Legislation – Data Protection Act 2018

Data Protection Act 2018, Cross Heading: Overview and scope is up to date with all changes known to be in force on or before 04 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.

View outstanding changes

Changes and effects yet to be applied to Part 3 Chapter 4 Crossheading Overview-and-scope:

s. 26(2)(f)(ai) omitted by 2025 c. 18 Sch. 10 para. 9
s. 44(1)(da) inserted by 2025 c. 18 Sch. 10 para. 10(2)(a)
s. 44(5)(ca) inserted by 2025 c. 18 Sch. 10 para. 10(3)(a)
s. 45(2)(ea) inserted by 2025 c. 18 Sch. 10 para. 11(2)(a)
s. 45(5)(ca) inserted by 2025 c. 18 Sch. 10 para. 11(3)(a)
s. 45A(2)(ca) inserted by 2025 c. 18 Sch. 10 para. 12
s. 48(1)(b)(iia) inserted by 2025 c. 18 Sch. 10 para. 13(2)(a)
s. 48(4)(ba) inserted by 2025 c. 18 Sch. 10 para. 13(3)(a)
s. 149(5A) inserted by 2025 c. 18 Sch. 10 para. 16(3)
s. 157(4A) inserted by 2025 c. 18 Sch. 10 para. 18
s. 187(2)(za) inserted by 2025 c. 18 Sch. 10 para. 21(3)(a)
Sch. 3 para. 8(1)(y) added by 2022 c. 18 (N.I.) Sch. 3 para. 78(3)

Changes and effects yet to be applied to the whole Act associated Parts and Chapters:

Whole provisions yet to be inserted into this Act (including any effects on those provisions):

s. 26(2)(f)(ai) omitted by 2025 c. 18 Sch. 10 para. 9
s. 44(1)(da) inserted by 2025 c. 18 Sch. 10 para. 10(2)(a)
s. 44(5)(ca) inserted by 2025 c. 18 Sch. 10 para. 10(3)(a)
s. 45(2)(ea) inserted by 2025 c. 18 Sch. 10 para. 11(2)(a)
s. 45(5)(ca) inserted by 2025 c. 18 Sch. 10 para. 11(3)(a)
s. 45A(2)(ca) inserted by 2025 c. 18 Sch. 10 para. 12
s. 48(1)(b)(iia) inserted by 2025 c. 18 Sch. 10 para. 13(2)(a)
s. 48(4)(ba) inserted by 2025 c. 18 Sch. 10 para. 13(3)(a)
s. 149(5A) inserted by 2025 c. 18 Sch. 10 para. 16(3)
s. 157(4A) inserted by 2025 c. 18 Sch. 10 para. 18
s. 187(2)(za) inserted by 2025 c. 18 Sch. 10 para. 21(3)(a)
Sch. 3 para. 8(1)(y) added by 2022 c. 18 (N.I.) Sch. 3 para. 78(3)

PART 3Law enforcement processing

CHAPTER 4Controller and processor

Overview and scope

55Overview and scope

(1)

This Chapter—

(a)

sets out the general obligations of controllers and processors (see sections 56 to 65);

(b)

sets out specific obligations of controllers and processors with respect to security (see section 66);

(c)

sets out specific obligations of controllers and processors with respect to personal data breaches (see sections 67 and 68);

(d)

makes provision for the designation, position and tasks of data protection officers (see sections 69 to 71);

F1(e)

makes provision about codes of conduct (see section 71A).

(2)

This Chapter applies only in relation to the processing of personal data for a law enforcement purpose.

(3)

Where a controller is required by any provision of this Chapter to implement appropriate technical and organisational measures, the controller must (in deciding what measures are appropriate) take into account—

(a)

the latest developments in technology,

(b)

the cost of implementation,

(c)

the nature, scope, context and purposes of processing, and

(d)

the risks for the rights and freedoms of individuals arising from the processing.