Data Protection Act 2018 and Drones in the UK
Quick Answer: The Data Protection Act 2018 (DPA 2018) is the UK's primary data protection statute, supplementing and implementing the UK General Data Protection Regulation (UK GDPR). For drone operators, DPA 2018 defines when data protection law applies, sets out the domestic purposes exemption, establishes the Information Commissioner's enforcement powers, and creates the framework for special category data, impact assessments, and record-keeping that affects anyone capturing footage from the air.
How DPA 2018 Relates to UK GDPR
The UK's data protection framework operates on two pillars. The UK General Data Protection Regulation — retained in domestic law from the EU GDPR after Brexit via the European Union (Withdrawal) Act 2018 — sets out the core principles, rights, and obligations. The Data Protection Act 2018 supplements UK GDPR by providing additional detail, exemptions, and procedural rules specific to the UK context.
For drone operators, the interaction between these two instruments is important. UK GDPR establishes the overarching principles — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. DPA 2018 fills in the gaps: it defines the domestic purposes exemption, sets out conditions for processing special category data, establishes the ICO's powers, and creates rights and remedies for data subjects.
The Domestic Purposes Exemption
Section 2(1)(c) of DPA 2018 provides that the Act does not apply to the processing of personal data by an individual in the course of a purely personal or household activity. This is the exemption most commonly cited by recreational drone operators.
The scope of this exemption is critical for drone users. The ICO interprets it narrowly. Processing qualifies as personal or household only if:
- The footage is kept entirely within a personal or family context.
- It is not shared publicly, including on social media, YouTube, or other platforms.
- It does not involve systematic or extensive monitoring of others.
- It has no commercial purpose whatsoever.
A drone operator who films a family holiday and keeps the footage in a private album is likely within the exemption. A drone operator who uploads scenic footage to a public YouTube channel — even without commercial intent — falls outside it, and the full weight of UK GDPR and DPA 2018 applies.
Special Category Data
Article 9 of UK GDPR, supplemented by Schedule 1 of DPA 2018, imposes additional restrictions on the processing of special category data. This includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, and data concerning sex life or sexual orientation.
Drone footage may inadvertently capture special category data. For example, footage of a place of worship with identifiable attendees could reveal religious beliefs. Footage of a political rally or protest could reveal political opinions. Footage showing individuals in medical situations could reveal health data.
Where special category data is captured, a lawful basis under Article 6 is not sufficient on its own. The drone operator must also meet one of the conditions in Article 9(2) of UK GDPR and, where applicable, the relevant condition in Schedule 1 of DPA 2018. For most drone operators, the practical solution is to avoid capturing such data through careful flight planning and post-production editing.
Data Protection Impact Assessments
Article 35 of UK GDPR requires a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to the rights and freedoms of natural persons. The ICO has identified several types of processing that require a DPIA, two of which are directly relevant to drone operations:
- Systematic monitoring of a publicly accessible area on a large scale. Drone surveillance of a town centre, beach, park, or other public space may trigger this threshold.
- Use of new technologies where the nature, scope, context, or purposes of the processing are likely to result in a high risk. Drones equipped with advanced cameras, thermal imaging, or facial recognition technology fall squarely within this category.
A DPIA must describe the processing, assess its necessity and proportionality, identify risks to data subjects, and set out measures to mitigate those risks. The assessment must be documented and kept on file. If the DPIA indicates a high risk that cannot be mitigated, the drone operator must consult the ICO under Article 36 before proceeding.
Record-Keeping Requirements
Article 30 of UK GDPR requires controllers to maintain records of processing activities. DPA 2018 reinforces this obligation. For drone operators processing personal data beyond the domestic purposes exemption, this means maintaining a written record that includes:
- The name and contact details of the controller (the drone operator or their organisation).
- The purposes of the processing.
- A description of the categories of data subjects and categories of personal data.
- The categories of recipients to whom the data has been or will be disclosed.
- Where applicable, details of transfers to third countries.
- The envisaged time limits for erasure of different categories of data.
- A general description of technical and organisational security measures.
Small organisations and individual operators may be exempt from this requirement under Article 30(5) if processing is occasional, does not include special category data, and is unlikely to result in a risk to individuals' rights. However, regular or systematic drone operations — such as weekly property surveys or ongoing environmental monitoring — are unlikely to qualify as occasional.
The ICO's Enforcement Powers
The Information Commissioner's Office is the UK's independent supervisory authority for data protection. Under DPA 2018, the ICO has extensive enforcement powers relevant to drone operators:
- Information notices (Section 142): Requiring the drone operator to provide information about their processing activities.
- Assessment notices (Section 146): Allowing the ICO to audit the drone operator's data protection practices.
- Enforcement notices (Section 149): Requiring the drone operator to take or refrain from specific actions to comply with data protection law.
- Penalty notices (Section 155): Imposing financial penalties. The standard maximum is 8.7 million GBP or 2% of annual worldwide turnover. The higher maximum — applicable for breaches of data processing principles, lawful basis requirements, and data subject rights — is 17.5 million GBP or 4% of annual worldwide turnover.
Under Section 170 of DPA 2018, it is a criminal offence to knowingly or recklessly obtain personal data without the consent of the controller. A drone operator who deliberately captures personal data in defiance of data protection requirements may face criminal prosecution in addition to regulatory sanctions.
Exemptions Relevant to Drone Operators
Schedules 2 and 3 of DPA 2018 set out various exemptions from certain UK GDPR provisions. Those most relevant to drone operators include:
- Journalism, academia, art, and literature (Schedule 2, Part 5): Processing for journalistic, academic, artistic, or literary purposes is exempt from certain provisions where compliance would be incompatible with those purposes and the processing is in the public interest. Drone journalists and documentary filmmakers may rely on this exemption.
- Crime prevention and detection (Schedule 2, Part 1): Personal data processed for the prevention or detection of crime, or the apprehension or prosecution of offenders, may be exempt from certain rights provisions where compliance would prejudice those purposes.
- Legal proceedings (Schedule 2, Part 1): Data processed in connection with legal proceedings or for obtaining legal advice may be exempt from certain provisions.
Practical Compliance Checklist for Drone Operators
- Determine whether your drone footage captures or is likely to capture personal data.
- Assess whether the domestic purposes exemption under Section 2(1)(c) genuinely applies to your activity.
- If the exemption does not apply, identify and document your lawful basis under Article 6 of UK GDPR.
- Check whether special category data may be captured and, if so, identify a condition under Article 9(2) and Schedule 1.
- Assess whether a DPIA is required. If in doubt, conduct one — the ICO recommends erring on the side of caution.
- Maintain records of your processing activities as required by Article 30.
- Implement data minimisation, appropriate retention periods, and security measures.
- Prepare to handle data subject requests (access, erasure, objection) within statutory timeframes.
- Consider appointing a Data Protection Officer if your processing is regular and systematic.
- Stay informed of ICO guidance updates relevant to drone use.
Check your flight plan instantly with MmowW Drone — the compliance companion built by a Gyoseishoshi.
Start Free — Your Drone, Legally Clear 0 setup fees · cancel anytime · BigMac Price forever