Data Protection Act 2018
The UK's primary data-protection statute that implements and supplements the UK GDPR for domestic enforcement purposes.
Last refreshed: 20 May 2026 · Appears in 1 active topic
Why is the ICO using a 2018 data protection law to fine water companies for 2026 cyberattacks?
Timeline for Data Protection Act 2018
ICO fines South Staffs Water £963,900
Cybersecurity: Threats and Defences

- What is the Data Protection Act 2018 and how does it differ from GDPR?
  The DPA 2018 implemented the EU GDPR into UK law before Brexit and supplements the retained UK GDPR. It sets exemptions, special-category rules, and the ICO's enforcement powers. The UK GDPR and DPA 2018 together now form UK data-protection law post-Brexit.
- Can the ICO fine a water company under the Data Protection Act 2018 for a cyberattack?
  Yes. The ICO fined South Staffordshire Plc and South Staffordshire Water £963,900 in May 2026 under the DPA 2018 and UK GDPR Article 32 for a ransomware breach, demonstrating the Act applies to CNI operators before new cyber legislation reaches Royal Assent. Source: ICO
- Is the UK Cyber Security and Resilience Bill a replacement for the Data Protection Act?
  No. The CS&R Bill, currently at Commons Report Stage, adds sector-specific cyber obligations for essential-service operators. It sits alongside, not above, the DPA 2018 and UK GDPR, which remain the live enforcement toolkit for data-breach incidents.
Background
The Data Protection Act 2018 (DPA 2018) is the UK's primary data-protection legislation, enacted to implement the EU's General Data Protection Regulation into domestic law ahead of the Brexit transition period. It supplements and tailors the UK GDPR (retained in UK law after Brexit via the European Union (Withdrawal) Act 2018), setting out exemptions, special categories, and the enforcement framework for the Information Commissioner's Office. The Act carries a maximum penalty of £17.5 million or 4% of global annual turnover for the most serious infringements.
The DPA 2018 is the legal instrument underpinning the ICO's enforcement action against South Staffordshire Plc and South Staffordshire Water Plc, fined £963,900 on 12 May 2026 following a 2022 ransomware breach that ran undetected for 20 months. The ICO's enforcement route combined DPA 2018 with UK GDPR Article 32, the security-of-processing obligation, rather than the Cyber Security and Resilience Bill that remains at Commons Report Stage from 2 March 2026. That distinction matters: the water sector's regulatory security baseline is already legally enforceable through the DPA 2018 and UK GDPR before Parliament completes the new statutory cyber regime.
The DPA 2018 sits alongside the Network and Information Systems (NIS) Regulations 2018 for essential-service operators, and is expected to interact with the Cyber Security and Resilience Bill once enacted. Until that Bill receives Royal Assent, the DPA 2018 and UK GDPR represent the live enforcement toolkit the ICO is using to price inadequate security controls at critical national infrastructure operators.