Data Protection Act 2018 and Drones in the UK

Quick Answer: The Data Protection Act 2018 (DPA 2018) is the UK's primary data protection statute, supplementing and implementing the UK General Data Protection Regulation (UK GDPR). For drone operators, DPA 2018 defines when data protection law applies, sets out the domestic purposes exemption, establishes the Information Commissioner's enforcement powers, and creates the framework for special category data, impact assessments, and record-keeping that affects anyone capturing footage from the air.

How DPA 2018 Relates to UK GDPR

The UK's data protection framework operates on two pillars. The UK General Data Protection Regulation — retained in domestic law from the EU GDPR after Brexit via the European Union (Withdrawal) Act 2018 — sets out the core principles, rights, and obligations. The Data Protection Act 2018 supplements UK GDPR by providing additional detail, exemptions, and procedural rules specific to the UK context.

For drone operators, the interaction between these two instruments is important. UK GDPR establishes the overarching principles — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. DPA 2018 fills in the gaps: it defines the domestic purposes exemption, sets out conditions for processing special category data, establishes the ICO's powers, and creates rights and remedies for data subjects.

Key Legislation: Data Protection Act 2018 (c. 12). UK General Data Protection Regulation (UK GDPR), retained via European Union (Withdrawal) Act 2018. Information Commissioner's Office (ICO) guidance on drone use and data protection.

The Domestic Purposes Exemption

Section 2(1)(c) of DPA 2018 provides that the Act does not apply to the processing of personal data by an individual in the course of a purely personal or household activity. This is the exemption most commonly cited by recreational drone operators.

The scope of this exemption is critical for drone users. The ICO interprets it narrowly. Processing qualifies as personal or household only if:

A drone operator who films a family holiday and keeps the footage in a private album is likely within the exemption. A drone operator who uploads scenic footage to a public YouTube channel — even without commercial intent — falls outside it, and the full weight of UK GDPR and DPA 2018 applies.

Special Category Data

Article 9 of UK GDPR, supplemented by Schedule 1 of DPA 2018, imposes additional restrictions on the processing of special category data. This includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, and data concerning sex life or sexual orientation.

Drone footage may inadvertently capture special category data. For example, footage of a place of worship with identifiable attendees could reveal religious beliefs. Footage of a political rally or protest could reveal political opinions. Footage showing individuals in medical situations could reveal health data.

Where special category data is captured, a lawful basis under Article 6 is not sufficient on its own. The drone operator must also meet one of the conditions in Article 9(2) of UK GDPR and, where applicable, the relevant condition in Schedule 1 of DPA 2018. For most drone operators, the practical solution is to avoid capturing such data through careful flight planning and post-production editing.

Data Protection Impact Assessments

Article 35 of UK GDPR requires a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to the rights and freedoms of natural persons. The ICO has identified several types of processing that require a DPIA, two of which are directly relevant to drone operations:

A DPIA must describe the processing, assess its necessity and proportionality, identify risks to data subjects, and set out measures to mitigate those risks. The assessment must be documented and kept on file. If the DPIA indicates a high risk that cannot be mitigated, the drone operator must consult the ICO under Article 36 before proceeding.

Record-Keeping Requirements

Article 30 of UK GDPR requires controllers to maintain records of processing activities. DPA 2018 reinforces this obligation. For drone operators processing personal data beyond the domestic purposes exemption, this means maintaining a written record that includes:

Small organisations and individual operators may be exempt from this requirement under Article 30(5) if processing is occasional, does not include special category data, and is unlikely to result in a risk to individuals' rights. However, regular or systematic drone operations — such as weekly property surveys or ongoing environmental monitoring — are unlikely to qualify as occasional.

The ICO's Enforcement Powers

The Information Commissioner's Office is the UK's independent supervisory authority for data protection. Under DPA 2018, the ICO has extensive enforcement powers relevant to drone operators:

Under Section 170 of DPA 2018, it is a criminal offence to knowingly or recklessly obtain personal data without the consent of the controller. A drone operator who deliberately captures personal data in defiance of data protection requirements may face criminal prosecution in addition to regulatory sanctions.

Exemptions Relevant to Drone Operators

Schedules 2 and 3 of DPA 2018 set out various exemptions from certain UK GDPR provisions. Those most relevant to drone operators include:

Practical Compliance Checklist for Drone Operators

  1. Determine whether your drone footage captures or is likely to capture personal data.
  2. Assess whether the domestic purposes exemption under Section 2(1)(c) genuinely applies to your activity.
  3. If the exemption does not apply, identify and document your lawful basis under Article 6 of UK GDPR.
  4. Check whether special category data may be captured and, if so, identify a condition under Article 9(2) and Schedule 1.
  5. Assess whether a DPIA is required. If in doubt, conduct one — the ICO recommends erring on the side of caution.
  6. Maintain records of your processing activities as required by Article 30.
  7. Implement data minimisation, appropriate retention periods, and security measures.
  8. Prepare to handle data subject requests (access, erasure, objection) within statutory timeframes.
  9. Consider appointing a Data Protection Officer if your processing is regular and systematic.
  10. Stay informed of ICO guidance updates relevant to drone use.

Check your flight plan instantly with MmowW Drone — the compliance companion built by a Gyoseishoshi.

Start Free — Your Drone, Legally Clear 0 setup fees · cancel anytime · BigMac Price forever