Data Protection for the Screen Industries: Legal Responsibilities Under the 2018 Act

The Data Protection Act 2018 (DPA 2018) is the UK’s main data protection legislation. It sets out the legal responsibilities that businesses must follow when handling personal data. The Act works alongside the UK General Data Protection Regulation (UK GDPR), the version of the EU GDPR retained in UK law after Brexit. In practice the UK GDPR contains most of the detailed rules (the principles, lawful bases and individual rights), and the DPA 2018 supplements and tailors them for the UK; the two have to be read together. 

For businesses in the screen sector, the DPA 2018 governs everyday activities such as casting, filming, recording, storing actor information, managing payroll, and using online platforms. This guide explains your legal duties under the Act and how to apply them in practice.

Please note: This guidance does not cover electronic marketing activities (such as promotional emails, newsletters, or marketing texts), which are subject to separate rules under the Privacy and Electronic Communications Regulations 2003 (PECR). PECR sits alongside the Data Protection Act 2018 and gives people additional privacy rights in relation to electronic communications. If your business carries out any kind of direct marketing or uses tracking technologies such as cookies, you must ensure you also comply with PECR. Guidance is available from the ICO.  

Scope and Applicability

The Data Protection Act 2018 applies to any business that collects or uses personal data. This includes information gathered from cast, crew, freelancers, job applicants, and anyone else involved in your productions or business activities. 

The Act defines personal data as information that relates to an identifiable individual. This can include names, emails, phone numbers, images, video recordings, or even opinions about a person. 

Lawful Basis for Processing Personal Data 

Under the Data Protection Act 2018, read with Article 6 of the UK GDPR, every business must identify a lawful basis before it processes personal data, and should record which basis it relies on for each purpose. The most relevant for screen sector businesses include: 

  • Consent – where individuals clearly agree to the data being used for a specific purpose. Consent is only valid where the person has a genuine free choice, so it is rarely the right basis for processing that cast or crew cannot realistically refuse. 

  • Contract – where the data is needed to fulfil a contract with the individual (e.g. paying cast or crew). 

  • Legal obligation – where you are required to process certain data to comply with the law (e.g. tax or employment laws). 

  • Legitimate interests – where you have a genuine reason to use the data, the processing is necessary for that reason, and you have balanced it against the individual’s rights and interests (record this balancing as a legitimate interests assessment). 

  • Vital interests – where using someone’s personal data is necessary to protect life or prevent serious harm, such as in a health emergency on set. 

A sixth basis, public task, applies mainly to public authorities and is unlikely to be relevant to a production company. These lawful bases are established under the UK GDPR but enforced through the Data Protection Act 2018. 

Consent and Release Forms 

When relying on consent under the Data Protection Act 2018, it must be: 

  • Freely given, specific, informed, and unambiguous 

  • Given by a clear affirmative action and clearly recorded (e.g. signed release forms), so that you can show when, how and for what the person consented 

  • As easy for the individual to withdraw as it was to give, at any time 

Withdrawing consent stops future processing but does not make processing carried out before the withdrawal unlawful, so footage already published lawfully is not retrospectively affected. 

Example: An interviewee signs a release form to appear in a film. The form explains how the footage will be used, tells the interviewee how to withdraw consent, and the signed copy is stored securely. This satisfies the consent requirements under the Act. Note that a release form usually also grants the production rights in the footage; that licence is a separate contractual matter from data protection consent, and should be dealt with as such. 

Non-Disclosure Agreements (NDAs) 

NDAs are often used to protect confidential information such as scripts, budgets, or business plans. While NDAs are separate legal tools, if they involve personal data (e.g. names, salaries, addresses), the handling of that data must still comply with the Data Protection Act 2018. 

The Act applies regardless of whether data is covered by a contract or NDA: an NDA can restrict what the other party discloses, but it does not create a lawful basis, remove individuals’ rights, or replace the security and retention duties described below. 

Data Minimisation and Retention 

Under the Data Protection Act 2018, businesses must: 

  • Only collect data that is necessary and relevant 

  • Keep it only for as long as it is needed 

  • Delete or anonymise it when it is no longer required 

This is part of the data minimisation and storage limitation principles in the Act. 

Example: If you collect audition tapes or self-tapes for a specific production, you should not keep them longer than necessary. Once the casting process is complete and the production has ended, you should delete these files, including any copies held in email, shared drives, messaging apps and backups, unless you have clear consent to retain them for future opportunities. Set a retention period for each type of record in advance and record it in your retention policy, rather than deciding case by case. 

Note: While it may not always be practical to anonymise video files, you can take steps such as renaming files so that they do not carry the performer’s name, storing them separately from other production material, and restricting access to the people who need it, to reduce the risk of unnecessary exposure or use. 

