NEW
Report & API Now Live! Data insights report and open data API endpoints live as of September 23, 2025

Data Protection Act 1998

type
Regulation
Jurisdiction
Full Name
Data Protection Act 1998
Official Name
Data Protection Act 1998

Description

Description
Source

The Data Protection Act 1998 (DPA 1998) was a landmark UK legislation that established fundamental principles for protecting personal data and individual privacy rights. This comprehensive framework regulated how organizations could collect, process, and store personal information, setting the standard for data protection in the UK for nearly two decades until it was replaced by the Data Protection Act 2018.

The Act implemented the EU Data Protection Directive 95/46/EC and introduced several key concepts that remain relevant in modern data protection law:

Key Objectives and Scope:

  • Protection of individual privacy rights
  • Regulation of personal data processing
  • Establishment of data protection principles
  • Creation of the role of Data Protection Commissioner (later renamed Information Commissioner)

Core Requirements:

  1. Data Protection Principles:

    • Fair and lawful processing
    • Purpose limitation
    • Data minimization
    • Accuracy
    • Storage limitation
    • Rights of data subjects
    • Security measures
    • International transfer restrictions
  2. Technical Requirements:

    • Implementation of appropriate security measures
    • Systems for responding to subject access requests
    • Data processing notification requirements

Compliance Mechanisms:

  • Mandatory registration with the Information Commissioner's Office
  • Regular audits and assessments
  • Documentation of processing activities
  • Staff training requirements

Key Privacy Protections:

Individual rights included access to personal data, correction of inaccurate data, and prevention of processing likely to cause damage or distress.

Territorial Scope:

  • Applied to all data controllers established in the UK
  • Extended to data controllers outside the UK using equipment in the UK

Implementation Timeline:

  • Enacted: July 1998
  • Full Effect: March 2000
  • Superseded: May 2018 (by DPA 2018)

The Act's significance lies in establishing the foundational framework for data protection in the UK, introducing concepts like data controller, data processor, and personal data that remain central to modern privacy legislation.

Projects Following this Regulation

If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page