Data Protection Bill receives Royal Assent

May 22, 2018

The Data Protection Bill received Royal Assent on 23 May 2018 and
will come into force as the
Data Protection Act 2018.

The Act covers those parts of the GDPR that allow for Member
States to make provision for how it applies in the UK, such as setting the age
of consent for children at 13 when it comes to consent for online services. It
also implements
the Law Enforcement Directive.

The new Act covers several other related areas, for example, processing
related to immigration, the powers of the ICO themselves and application of
data protection standards to national security agencies.

Section 1 of the Act (Overview), in part 1 of the Act (ss. 1 to 3)
provides as follows:

(1) This
Act makes provision about the processing of personal data.

(2) Most
processing of personal data is subject to the GDPR.

(3) Part 2
[ss 4 to 28] supplements the GDPR (see Chapter 2) and applies a broadly
equivalent regime to certain types of processing to which the GDPR does not
apply (see Chapter 3).

(4) Part 3
[ss 29 to 81] makes provision about the processing of personal data by
competent authorities for law enforcement purposes and implements the Law
Enforcement Directive.

(5) Part 4
[ss 82 to 113] makes provision about the processing of personal data by the
intelligence services.

(6) Part 5
[ss 114 to 141] makes provision about the Information Commissioner.

(7) Part 6
[ss 142 to 181] makes provision about the enforcement of the data protection

(8) Part 7
[ss 182 to 215] makes supplementary provision, including provision about the
application of this Act to the Crown and to Parliament.

There are 20 schedules to the Act.


By virtue of s 212 of the Act and the Data
Protection Act 2018 (Commencement No. 1 and Transitional and Saving Provisions)
Regulations 2018
(SI 2018 No 625), the following provisions are in force on
the dates in 2018 shown below.

  • s 1 (overview) – 23 May
  • s 2 (protection of personal data) – 25 May
  • s 3 (terms relating to the processing of personal data) – 23 May
  • ss 4 to 28 (general processing), including schs 1 to 6 (except sch
    6, para 62) – 25 May
  • ss 29 to 81 (law enforcement processing), including schs 7 and 8 –
    25 May
  • ss 82 to 92, 94 to 101, 106 and 107 and 109 to 113 (intelligence
    service processing), including schs 9 to 11 – 25 May
  • ss 114 to 120 (Information Commissioners’ continuation, her
    general functions and international role), including schs 12 to 14 – 25 May
  • ss 121 and 122 (Commissioner’s duty to prepare data sharing code
    and direct marketing code) – 25 May
  • ss 123 (Commissioner’s duty to prepare age-appropriate design
    code) – 23 July
  • s 124 (Commissioners’ duty to prepare a data protection and
    journalism code of practice) – 23 July
  • ss 125 to 127 (approval, publication and review and effect of
    codes) – 25 May in respect of data sharing code and direct marketing codes and
    23 July in respect of the age-appropriate design and data protection and
    journalism codes
  • s 128 (Secretary of State’s power to require Commissioner to prepare
    other codes of practice) – 25 May
  • ss 129 to 141 (consensual audits, records of national security
    certificates, information provided to the Commissioner, fees, charges and
    Commissioner’s reports) – 25 May
  • ss 142 to 173 (enforcement, insofar as it covers information
    notices, assessment notices, enforcement notices, powers of entry and
    inspection, penalties, guidance, appeals, complaints, court remedies and
    offences relating to personal data), including schs 15 and16 – 25 May
  • ss 174 to 176 (defining the special purposes, assisting with
    special purposes proceedings and staying such proceedings) – 25 May
  • ss 177 to 179 (Commissioner’s guidance on redress against media
    organisations and review of processing of personal data for journalism and
    Secretary of State’s report on the effectiveness of media’s dispute resolution
    procedures), including sch 17 – 23 July
  • ss 180 and 181 (court jurisdiction and interpretation of part 6) –
    25 May
  • ss 182 to 186 (regulation-making power, power to reflect changes
    to Data Protection Convention, prohibition of requirement to produce records,
    contract terms relating to health records and effect of data subject’s rights
    on disclosure), including sch 18 – 25 May
  • s 187 (representation of data subjects with their authority) – 25
  • ss 188 to 190 (other provisions relating to representation of data
    subjects) – 23 July
  • ss 191 to 194 (Framework for Data Processing by Government and
    related provisions) – 23 July
  • s 195 (reserve forces: data sharing by HMRC) – 23 July
  • ss 196 to 203 (offences and tribunals) – 25 May
  • ss 204 to 206 (interpretation) – 23 May
  • ss 207 and 208 (territorial application and children in Scotland)
    – 25 May
  • ss 209 and 210 (application to the Crown and application to
    Parliament) – 23 May
  • s 211 (minor and consequential provision), including sch 19 but
    excepting paras 76, 201, 211 and 227 of sch 19 – 25 May
  • s 212 (commencement) – 23 May
  • s 213(1) (transitional provision), including sch 20 – 25 May
  • s 213(2) and (3) (power to make further transitional provision) –
    23 May
  • ss 214 and 215 (extent and short title) – 23 May.

Note that, presumably to cover anything overlooked, s
212(2)(f) provides that ‘any other provision of this Act so far as it confers
power to make regulations or Tribunal Procedure Rules or is otherwise necessary
for enabling the exercise of such a power on or after the day on which this Act
is passed’.

Provisions not in force

It follows from the above provisions that, as of 6 June, the
following are not in force and not subject to any commencement provision:

  • Sch 6, para 62 (which appears to make a technical amendment
    to the GDPR, Article 89 (safeguards and derogations relating
    to processing for archiving purposes etc)
  • In part 4 (intelligence service processing):

s 93 (right to information)

s 102 (general obligations of the controller)

s 103 (data protection by design)

s 104 (joint controllers)

s 105 (processors)

s 108 (communication of a personal data breach)

  • In sch 19 (minor and consequential amendments), paras 76,
    201, 211 and 227 (which appear to relate to (i) investigatory powers and (ii) social

It is however worth noting that where provisions are brought
into force requiring the Information Commissioner to prepare a code of
practice, such as the age-verification code under s 123 (in force from 23
July), the obligation includes an obligation to consult. Post-consultation and
preparation, there is a procedure for approval of the code (including a 40-day
period after laying the code before Parliament). So the date on which such
codes bite remains uncertain and is certainly well beyond 23 July.

Note too the very detailed transitional provision in sch 20
to the Act and the esoteric transitional and saving provisions relating to the
Electronic Identification and Trust Services for Electronic Transactions
Regulations 2016 in reg 4 of SI2018/625.

The text of the Act as enacted is available on
at You can trace the
history of the proceedings on the Parliament website at