What is the Data Protection Act 1998?

Written by: Coby McKinley

Updated January 5, 2023

Internet users concerned with consumer privacy policies and data protection rights should understand the scope of the Data Protection Act 1998. Parliament updated the Data Protection Act 1998 in 2018 to match European data protection laws, expanding accountability and consent requirements. That said, you can find many of the basic principles of the GDPR 2018 in the 1998 data protection law. So, keep scrolling to learn what the Data Protection Act 1998 is.


  • The Data Protection Act 1998 outlines the lawful processing, use, and storage of consumer data.
  • The DPA 1998 limits the amount of user data companies collect and sets time limits on how long companies can store subject data.
  • The UK House of Parliament replaced the DPA 1998 with the General Data Protection Regulation (GDPR) Act in 2018.

For more information, read up on what the Data Protection Act covers, how to register under the DPA, what enterprise data protection is, the problems with net neutrality, and Microsoft’s AIP vs DLP.

Insider Tip

Consumers based in the UK and EU can submit a Data Subject Access Request (DSAR) to see what information private and public bodies hold about them.

Data Protection Principles

The DPA 1998 refers to individuals whose personal data is being collected as data subjects. The eight data protection principles in the DPA 1998 are designed to ensure that subject data is processed fairly and used for lawful purposes. Additionally, these guidelines apply to official authorities, health services, and private companies.

Fair and Lawful

Companies must obtain explicit consent to collect subject data and only use it for lawful purposes. The DPA includes a Fair Processing Notice that requires data-collecting organizations to disclose who they are, what the data is for, and who can access the data.

Specified Purposes

Data collectors cannot use subject data for unlawful purposes or unfair business practices. Additionally, information should not be used for purposes other than the reason disclosed to data subjects.

Adequate, Relevant, and Not Excessive

Entities should only collect the subject data they need for their intended and disclosed business goals. In other words, companies should only collect the minimum amount of data for their stated purpose. For example, a company should not store your name, credit card, or phone number if all they need is your email address.

Accurate and Up to Date

Subject data must be accurate, and companies must delete the data when it is no longer up to date. All inaccurate and outdated information must be deleted and may no longer be used for business or marketing purposes.

Not Kept Longer Than Necessary

Companies cannot keep subject data for longer than necessary to accomplish the originally intended purpose. This principle places a limit on how long data processors can keep personal data.

Rights of Data Subjects

Companies that collect personal data must respect the rights of individuals over their own information. Additionally, data processors must prevent processing that causes damage and must stop direct marketing when the data subject objects. Organizations must correct inaccurate data and grant access to data subjects.


Companies that process personal data without explicit consent or fail to implement adequate privacy practices are subject to legal proceedings and fines.

Security

This principle states that data controllers must prevent accidental damage, destruction, or loss of subject data. Additionally, they must prevent unlawful and unauthorized access to subject data.

International Transfers

Companies cannot transfer information outside of the EU unless the destination territory guarantees similar subject data rights and regulations.

STAT: A 2019 Pew Research Center survey showed that 81% of Americans thought the potential risk of companies collecting data outweighs the benefits.

What is the Data Protection Act 1998? FAQs

What is a Data Protection Officer?

The GDPR mandates that data-collecting businesses of a certain size must hire a Data Protection Officer (DPO) to oversee compliance with consumer data laws. The DPO acts in an independent manner, and they are the first contact for data-related requests.

What’s the difference between the GDPR and the DPA 1998?

The UK GDPR 2018 has seven principles instead of eight, but it expands data subject rights and organizational oversight.

Are the UK and EU GDPR different?

The EU and UK GDPR 2018 offer a nearly identical level of protection for personal records, but the UK GDPR uses language specific to the British people. The UK GDPR outlines how business owners can collect data for lawful purposes, and it provides expanded data subject access rights for consumers. The UK and EU GDPRs have similar consequences for unfair business practices and unlawful processing, with a maximum fine exceeding $20 million.