The legal regime you will be processing under will depend on whether you are a competent authority and your purposes for processing personal data. The Data Protection Act 2018 (DPA) sets out the UK’s data protection framework, alongside the General Data Protection Regulation (GDPR). It comprises the following data protection regimes:
- Part 2 – supplements and tailors the GDPR in the UK;
- Part 3 – sets out a separate regime for criminal law enforcement processing; and
- Part 4 – sets out a separate regime for the three intelligence services.
We are currently developing our guidance on the separate data protection regime that applies to intelligence services. It will cover the provisions in part 4 of the Data Protection Act 2018 (DPA 2018).