Data Security Measures 

The Data Protection Act 2018 requires businesses to put appropriate technical and organisational security measures in place to protect personal data from accidental loss, unauthorised access, or misuse. What is “appropriate” depends on the sensitivity of the data and the harm a breach could cause; health disclosures and unreleased footage warrant more protection than a crew contact list. This includes: 

  • Using strong, unique passwords with multi-factor authentication, encrypting laptops, phones and portable drives that hold personal data, and using cloud platforms configured so that footage and documents are not publicly accessible 

  • Locking physical records, including signed release forms and paper call sheets 

  • Controlling who can access personal data internally, granting access on a need-to-know basis and removing it when someone leaves the production 

  • Backing up data safely, with backups protected to the same standard as the live data and included in your retention and deletion routine 

Failure to put appropriate security in place infringes the security principle of the Act even if no incident has yet occurred, and if data is then lost or accessed without authorisation this will also be a personal data breach (see Data Breaches below). 

Working with Third Parties 

If you use third-party companies to handle data on your behalf (such as payroll services, casting platforms or cloud storage providers), they act as your “processor” and you remain the “controller”. You must ensure they comply with the Data Protection Act 2018. 

The Act requires: 

  • A written contract setting out how data will be handled, including that the processor acts only on your documented instructions, keeps the data secure, helps you respond to individuals’ requests and breaches, and deletes or returns the data at the end of the service 

  • Evidence that the third party meets appropriate security and compliance standards, checked before you appoint them and reviewed periodically 

  • Clear limits on how data is used or shared, including whether the processor may use sub-processors or move the data outside the UK (see International Data Transfers below) 

You remain responsible for the data, even if it is processed by someone else. 

Data Subject Rights 

Under the Data Protection Act 2018, individuals have legal rights over their personal data. These rights include: 

  • The right to be informed about how their data is used, normally through a privacy notice 

  • The right to access their personal data (a subject access request), including copies of the data and information about why and with whom it is shared 

  • The right to correct inaccurate or incomplete data 

  • The right to request erasure of data in some circumstances 

  • The right to restrict or object to certain types of processing 

  • The right to data portability, meaning they can ask for data they provided to you, where processed by automated means on the basis of consent or contract, in a structured, commonly used and machine-readable format 

Most of these rights are not absolute, so you should know the grounds on which you may refuse a request and explain them if you do. Businesses must respond to requests without undue delay and at the latest within one month of receiving them; this can be extended by up to two further months for complex or numerous requests, provided you tell the individual within the first month. Keep records of each request and the action taken, and make sure staff can recognise a request however it arrives (an email or a message on set counts). 

Data Breaches 

A personal data breach occurs when personal data is lost, stolen, accessed without permission, disclosed in error, or made unavailable, for example through ransomware or a lost drive. Under the Data Protection Act 2018 a business must: 

  • Record all breaches, even minor ones that do not need reporting, together with the facts, the effects, and the steps taken to resolve them 

  • Report the breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals’ rights and freedoms; if you report late, you must explain the delay 

  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to them, telling them what happened and what they can do to protect themselves 

The 72-hour clock runs from when you become aware of the breach, not from when you finish investigating it, so it helps to have a data breach policy in place that says who must be told, who decides whether to report, and where the breach log is kept. This is strongly advised. 

Special Categories of Personal Data 

The Data Protection Act 2018 and UK GDPR classify certain data as “special category” data. This includes: 

  • Racial or ethnic origin 

  • Health and medical data, including disability, pregnancy and mental health 

  • Sex life or sexual orientation 

  • Religious or philosophical beliefs, political opinions, and trade union membership 

  • Genetic data, and biometric data used to identify someone 

Criminal offence data is not special category data but is subject to similar restrictions of its own. 

Processing special category data requires stronger safeguards: as well as a lawful basis under Article 6, you need a separate condition under Article 9 of the UK GDPR, such as explicit consent or the employment condition, and for several of those conditions an additional condition in Schedule 1 of the DPA 2018 together with an “appropriate policy document”. Record which condition you rely on. 

Example: If a production collects allergy information or mental health disclosures for safety reasons, identify the condition you rely on, store the data securely and separately from general crew records, limit access to the people who need it (e.g. the production manager and first aider), and do not circulate it on call sheets or in group messages. 

Children’s Data 

The Data Protection Act 2018, together with the UK GDPR, gives children extra protections when it comes to how their personal data is collected and used. 

If your business collects personal data from children, for example, through casting, filming, or digital services, you must make sure the child understands what’s happening with their data, and that your approach is fair and appropriate for their age. 

