The main elements of the Data Protection Act 2018 are:
General data processing
● Implements GDPR standards across all general data processing.
● Provides clarity on the definitions used in the GDPR in the UK context.
● Ensures that sensitive health, social care and education data can continue to be processed while making sure that confidentiality in health and safeguarding situations is maintained.
● Provides appropriate restrictions to rights to access and delete data to allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes.
● Sets 13 as the age from which parental consent is not needed to process data online, supported by a new age-appropriate design code enforced by the Information Commissioner.
Law enforcement processing
● Provides a bespoke regime for the processing of personal data by the police, prosecutors and other criminal justice agencies for law enforcement purposes.
● Allows the unhindered flow of data internationally whilst providing safeguards to protect personal data.
Intelligence services processing
● Ensures that the laws governing the processing of personal data by the intelligence services remain up to date and in line with modernised international standards, including appropriate safeguards with which the intelligence community can continue to tackle existing, new and emerging national security threats.
Regulation and enforcement
● Enacts additional powers for the Information Commissioner who will continue to regulate and enforce data protection laws.
● Allows the Commissioner to levy higher administrative fines on data controllers and processors for the most serious data breaches, up to £17m (€20m) or 4% of global turnover.
● Empowers the Commissioner to bring criminal proceedings for offences where a data controller or processor alters records with intent to prevent disclosure following a subject access request.