The Data Protection Act 2018 implements the EU General Data Protection Regulation into UK law and creates an "applied GDPR" regime for processing outside the GDPR’s direct scope. It sets out controllers’ and processors’ duties, special‑category and criminal‑offence data rules, the six data‑protection principles, data‑subject rights, requirements for data‑protection impact assessments and prior consultation, and bespoke safeguards for research, archiving and national security.

The Act establishes the Information Commissioner as the UK supervisory authority with investigatory and enforcement powers (information, assessment and enforcement notices, monetary penalties and powers of entry), provides for codes of practice and accreditation, and creates statutory exemptions, transitional arrangements and national‑security certificate procedures to balance privacy with public‑interest and security needs.