NorthRow

Data Protection Act 2018 definition and meaning | AML glossary

If you work in AML compliance, the Data Protection Act 2018 (DPA 2018) is something you need to work with every day. This legislation sits alongside the UK General Data Protection Regulation (UK GDPR) and gives it teeth in domestic law. The DPA 2018 sets the rules for how organisations must handle personal data. That means how it’s collected, stored, used, shared, and – perhaps most importantly – protected.

At its core, the DPA 2018 is about fairness, transparency, and accountability. It’s there to stop misuse of personal data and to give people control over how their information is handled. For AML teams, that includes everything from customer onboarding data to transaction histories and suspicious activity reports.

There are specific sections of the Act that directly affect how you manage compliance. For example, the Act introduces six lawful bases for processing personal data. Most AML teams rely on “legal obligation” and “public task” as their foundation for collecting and analysing data for money laundering risks. But it’s not just about having a lawful basis. The way you handle that data – how it’s stored, who can access it, how long it’s retained – has to meet the standards set out in the Act.

One area of the DPA 2018 that can catch people off guard is the principle of data minimisation. You can’t just collect everything ‘just in case’ – you need to show that the data you gather is adequate, relevant, and limited to what’s necessary for your compliance obligations. That means your customer risk assessments, PEP screenings and transaction monitoring setups need to be targeted and justified.

The Act also brought in new requirements around accountability. It’s not enough to comply – you need to be able to prove that you’re complying. That could mean having a data protection policy that’s clearly aligned with your AML procedures, or making sure you’ve logged your legal basis for every bit of customer data you process.

Data Protection Act definition

“An Act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner’s functions under certain regulations relating to information; to make provision for a direct marketing code of practice; and for connected purposes.”

Source: Legislation.gov.uk, Data Protection Act 2018

What impact does the Data Protection Act 2018 have on compliance teams?

AML teams often sit on a goldmine of sensitive information – passport scans, bank account details, IP logs, and behavioural data. Under the DPA 2018, holding that kind of data comes with a responsibility to get it right, not only from a security standpoint but also from a purpose and retention point of view.

One of the first things to get clear is what’s legally required versus what’s simply convenient. It can be tempting to hold on to data just in case it becomes useful later. But retention needs to be tied to legal obligations. Under money laundering regulations, that’s typically five years after a customer relationship ends. But keeping it longer – without a legitimate reason – could land you in hot water with the ICO.

Then there’s the issue of lawful basis. You’ll almost always be relying on “legal obligation” when processing data for KYC, KYB, monitoring, or filing SARs. But if your firm also uses data for analytics or business development, that shifts the lawful basis – and that needs to be reflected in your records and your privacy notices. It’s worth sitting down with your Data Protection Officer (if you have one) or legal team and mapping out what basis applies to each data use case. It’s not something you want to leave to chance.

Another key area where the DPA 2018 and AML work overlap is in data sharing. Think about SARs: you’re expected to share certain information with law enforcement or regulators, but that doesn’t mean you can share it freely within your business or with third parties. Each disclosure needs to be necessary, proportionate, and documented. Blanket data access across departments is a red flag, especially if there’s no clear need-to-know basis.

Encryption, access controls, and audit logs aren’t just IT department concerns – they’re part of your data protection obligations. If a breach happens, and you can’t show that you had adequate technical measures in place, the ICO won’t look kindly on it. For AML managers, that means working closely with your tech and security teams to review how sensitive data is stored and accessed.

Finally, there’s training. Data protection can’t be siloed. If your front-line analysts don’t understand what a subject access request is, or how to respond to a customer who wants their data erased, you’ve got a gap. Regular, practical training – tailored to the AML function – goes a long way to keeping things on track.

Getting DPA 2018 compliance right is about protecting the trust your customers place in you and showing regulators that your AML setup is mature, responsible, and built to last. If you treat data the way you treat financial risk – with precision, accountability, and a clear audit trail – you’re already on solid ground.
