UK Data Protection Act 2018 Policies
10 policies covering the parts UK GDPR doesn't — law-enforcement processing (Part 3), intelligence services (Part 4), special-category data conditions, and the Appropriate Policy Document.
Data Protection & Privacy Essentials pack
12 policies · £350 one-off
UK GDPR + DPA 2018 together · lifetime access
What is the Data Protection Act 2018?
The UK Data Protection Act 2018 is the UK's primary data-protection statute, sitting alongside UK GDPR. It does three things: it implements UK GDPR (confirming the ICO as the supervisory authority, converting fines into sterling), it supplements UK GDPR with UK-specific exemptions and conditions (Schedules 1–4), and it introduces additional regimes that UK GDPR doesn't reach — Part 3 for competent authorities processing for law-enforcement purposes, and Part 4 for the intelligence services.
For most UK SMEs, the DPA 2018 pieces that matter are Schedule 1 (conditions for processing special-category and criminal-offence data, including when an Appropriate Policy Document is required), section 170 (criminal offence of unlawfully obtaining personal data), and sections 137–138 (mandatory ICO registration fee).
Who needs DPA 2018 policies?
- UK employers running DBS checks or equality monitoring — relying on Schedule 1 conditions, APD required.
- Healthcare and social-care providers — Article 9 special-category data plus Schedule 1 substantial-public-interest conditions.
- Insurance, pensions and financial services processing medical or criminal-offence data.
- Competent authorities under Part 3 — police, CPS, certain regulatory bodies with investigatory functions.
- Any UK organisation — ICO registration is mandatory under sections 137–138 unless narrowly exempt.
Policies you need for DPA 2018
These 10 policies cover the DPA 2018-specific layer that UK GDPR policies don't reach. They're intended to sit alongside a core UK GDPR pack:
Privacy Policy (DPA 2018 aware)
Aligned to Parts 3 + 4 where applicable, plus Part 2 general processing.
Law Enforcement Processing
Part 3 — law-enforcement purposes, distinction from general processing.
Intelligence Services Processing
Part 4 — for authorised intelligence services operations.
Special-Category Data Policy
Article 9 + Schedule 1 Part 1–2 conditions.
Criminal Offence Data Policy
Article 10 + Schedule 1 Part 3 conditions.
ICO Registration Policy
Sections 137–138 — calculating the correct tier and annual renewal.
Appropriate Policy Document
Mandatory for most Schedule 1 conditions & all Part 3 processing.
DSAR Procedure
Part 2 + Part 3 rights — response timelines, Part 3 exemptions.
Breach Notification
72-hour ICO reporting + Part 3 specific breach rules.
Data Minimisation
Ongoing review and section 170 offence awareness.
Realistic timeline for DPA 2018 readiness
If you already have a UK GDPR pack, adding DPA 2018-specific documentation is a 1–2 week exercise. From scratch, expect 3–4 weeks to combined readiness.
- Day 1: Confirm ICO registration tier and pay the fee if not already done.
- Day 2–3: Buy the pack, receive bespoke policies in 48 hours.
- Week 2: Map Schedule 1 conditions you rely on; complete the Appropriate Policy Document template.
- Week 3: Publish/update external privacy notice, distribute internal policies, train staff.
- Ongoing: Annual APD review, updates when new Schedule 1 conditions come into play.
Policy packs for DPA 2018
Data Protection & Privacy Essentials
12 policies · £350 · UK GDPR + DPA 2018 foundation
Incident Notification & Breach Reporting
8 policies · £250 · ICO 72-hour reporting readiness
NHS IG Essentials
10 policies · £400 · for NHS IG Toolkit / DSPT
Charity Safeguarding & Fundraising
10 policies · £300 · charity-specific DPA considerations
Frequently asked questions
What does DPA 2018 cover that UK GDPR doesn't?
DPA 2018 implements and supplements UK GDPR but also covers areas UK GDPR does not. Part 3 covers competent-authority law-enforcement processing; Part 4 covers the intelligence services. Schedule 1 sets conditions for processing special-category and criminal-offence data. The Act also adds UK exemptions (journalism, immigration, research) and creates specific offences like unlawful obtaining (section 170).
Who needs DPA 2018 policies beyond UK GDPR?
Any UK controller relying on Article 9 (special-category) or Article 10 (criminal-offence) data — HR teams running DBS checks, healthcare providers, insurers, employers handling equality monitoring. Part 3 applies only to competent authorities. Appropriate Policy Documents (APDs) are mandatory for most Schedule 1 conditions and all Part 3 processing.
What is an Appropriate Policy Document?
An APD is a document required by DPA 2018 Schedule 1 that explains how you comply when processing special-category or criminal-offence data under specific conditions. The ICO can require sight of the APD and you must review/update it periodically. Our pack includes APD templates aligned to the most common SME conditions.
Is ICO registration the same as DPA 2018 compliance?
No. ICO registration (£40–£2,900/year) is a separate statutory obligation under DPA 2018 sections 137–138. Failing to register is an offence even if you're otherwise compliant. Most UK businesses need to register unless a narrow exemption applies.
How does DPA 2018 relate to UK GDPR?
UK GDPR is the core rulebook for most processing. DPA 2018 implements UK GDPR (ICO as supervisory authority, sterling fines), adds UK-specific exemptions and Schedule 1 conditions, and creates separate regimes for law enforcement (Part 3) and intelligence services (Part 4). Most UK SMEs need both — see our UK GDPR framework page for the other half.
What does the DPA 2018 policy pack include?
10 DPA 2018-aligned policies covering Privacy Policy (Parts 3 + 4 aware), Law Enforcement Processing, Intelligence Services Processing, Special-Category Data, Criminal Offence Data, ICO Registration, Appropriate Policy Document, DSAR, Breach Notification, and Data Minimisation. Designed to layer on top of our UK GDPR pack.
Cover UK GDPR + DPA 2018 in one pack
Get 12 bespoke policies for UK GDPR and DPA 2018 — lifetime access, no renewal.