If your lawful basis is consent and you offer an online service directly to children (an “information society service”, such as a streaming platform, app or website), you must get parental consent for children under 13 and make reasonable efforts to verify that it has been given. This rule comes from Article 8 of the UK GDPR, with the age of 13 set by section 9 of the DPA 2018. 

For non-digital services, such as participation in a film or live production, children may be able to give consent themselves if they are mature enough to understand the data being collected and how it will be used. If they are not able to understand, you must get consent from a parent or guardian. 

Regardless of the situation, privacy information aimed at children must be clear, age-appropriate, and easy to understand. You should also explain how children can later withdraw their consent if they become able to make that decision themselves. 

Example: A production team collecting health or allergy information for a child actor must assess whether the child can understand what is being asked. If not, consent should be obtained from a parent or guardian, and the information must be kept securely with limited access. 

International Data Transfers 

If your business needs to transfer personal data to a country outside the UK, for example, by using overseas cloud storage, editing services, or production partners, the Data Protection Act 2018 and UK GDPR require you to ensure that the data remains properly protected. 

There are legal limits on transferring personal data internationally, but transfers can still take place if certain safeguards are in place. 

You must: 

  • Check whether the destination is covered by UK adequacy regulations. This means the UK has officially recognised that the country, territory, sector or organisation offers adequate protection. If it is, no further safeguard is needed, but you should still record that you checked. 

  • If there is no adequacy decision, you must: 

      • Use a recognised safeguard, such as the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses 

      • Carry out a transfer risk assessment to decide whether the safeguard actually protects the data in practice, taking account of the laws and government access powers in the destination country 

      • Apply technical and organisational measures, such as encryption or access controls, to reduce the risks 

Example: If your business stores personal data on a cloud server based in the US, first check whether the provider is certified under the UK Extension to the EU-US Data Privacy Framework (the “UK-US data bridge”), which the UK has recognised as adequate for certified organisations. If it is not, you must put an IDTA or the UK Addendum in place with the provider and assess the risks of that data being accessed or mishandled. Note that giving an overseas editor or partner remote access to data held in the UK is still a transfer. 

It’s important to review international data transfers regularly, especially if your providers change locations or if the law in the destination country changes. 

For more information, see the ICO’s Guide to International Transfers

Accountability and Record-Keeping 

The accountability principle under the Data Protection Act 2018 means businesses must be able to show they comply with the law. This includes: 

  • Documenting what data you collect and why 

  • Keeping a record of who has access to personal data 

  • Writing and following data protection policies 

  • Providing staff training on privacy responsibilities 

Keeping good records will help you demonstrate compliance if challenged. 

Enforcement and Penalties 

The Information Commissioner’s Office (ICO) enforces the Data Protection Act 2018. It has the power to: 

  • Investigate complaints and breaches 

  • Issue warnings or enforcement notices 

  • Impose fines of up to £17.5 million or 4% of annual global turnover, whichever is higher, for the most serious infringements (a lower tier of £8.7 million or 2% applies to others) 

Complying with the Act protects your business from reputational damage, legal claims, and financial penalties. 

Data Protection Impact Assessments (DPIAs) 

The Data Protection Act 2018 and UK GDPR require businesses to carry out a Data Protection Impact Assessment (DPIA) when new or changed data processing is likely to pose a high risk to individuals’ rights and freedoms. 

This applies to activities such as: 

  • Workplace surveillance or performance tracking 

  • Using new technologies to process data, including facial recognition or AI tools applied to footage or casting 

  • Collecting sensitive data from employees, cast or crew at scale 

  • Installing CCTV or audio recording in the workplace 

A DPIA describes the processing, assesses its necessity and the risks to individuals, and records how you plan to reduce or eliminate them. It must be completed before the data processing begins. If the DPIA leaves a high risk that you cannot reduce, you must consult the ICO before starting. 

Further reading: BECTU – Data Protection Impact Assessments: A Union Guide 

Conclusion 

The Data Protection Act 2018 is a key piece of legislation that all businesses in the screen sector must understand and follow. Whether you are handling sensitive production data, or working with third-party service providers, your legal responsibilities around data protection are ongoing and wide-ranging. 

By putting clear processes in place around consent, security, retention, and accountability, you not only comply with the law but also help to build trust with cast, crew, clients, and collaborators. Where the UK GDPR adds further detail, it complements and reinforces the duties set out in the DPA 2018. 

If you are unsure whether a particular activity is covered by the law, or whether your current practices are compliant, it is always worth seeking further guidance or completing a Data Protection Impact Assessment. 

A proactive approach to data protection is not only a legal requirement, but also good business practice. 

Last updated 09/06/2025
