What are the Differences Between Data Protection Act 1998 and GDPR?

5 min read
James Mignacca
June 15, 2022
James Mignacca
June 15, 2022
Related Resource
Take Cavelo for a Spin
Screenshot of the Cavelo dashboard
See how our platform can manage your company's digital assets and sensitive data, all through a single pane of glass.

If your business sells products or services to consumers living in EU countries and the UK, or just collects data from EU and UK-based consumers, then your business must comply with relevant regional laws, even if your business is based in North America. The United States, on the other hand, follows a data privacy approach that is guided by various state laws and sector-specific privacy laws

There are two primary data privacy laws in the UK right now, the Data Protection Act 1998 and the European Union’s General Data Protection Regulation.

In this blog we take a look at what both of these regulations are, how they differ and what that means for your organization.

What is GDPR?

The General Data Protection Regulation (GDPR) came into effect in May 2018, and brought in a new era of comprehensive data protection standards for consumers based across the European Union.

Covering all organizations that collect or process the personally identifiable information (PII) of EU consumers, the GDPR was created by the European Union to provide greater transparency and data protection of its citizens.

The GDPR is the toughest privacy and security law in the world. Giving consumers more rights regarding what data is held about them, how it can be used and when it should be deleted, and setting strict guidelines on how businesses collect and process personal information from EU citizens.

There are seven primary principles of GDPR:

  1. Lawfulness, fairness and transparency: The processing of data must be lawful, fair and transparent to the data subject.
  2. Purpose limitation: Businesses must process data for the legitimate purposes specified explicitly to the data subject when the data was collected.
  3. Data minimization: Organizations should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy: All personal data must be kept accurate and up to date.
  5. Integrity and confidentiality: Data processing must be done in such a way as to ensure appropriate security, integrity and confidentiality.
  6. Accountability: Data controllers are responsible for being able to demonstrate GDPR compliance with all of these principles.

Organizations that fail to comply with GDPR regulations can be fined 20 million (euros) or 4 percent of their annual turnover, whichever is greater.

What is the Data Protection Act 1998?

The Data Protection Act 1998 was introduced by the UK’s House of Parliament to protect personal data stored on computers or in organized paper filing systems, taking inspiration from the EU’s Data Protection Directive 1995 on the protection, processing, and movement of data.

All UK businesses holding personal data about third parties (consumers) must comply with the Data Protection Act. The act's principles are as follows:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Differences between Data Protection Act 1998 and GDPR

Sounds pretty similar to GDPR right? There are a few key differences that organizations should know if they are required to comply (or might be in the future) with both GDPR and the Data Protection Act 1998.

Geographic reach

While GDPR applies to both data processing carried out by organizations operations within the EU and to organizations based outside the EU which offer services or goods to individuals based within the EU, the Data Protection Act 1998 only applies to data processing carried out by organizations operating within the UK.

Data protection

Unlike the Data Protection Act 1998, the GDPR mandates organizations with more than 250 employees or firms which process more than 5,000 subject profiles annually to appoint a dedicated Data Protection Officer. Companies also have to demonstrate “data protection by design” measures to comply with GDPR, which essentially means companies must ensure they consider privacy and data protection issues at the design phase of any system, service, product or process and then continue that throughout the entire lifecycle.

Consent policies

One of the defining differences between GDPR and the Data Protection Act 1998, the consent rules between both regulations are completely different. While data collection does not necessarily need an opt-in in the Data Protection Act, GDPR requires clear privacy notices so that consumers can make an informed decision on whether they consent to allow their data to be stored and used.


GDPR places a much greater focus on accountability than the Data Protection Act, requiring organizations to prove they comply with the regulation. Under GDPR, companies must commit to mandatory activities like data audits, staff training and keeping detailed documentation of how they collect, store and process data.

New consumer rights

Under the GPR, consumers have been given substantial new rights; such as the right to be forgotten, the right to object to automated decision making; as well as data portability rights.

Are you looking to improve your data protection strategy and ensure your organization complies with data privacy regulations?

Get a demo of the Cavelo platform today, and learn how we help companies gain complete visibility over their sensitive data, and achieve compliance with regional regulations like GDPR and the Data Protection Act 1998.

Share this post
Our blog. Your inbox.

Receive thought leadership content, advice from industry experts, and news about events with your peers. You can unsubscribe at any time.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Want to schedule a demo?

We’re confident you’ll love Cavelo. But if we’re not a good fit for your unique business security needs, no hard feelings.