Anyone holding personal data for other purposes was legally obliged to comply with this Act, subject to some exemptions.

The Act defined eight data protection principles to ensure that information was processed lawfully.

The DPA 2018 supplements the EU General Data Protection Regulation (GDPR), which came into effect on 25 May 2018.

Exemptions remain for the marketing of "similar products and services" to existing customers and enquirers, which can still be permitted on an opt-out basis.

[4] In some cases, paper records could have been classified as a relevant filing system, such as an address book or a salesperson's diary used to support commercial activities.

If an organisation "intends to continue to hold or use personal data after the relationship with the individual ends, then the consent should cover this."

[26] The Act also impacted the way in which organisations conducted business in terms of who should have been contacted for marketing purposes, not only by telephone and direct mail, but also electronically.

[28] The Information Commissioner's Office website stated regarding subject access requests:[29] "You have the right to find out if an organisation is using or storing your personal data.

Before the General Data Protection Regulation (GDPR) came into force on 25 May 2018, organisations could have charged a specified fee for responding to a SAR of up to £10 for most requests.

[30][31] In January 2017, the Information Commissioner's Office invited public comments on the EU's Article 29 Working Party's proposed changes to data protection law and the anticipated introduction of extensions to the interpretation of the Act, the Guide to the General Data Protection Regulation.