UK Data Protection Act 2018 Policies

10 policies covering the parts UK GDPR doesn't — law-enforcement processing (Part 3), intelligence services (Part 4), special-category data conditions, and the Appropriate Policy Document.


Data Protection & Privacy Essentials pack

12 policies · £350 one-off

UK GDPR + DPA 2018 together · lifetime access


What is the Data Protection Act 2018?

Quick answer. The Data Protection Act 2018 (DPA 2018) is the UK statute that supplements UK GDPR. It implements the GDPR through Schedule 1, sets out UK-specific exemptions (Schedules 2–4), establishes the Information Commissioner's powers, and applies the law-enforcement and intelligence-services regimes that GDPR itself does not cover. The DPA 2018 and UK GDPR sit together: you cannot meet one without meeting the other.

The UK Data Protection Act 2018 is the UK's primary data-protection statute, sitting alongside UK GDPR. It does three things: it implements UK GDPR (confirming the ICO as the supervisory authority, converting fines into sterling), it supplements UK GDPR with UK-specific exemptions and conditions (Schedules 1–4), and it introduces additional regimes that UK GDPR doesn't reach — Part 3 for competent authorities processing for law-enforcement purposes, and Part 4 for the intelligence services.

For most UK SMEs, the DPA 2018 pieces that matter are Schedule 1 (conditions for processing special-category and criminal-offence data, including when an Appropriate Policy Document is required), section 170 (criminal offence of unlawfully obtaining personal data), and sections 137–138 (mandatory ICO registration fee).

Who needs DPA 2018 policies?

Quick answer. Every UK organisation processing personal data — identical scope to UK GDPR, which means almost every employer, every B2B SaaS firm, every charity. Specific extra duties apply to law-enforcement processors (Part 3) and intelligence services (Part 4). Children’s services and online providers must additionally observe the Age Appropriate Design Code (Children’s Code).

  • UK employers running DBS checks or equality monitoring — relying on Schedule 1 conditions, APD required.
  • Healthcare and social-care providers — Article 9 special-category data plus Schedule 1 substantial-public-interest conditions.
  • Insurance, pensions and financial services processing medical or criminal-offence data.
  • Competent authorities under Part 3 — police, CPS, certain regulatory bodies with investigatory functions.
  • Any UK organisation — ICO registration is mandatory under sections 137–138 unless narrowly exempt.

Policies you need for DPA 2018

Quick answer. Same 12-policy backbone as UK GDPR (privacy notice, ROPA, DPIA, DSAR, breach notification, lawful basis register, retention schedule, processor DPA, marketing consent, cookie policy, international transfer, subject-access response templates) plus DPA-specific add-ons where relevant: a special-category-data handling policy, criminal-offence-data conditions, Schedule 2/3 exemption decisions, and (for in-scope firms) a law-enforcement processing addendum.

These 10 policies cover the DPA 2018-specific layer that UK GDPR policies don't reach. They're intended to sit alongside a core UK GDPR pack:

Privacy Policy (DPA 2018 aware)

Aligned to Parts 3 + 4 where applicable, plus Part 2 general processing.

Law Enforcement Processing

Part 3 — law-enforcement purposes, distinction from general processing.

Intelligence Services Processing

Part 4 — for authorised intelligence services operations.

Special-Category Data Policy

Article 9 + Schedule 1 Part 1–2 conditions.

Criminal Offence Data Policy

Article 10 + Schedule 1 Part 3 conditions.

ICO Registration Policy

Sections 137–138 — calculating the correct tier and annual renewal.

Appropriate Policy Document

Mandatory for most Schedule 1 conditions & all Part 3 processing.

DSAR Procedure

Part 2 + Part 3 rights — response timelines, Part 3 exemptions.

Breach Notification

72-hour ICO reporting + Part 3 specific breach rules.

Data Minimisation

Ongoing review and section 170 offence awareness.

Realistic timeline for DPA 2018 readiness

Quick answer. 2–4 weeks for documentary readiness once policies are drafted. PolicySuite compresses the drafting phase from the traditional 4–8 weeks to 48 hours. Week 1: bespoke policies generated from structured questions. Week 2: ROPA populated, lawful-basis assessments completed. Week 3–4: DSAR and breach workflows embedded operationally; DPA-specific exemptions documented per processing activity.

If you already have a UK GDPR pack, adding DPA 2018-specific documentation is a 1–2 week exercise. From scratch, expect 3–4 weeks to combined readiness.

  1. Day 1: Confirm ICO registration tier and pay the fee if not already done.
  2. Day 2–3: Buy the pack, receive bespoke policies in 48 hours.
  3. Week 2: Map Schedule 1 conditions you rely on; complete the Appropriate Policy Document template.
  4. Week 3: Publish/update external privacy notice, distribute internal policies, train staff.
  5. Ongoing: Annual APD review, updates when new Schedule 1 conditions come into play.

