UK Data Protection Act 2018 + UK GDPR
UK Data Protection Act 2018 plus the UK GDPR (retained EU GDPR with UK amendments).
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (8)
Controller Obligations
| Code | Title |
|---|---|
| DPA s.17A-17C | Transfers based on adequacy regulations |
| UK GDPR Art.24-25 | Controller responsibility; data protection by design and default |
| UK GDPR Art.26 | Joint controllers |
| UK GDPR Art.28 | Processor contracts and obligations |
| UK GDPR Art.30 | Records of processing activities |
| UK GDPR Art.32 | Security of processing |
| UK GDPR Art.33 | Notification of personal data breach to the ICO |
| UK GDPR Art.34 | Communication of personal data breach to the data subject |
| UK GDPR Art.35 | Data protection impact assessment (DPIA) |
| UK GDPR Art.36 | Prior consultation with the ICO |
| UK GDPR Art.37-39 + DPA s.69-71 | Data Protection Officer |
| UK GDPR Ch.V Arts 44-49 | International data transfers |
ICO Powers
| Code | Title |
|---|---|
| DPA Part 5-6 (ss.115-181) | ICO functions, codes of practice, enforcement powers |
Intelligence Services (Part 4)
| Code | Title |
|---|---|
| DPA Part 4 | Intelligence services processing |
Law Enforcement (Part 3)
| Code | Title |
|---|---|
| DPA s.34 + Part 3 | Application of Part 3 to competent authorities (law enforcement processing) |
| DPA s.35 | First data protection principle (lawful and fair) for law enforcement |
| DPA s.36 | Second data protection principle (purposes) for law enforcement |
| DPA s.37 | Third data protection principle (data minimisation) for law enforcement |
| DPA s.38 | Fourth data protection principle (accuracy) for law enforcement |
| DPA s.39 | Fifth data protection principle (storage limitation) for law enforcement |
| DPA s.40 | Sixth data protection principle (security) for law enforcement |
| DPA s.42 | Safeguards: archiving |
| DPA s.43-44 | Rights of the data subject: information |
| DPA s.45 | Right of access by data subject (law enforcement) |
| DPA s.46-47 | Rights to rectification, erasure and restriction (law enforcement) |
| DPA s.49-50 | Automated decision-making (law enforcement) |
| DPA s.55-57 | Controller and processor obligations: data protection by design, joint controllers, processor contracts (law enforcement) |
| DPA s.61-65 | Logging, ROPA, security, breach notification (law enforcement) |
| DPA s.66-68 | Cooperation with the ICO; transfers of LE data to third countries |
Lawful Basis
| Code | Title |
|---|---|
| DPA s.8 | Lawfulness of processing: public interest etc. |
| UK GDPR Art.10 + DPA s.10-11 | Criminal convictions and offences data |
| UK GDPR Art.6 | Lawfulness of processing |
| UK GDPR Art.7 + DPA s.9 | Conditions for consent |
| UK GDPR Art.9 + DPA Sch.1 | Processing of special category data |
Other
| Code | Title |
|---|---|
| DPA s.110, Sch.11 | National security and defence exemptions |
| DPA s.170-173, 184 | Criminal offences under the DPA |
Principles
| Code | Title |
|---|---|
| UK GDPR Art.5 | Principles relating to processing of personal data |
Rights
| Code | Title |
|---|---|
| UK GDPR Art.12 | Transparent information and modalities |
| UK GDPR Art.13-14 | Information to be provided to data subjects |
| UK GDPR Art.15 + DPA s.45 (LE equivalent) | Right of access by the data subject |
| UK GDPR Art.16-21 | Rectification, erasure, restriction, portability, objection |
| UK GDPR Art.22 + DPA s.14 | Automated decision-making including profiling |
Frequently Asked Questions
What is UK Data Protection Act 2018 + UK GDPR?
UK Data Protection Act 2018 + UK GDPR is a compliance framework from the United Kingdom with 8 domains and 42 controls. It combines the UK Data Protection Act 2018 with the UK GDPR (retained EU GDPR with UK amendments). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does UK Data Protection Act 2018 + UK GDPR have?
UK Data Protection Act 2018 + UK GDPR has 42 controls organised across 8 domains. The largest domains are Law Enforcement (Part 3) (15 controls), Controller Obligations (12 controls) and Lawful Basis (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does UK Data Protection Act 2018 + UK GDPR map to?
UK Data Protection Act 2018 + UK GDPR does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.
How do I get started with UK Data Protection Act 2018 + UK GDPR compliance?
Start your UK Data Protection Act 2018 + UK GDPR compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about UK Data Protection Act 2018 + UK GDPR requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 42 controls and track your progress.