---
title: "UK GDPR vs Data Protection Act 2018"
canonical_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/uk-gdpr-vs-data-protection-act-2018"
source_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/uk-gdpr-vs-data-protection-act-2018"
author: "Sorena AI"
description: "Compare the UK GDPR and the Data Protection Act 2018, including what the UK GDPR does directly and where the DPA 2018 supplements, restricts, or extends it."
keywords:
  - "UK GDPR vs Data Protection Act 2018"
  - "DPA 2018 vs UK GDPR"
  - "UK privacy law comparison"
  - "UK GDPR vs DPA 2018"
  - "Data Protection Act 2018"
  - "UK privacy law"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# UK GDPR vs Data Protection Act 2018

Compare the UK GDPR and the Data Protection Act 2018, including what the UK GDPR does directly and where the DPA 2018 supplements, restricts, or extends it.

*Comparison* *UK GDPR*

## UK GDPR vs Data Protection Act 2018

Understand how the UK GDPR and DPA 2018 fit together in practice.

The UK GDPR carries the general rules, while the Data Protection Act 2018 fills in UK specific details and additional regimes.

Many teams cite the UK GDPR and the Data Protection Act 2018 interchangeably, but they do different jobs. Good compliance work knows which source answers which question.

## What the UK GDPR does

The UK GDPR is the main framework for principles, lawful basis, rights, transparency, security, records, transfers, and breaches. It is the starting point for most private sector compliance work.

- Use the UK GDPR for principles, lawful basis, rights, security, and transfers
- Treat Articles 30, 32, 33, 34, and 35 as core operational requirements
- Use ICO guidance to interpret how those duties work
- Build your control matrix around the UK GDPR first

## What the DPA 2018 adds

The Data Protection Act 2018 supplements the UK GDPR with UK specific exemptions, conditions for certain processing, regulator powers, and separate regimes such as law enforcement processing.

- Check the DPA 2018 for exemptions and restrictions to rights
- Use it for law enforcement and intelligence services processing regimes
- Review it when assessing regulator powers and procedural issues
- Use it with the UK GDPR rather than instead of the UK GDPR

## Operational implication

The practical lesson is simple: write policies, notices, and workflows so they reference the right authority. A weak legal map leads to weak exception handling and weak complaint responses.

- Keep a legal interpretation log that cites the correct source
- Train support teams on when a request is refused under a DPA 2018 exception
- Escalate unusual sector specific processing for specialist review
- Retain the legal rationale behind any rights restriction or exemption

*Recommended next step*

*Placement: after the comparison section*

## Use UK GDPR vs Data Protection Act 2018 as a cited research workflow

Research Copilot can take UK GDPR vs Data Protection Act 2018 from how this topic compares with adjacent regulations or standards to a reusable workflow inside Sorena. Teams working on UK GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for UK GDPR vs Data Protection Act 2018](/solutions/research-copilot.md): Start from UK GDPR vs Data Protection Act 2018 and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through UK GDPR](/contact.md): Review your current process, evidence gaps, and next steps for UK GDPR vs Data Protection Act 2018.

## Primary sources

- [UK GDPR on legislation.gov.uk](https://www.legislation.gov.uk/eur/2016/679/contents?ref=sorena.io) - UK legislative text.
- [Data Protection Act 2018](https://www.legislation.gov.uk/ukpga/2018/12/contents?ref=sorena.io) - UK statute supplementing the UK GDPR.
- [ICO UK GDPR guidance and resources](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/?ref=sorena.io) - Primary ICO guidance hub.
- [ICO guide to accountability and governance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/?ref=sorena.io) - Accountability, records, and contracts guidance.

## Related Topic Guides

- [IDTA vs EU SCCs | UK GDPR Transfer Tool Comparison](/artifacts/uk/uk-gdpr/idta-vs-eu-sccs.md): Compare the UK IDTA, UK Addendum, and EU standard contractual clauses for UK GDPR transfer compliance, contract selection, and transfer risk assessments.
- [UK GDPR Applicability Test | Territorial Scope and Roles](/artifacts/uk/uk-gdpr/applicability-test.md): Assess UK GDPR territorial scope, controller or processor role, special category triggers, and UK transfer exposure with a defensible applicability test.
- [UK GDPR Breach Notification | 72 Hour ICO Reporting Guide](/artifacts/uk/uk-gdpr/breach-notification.md): Operational guide to UK GDPR breach notification, including the 72 hour ICO deadline, processor escalation, breach logging.
- [UK GDPR Checklist | Practical Compliance Checklist](/artifacts/uk/uk-gdpr/checklist.md): Practical UK GDPR checklist for accountability, lawful basis, Article 30 records, processor contracts, rights handling, transfers, and breach readiness.
- [UK GDPR Children and Age Appropriate Design](/artifacts/uk/uk-gdpr/children-and-age-appropriate-design.md): Implement the UK Children's Code with grounded guidance on likely to be accessed tests, high privacy defaults, profiling limits, geolocation, age assurance.
- [UK GDPR Compliance Program | Operating Model Guide](/artifacts/uk/uk-gdpr/compliance.md): Build a UK GDPR compliance program with accountability, Article 30 records, DPIAs, controller processor contracts, rights operations, transfer controls.
- [UK GDPR Data Subject Rights | One Month Response Guide](/artifacts/uk/uk-gdpr/data-subject-rights.md): Operational guide to UK GDPR data subject rights, including access, rectification, erasure, restriction, portability, objection.
- [UK GDPR Deadlines and Compliance Calendar](/artifacts/uk/uk-gdpr/deadlines-and-compliance-calendar.md): Calendar view of UK GDPR milestones, including January 1, 2021 applicability, March 2022 transfer tools, one month rights deadlines.
- [UK GDPR FAQ | Practical Questions and Answers](/artifacts/uk/uk-gdpr/faq.md): Practical UK GDPR FAQ covering scope, lawful basis, rights timing, breach reporting, transfers, children, and enforcement exposure.
- [UK GDPR Penalties and Fines | Enforcement Exposure Guide](/artifacts/uk/uk-gdpr/penalties-and-fines.md): Guide to UK GDPR penalties and fines, including the 17.5 million pounds or 4 percent upper tier, the 8.7 million pounds or 2 percent standard tier.
- [UK GDPR Requirements | Control Level Requirements Guide](/artifacts/uk/uk-gdpr/requirements.md): Control level UK GDPR requirements covering principles, lawful basis, transparency, rights, Article 30 records, security, contracts, transfers, and DPIAs.
- [UK GDPR Transfers, IDTA, and UK Addendum](/artifacts/uk/uk-gdpr/transfers-idta-and-uk-addendum.md): Detailed UK GDPR international transfers guide covering adequacy, UK IDTA, UK Addendum, transfer risk assessments, vendor governance, and UK bridge reliance.
- [UK GDPR vs EU GDPR | Practical Comparison](/artifacts/uk/uk-gdpr/uk-gdpr-vs-eu-gdpr.md): Practical comparison of the UK GDPR and EU GDPR, including scope, transfers, regulators, adequacy, and operational divergence for multinational programmes.
- [UK vs EU GDPR Differences | Operational Differences List](/artifacts/uk/uk-gdpr/uk-vs-eu-differences.md): Operational differences between the UK and EU privacy regimes, including transfer tools, adequacy lists, regulators, notices, and programme governance.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/uk-gdpr/uk-gdpr-vs-data-protection-act-2018