PolicySuite vs GRC platforms vs consultant vs DIY

Quick answer. Privacy consultancies charge £3k–£15k for a DPA 2018 / UK GDPR policy set with 4–8 weeks turnaround. OneTrust and similar GRC platforms automate DSAR ticketing but expect bring-your-own policies at £15k–£60k/year. DIY templates rarely capture the Schedule 1–4 exemptions correctly. PolicySuite produces ICO-defensible DPA 2018 policies in 48 hours from £400.

UK SMEs typically compare four routes when sourcing compliance policies. Here's how they stack up on the decisions that matter.

| | PolicySuite | GRC platforms (Vanta, Drata, SecureFrame) | Compliance consultant | DIY templates |
|---|---|---|---|---|
| Typical cost | £250–£1,500 one-off | £10k–£40k per year | £5k–£30k one-off | £0 + your time |
| Pricing model | Lifetime purchase | Annual seat-based | Project fee | Free (indefinite effort) |
| Time to policies ready | 48 hours | 4–8 weeks setup | 8–16 weeks | Months — rarely finished |
| UK-specific content | Built for UK SMEs | Partial — US-originated | If UK consultant | Partial — ICO templates only |
| Bespoke to your business | LLM-tailored from your answers | Partial — fill-in-the-blank | Yes — manual | Generic template |
| Framework coverage | 197 frameworks · 8 jurisdictions | 20–50 frameworks | Whatever the consultant knows | Up to you to find |
| Audit-ready evidence | Acknowledgements, distributions, version history | Strong — but seat-priced | You track it yourself | You track it yourself |
| Suits <50-person SMEs | Designed for UK SMEs | Price-prohibitive at SME scale | Sometimes — depends on scope | If you have the time |
| Cost to switch away | You own the docs — export anytime | Lose access on cancellation | You own the docs | You own the docs |


Frequently asked questions

What does DPA 2018 cover that UK GDPR doesn't?

DPA 2018 implements and supplements UK GDPR but also covers areas UK GDPR does not. Part 3 covers competent-authority law-enforcement processing; Part 4 covers the intelligence services. Schedule 1 sets conditions for processing special-category and criminal-offence data. The Act also adds UK exemptions (journalism, immigration, research) and creates specific offences like unlawful obtaining (section 170).

Who needs DPA 2018 policies beyond UK GDPR?

Any UK controller relying on Article 9 (special-category) or Article 10 (criminal-offence) data — HR teams running DBS checks, healthcare providers, insurers, employers handling equality monitoring. Part 3 applies only to competent authorities. Appropriate Policy Documents (APDs) are mandatory for most Schedule 1 conditions and all Part 3 processing.

What is an Appropriate Policy Document?

An APD is a document required by DPA 2018 Schedule 1 that explains how you comply with the data-protection principles when processing special-category or criminal-offence data under specific Schedule 1 conditions. The ICO can require sight of the APD, and you must review and update it periodically. Our pack includes APD templates aligned to the most common SME conditions.

Is ICO registration the same as DPA 2018 compliance?

No. ICO registration (£40–£2,900/year) is a separate statutory obligation under DPA 2018 sections 137–138. Failing to register is an offence even if you're otherwise compliant. Most UK businesses need to register unless a narrow exemption applies.

How does DPA 2018 relate to UK GDPR?

UK GDPR is the core rulebook for most processing. DPA 2018 implements UK GDPR (ICO as supervisory authority, sterling fines), adds UK-specific exemptions and Schedule 1 conditions, and creates separate regimes for law enforcement (Part 3) and intelligence services (Part 4). Most UK SMEs need both — see our UK GDPR framework page for the other half.

What does the DPA 2018 policy pack include?

10 DPA 2018-aligned policies covering Privacy Policy (Parts 3 + 4 aware), Law Enforcement Processing, Intelligence Services Processing, Special-Category Data, Criminal Offence Data, ICO Registration, Appropriate Policy Document, DSAR, Breach Notification, and Data Minimisation. Designed to layer on top of our UK GDPR pack.

Cover UK GDPR + DPA 2018 in one pack

Get 12 bespoke policies for UK GDPR and DPA 2018 — lifetime access, no renewal.

Get Started — £350

References and primary sources

Quick answer. The framework guidance on this page is reviewed against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so an auditor, procurement reviewer or DPO can verify the alignment without taking the page on trust.

In our experience working with UK SMEs and similar organisations across the EU and US, the framework pages that survive enterprise vendor reviews are the ones that cite primary sources rather than secondary blog posts. Many UK SMEs discover this only after their first failed vendor questionnaire: the reviewer asked for a clause-to-source map, and the standard reply pointed at a marketing page rather than the relevant regulator. The references on this page are the standing set we cite from inside the policies themselves, so the chain stays intact end-to-end.