Data Protection Act 2018
The UK's primary data-protection statute that implements and supplements the UK GDPR for domestic enforcement purposes.
Last refreshed: 20 May 2026 · Appears in 1 active topic
Why is the ICO using a 2018 data protection law to fine water companies for 2026 cyberattacks?
Timeline for Data Protection Act 2018
ICO fines South Staffs Water £963,900
Cybersecurity: Threats and DefencesWhat is the Data Protection Act 2018 and how does it differ from GDPR?
Can the ICO fine a water company under the Data Protection Act 2018 for a cyberattack?
Is the UK Cyber Security and Resilience Bill a replacement for the Data Protection Act?
Background
The Data Protection Act 2018 (DPA 2018) is the UK's primary data-protection legislation, enacted to implement the EU's General Data Protection Regulation into domestic law ahead of the Brexit transition period. It supplements and tailors the UK GDPR (retained in UK law after Brexit via the European Union (Withdrawal) Act 2018), setting out exemptions, special categories, and the enforcement framework for the Information Commissioner's Office. The Act carries a maximum penalty of £17.5 million or 4% of global annual turnover for the most serious infringements.
The DPA 2018 is the legal instrument underpinning the ICO's enforcement action against South Staffordshire Plc and South Staffordshire Water Plc, fined £963,900 on 12 May 2026 following a 2022 ransomware breach that ran undetected for 20 months. The ICO's enforcement route combined DPA 2018 with UK GDPR Article 32, the security-of-processing obligation, rather than the Cyber Security and Resilience Bill that remains at Commons Report Stage from 2 March 2026. That distinction matters: the water sector's regulatory security baseline is already legally enforceable through the DPA 2018 and UK GDPR before Parliament completes the new statutory cyber regime.
The DPA 2018 sits alongside the Network and Information Systems (NIS) Regulations 2018 for essential-service operators, and is expected to interact with the Cyber Security and Resilience Bill once enacted. Until that Bill receives Royal Assent, the DPA 2018 and UK GDPR represent the live enforcement toolkit the ICO is using to price inadequate security controls at critical national infrastructure operators.