
UK GDPR vs the old Data Protection Act 1998

Updated April 2026
UK GDPR · DPA 1998 comparison

The Data Protection Act 1998 was the UK’s primary data protection law for twenty years. When UK GDPR replaced it in 2018, the changes were not cosmetic. Accountability, consent, breach notification, data subject rights, and financial penalties all changed significantly. Organisations operating under DPA 1998 assumptions are not compliant with the current framework.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

What replaced what

The DPA 1998 implemented the EU Data Protection Directive 1995 and was enforced by the ICO. On 25 May 2018, EU GDPR applied directly in the UK and was supplemented by the Data Protection Act 2018. The DPA 1998 was repealed. After Brexit, EU GDPR was retained as UK GDPR — the DPA 2018 remains in force alongside it.

Accountability — the fundamental shift

The DPA 1998 required compliance with eight data protection principles. UK GDPR restated the principles and added one that the DPA 1998 did not have, accountability, as its seventh principle. Under the DPA 1998, an organisation had to comply. Under UK GDPR, it must also be able to demonstrate that it complies. This is the change that drives the entire evidence-based compliance approach — records, policies, procedures, and documented decisions are now legally required, not merely good practice.

Under the DPA 1998, consent could be implied from inaction or pre-ticked boxes. Under UK GDPR, consent must be freely given, specific, informed, and unambiguous. Implied consent and pre-ticked boxes are not valid. The standard has been significantly raised for all processing — organisations relying on legacy consent mechanisms may have no valid consent at all.

Data subject rights — expanded

The DPA 1998 gave individuals the right of access and some limited rights to prevent processing. UK GDPR expanded the rights to eight — adding rectification, erasure, restriction, portability, and rights related to automated decision-making as distinct, enforceable rights with specific timelines.

Breach notification — a new obligation

The DPA 1998 had no mandatory breach notification requirement. UK GDPR introduced the 72-hour notification obligation to the ICO for breaches likely to result in risk, and the obligation to notify affected individuals where high risk is established. Breach notification was the single biggest new procedural obligation for most organisations.

Fines — dramatically higher

Under the DPA 1998, the maximum ICO fine was £500,000. Under UK GDPR, the maximum is £17.5 million or 4% of annual worldwide turnover, whichever is higher — 35 times higher for large organisations. The credible threat of significant financial penalties has materially changed the risk calculus for all organisations.

Record this. Organisations that have not reviewed their data protection programme since 2018 are operating under an obsolete framework. The ICO does not accept DPA 1998 as a defence. Every element of the programme — ROPA, lawful basis, notices, rights procedures, breach log — must be reviewed against the current UK GDPR standard.
Not legal advice. This guide is derived from UK GDPR (Data Protection Act 2018 / DUAA 2025) and ICO published guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.