Data Protection Bill receives Royal Assent

Royal Assent received 23 May 2018 - just in time for GDPR

The Data Protection Bill received Royal Assent on 23 May 2018 and will come into force as the Data Protection Act 2018.

The Act covers those parts of the GDPR that allow for Member States to make provision for how it applies in the UK, such as setting the age of consent for children at 13 when it comes to consent for online services. It also implements the Law Enforcement Directive.

The new Act covers several other related areas, for example, processing related to immigration, the powers of the ICO themselves and application of data protection standards to national security agencies.

Section 1 of the Act (Overview), in part 1 of the Act (ss. 1 to 3) provides as follows:

(1) This Act makes provision about the processing of personal data.

(2) Most processing of personal data is subject to the GDPR.

(3) Part 2 [ss 4 to 28] supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).

(4) Part 3 [ss 29 to 81] makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.

(5) Part 4 [ss 82 to 113] makes provision about the processing of personal data by the intelligence services.

(6) Part 5 [ss 114 to 141] makes provision about the Information Commissioner.

(7) Part 6 [ss 142 to 181] makes provision about the enforcement of the data protection legislation.

(8) Part 7 [ss 182 to 215] makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.

There are 20 schedules to the Act.


By virtue of s 212 of the Act and the Data Protection Act 2018 (Commencement No. 1 and Transitional and Saving Provisions) Regulations 2018 (SI 2018 No 625), the following provisions are in force on the dates in 2018 shown below.

  • s 1 (overview) – 23 May
  • s 2 (protection of personal data) – 25 May
  • s 3 (terms relating to the processing of personal data) – 23 May
  • ss 4 to 28 (general processing), including schs 1 to 6 (except sch 6, para 62) – 25 May
  • ss 29 to 81 (law enforcement processing), including schs 7 and 8 – 25 May
  • ss 82 to 92, 94 to 101, 106 and 107 and 109 to 113 (intelligence service processing), including schs 9 to 11 – 25 May
  • ss 114 to 120 (Information Commissioners’ continuation, her general functions and international role), including schs 12 to 14 - 25 May
  • ss 121 and 122 (Commissioner’s duty to prepare data sharing code and direct marketing code) – 25 May
  • ss 123 (Commissioner’s duty to prepare age-appropriate design code) – 23 July
  • s 124 (Commissioners’ duty to prepare a data protection and journalism code of practice) – 23 July
  • ss 125 to 127 (approval, publication and review and effect of codes) – 25 May in respect of data sharing code and direct marketing codes and 23 July in respect of the age-appropriate design and data protection and journalism codes
  • s 128 (Secretary of State’s power to require Commissioner to prepare other codes of practice) – 25 May
  • ss 129 to 141 (consensual audits, records of national security certificates, information provided to the Commissioner, fees, charges and Commissioner’s reports) – 25 May
  • ss 142 to 173 (enforcement, insofar as it covers information notices, assessment notices, enforcement notices, powers of entry and inspection, penalties, guidance, appeals, complaints, court remedies and offences relating to personal data), including schs 15 and16 – 25 May
  • ss 174 to 176 (defining the special purposes, assisting with special purposes proceedings and staying such proceedings) – 25 May
  • ss 177 to 179 (Commissioner’s guidance on redress against media organisations and review of processing of personal data for journalism and Secretary of State’s report on the effectiveness of media’s dispute resolution procedures), including sch 17 – 23 July
  • ss 180 and 181 (court jurisdiction and interpretation of part 6) – 25 May
  • ss 182 to 186 (regulation-making power, power to reflect changes to Data Protection Convention, prohibition of requirement to produce records, contract terms relating to health records and effect of data subject’s rights on disclosure), including sch 18 – 25 May
  • s 187 (representation of data subjects with their authority) – 25 May
  • ss 188 to 190 (other provisions relating to representation of data subjects) – 23 July
  • ss 191 to 194 (Framework for Data Processing by Government and related provisions) – 23 July
  • s 195 (reserve forces: data sharing by HMRC) – 23 July
  • ss 196 to 203 (offences and tribunals) – 25 May
  • ss 204 to 206 (interpretation) – 23 May
  • ss 207 and 208 (territorial application and children in Scotland) – 25 May
  • ss 209 and 210 (application to the Crown and application to Parliament) – 23 May
  • s 211 (minor and consequential provision), including sch 19 but excepting paras 76, 201, 211 and 227 of sch 19 – 25 May
  • s 212 (commencement) – 23 May
  • s 213(1) (transitional provision), including sch 20 – 25 May
  • s 213(2) and (3) (power to make further transitional provision) – 23 May
  • ss 214 and 215 (extent and short title) – 23 May.

Note that, presumably to cover anything overlooked, s 212(2)(f) provides that ‘any other provision of this Act so far as it confers power to make regulations or Tribunal Procedure Rules or is otherwise necessary for enabling the exercise of such a power on or after the day on which this Act is passed’.

Provisions not in force

It follows from the above provisions that, as of 6 June, the following are not in force and not subject to any commencement provision:

  • Sch 6, para 62 (which appears to make a technical amendment to the GDPR, Article 89 (safeguards and derogations relating to processing for archiving purposes etc)
  • In part 4 (intelligence service processing):

s 93 (right to information)

s 102 (general obligations of the controller)

s 103 (data protection by design)

s 104 (joint controllers)

s 105 (processors)

s 108 (communication of a personal data breach)

  • In sch 19 (minor and consequential amendments), paras 76, 201, 211 and 227 (which appear to relate to (i) investigatory powers and (ii) social workers).

It is however worth noting that where provisions are brought into force requiring the Information Commissioner to prepare a code of practice, such as the age-verification code under s 123 (in force from 23 July), the obligation includes an obligation to consult. Post-consultation and preparation, there is a procedure for approval of the code (including a 40-day period after laying the code before Parliament). So the date on which such codes bite remains uncertain and is certainly well beyond 23 July.

Note too the very detailed transitional provision in sch 20 to the Act and the esoteric transitional and saving provisions relating to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 in reg 4 of SI2018/625.

The text of the Act as enacted is available on at You can trace the history of the proceedings on the Parliament website at

Published: 2018-05-23T16:51:50

    This site uses cookies. By using the site you agree to our use of cookies as set out in our Privacy Policy.

    Please wait...