consent, data subjects’ rights, breach notification, DPIAs, and privacy by design – with robust internal procedures to match.
  • Handle cookies and marketing activity in line with ePrivacy and PECR, including using appropriate cookie pop-ups and opt-in mechanisms.
  • Penalties for non-compliance can be severe. Prioritise training, audit your processes, and keep your legal documents up to date.
  • Post-Brexit, you must carefully manage international data transfers and may need to comply with both UK and EU GDPR if your business operates across those borders.
  • Getting tailored advice and the right documents in place early protects your business and builds trust with customers.

If you’d like help with UK data protection compliance or need tailored legal documents, you can reach us at 08081347754 or [emailprotected] for a free, no-obligation chat. We’re here to help you get your business set up for success and privacy compliance from day one.

Alex Solo

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
