Table of Contents

The 8 principles of The Data Protection Act & GDPR

Reviewed & Written by:

|

Published:

|

Updated:

March 15, 2026
8 principles of The Data Protection Act & GDPR
Table of Contents

Data protection has become a paramount concern for individuals, businesses, and organisations. The United Kingdom has long been at the forefront of safeguarding personal data, with the Data Protection Act 1998 serving as a cornerstone of its efforts. This groundbreaking legislation introduced eight fundamental principles that set the standard for fair and lawful data processing. However, as technology advanced and the need for more robust protection grew, the Act underwent a significant overhaul, resulting in the implementation of the Data Protection Act 2018.

In this article, we will cover these core topics:

  • The 8 Principles of the Data Protection Act 1998: We’ll break down the core principles that guided data protection in the UK and their lasting impact.
  • Why a New Law Was Needed: We’ll discuss the technological changes and EU GDPR, which made an update to the law essential.
  • The Key Changes in the Data Protection Act 2018: We’ll outline the most critical updates, how they align with the GDPR, and how they affect UK businesses.

By the end of this article, you will have a comprehensive understanding of the evolution of data protection laws in the UK, the importance of staying compliant, and the role that the Data Protection Act 2018 plays in safeguarding individuals’ personal data in the digital age.

🔥Let’s get started.

What is the Data Protection Act 2018?

The Data Protection Act is a crucial legislation in the United Kingdom that governs personal data handling, processing, and storage. It sets out the legal framework for data protection and ensures that individuals’ personal information is collected, used, and shared fairly, transparently, and securely.

The Act applies to any organisation or individual that processes personal data, including businesses, government bodies, and charities. Personal data is any information that can be used to identify a living person, such as their name, address, email, phone number, or IP address.

The primary objective of the Data Protection Act is to give individuals control over their data and to protect their privacy rights. It does so by imposing obligations on organisations that process personal data, requiring them to handle the information responsibly and securely. 

This is achieved by:

  • Requiring organisations to handle personal data responsibly and securely.
  • Make sure data is collected with consent and used only for specific purposes.
  • Keeping data accurate and protected from unauthorised access.

The Act also grants individuals certain rights regarding personal data, such as the right to access the information they hold, the right to correct inaccurate data, and the right to object to processing personal data in certain circumstances.

Need for the Data Protection Act 2018

The Data Protection Act 2018 (DPA 2018) was enacted to modernise the UK’s data protection framework in response to technological advancements and privacy rights. These are:

  • Rapid technological advancements: The widespread adoption of the internet, social media, and cloud computing increased the volume and variety of personal data being processed. The Data Protection Act 1998 (DPA 1998) was no longer adequate to address the challenges of the digital age.
  • Introduction of the GDPR: The European Union’s General Data Protection Regulation (GDPR) set a new global standard for privacy rights and required the UK to update its laws to ensure compliance.

7 Data Protection Principles of The DPA 2018 

Lawfulness, fairness, and transparency

The revised first principle of DPA 2018 mandates that organisations and controllers work in a 100% transparency manner while seeking individuals for data collection, processing, and protection.
They must deliver the data collection purposes in clear and plain language to address the data subjects’ consent and individual rights regarding personal data collection.

Purpose limitation

This principle specifies that personal data must be used for the specific purpose for which the data subjects have given consent. The controller cannot use the data for processing outside the mentioned purpose.
Unlike GDPR, DPA 2018 only gives leniency to storing data beyond the defined data processing purpose in some cases, such as for historical, scientific, statistical, or archiving purposes.

Data minimisation

The DPA 2018 conditions collect the necessary, relevant, and not excessive amount of personal data for processing. The controller must not collect more data than they need. Article 5 (1) (c) of GDPR defines data minimisation as “adequate, relevant and limited to what is necessary about the purposes for which they are processed “.

Principles of data protection

Accuracy

The controllers must verify that the data they process and collect is accurate, not misleading, incomplete, or incorrect.
In any case, if the information is found inaccurate, the controller must consider steps, i.e., erase or correct the data as soon as possible.

Storage limitation

The Act makes it necessary for controllers not to keep personal data more than its requirement. They must notify the data subjects on how long they will hold the data.
If any requirements are completed before the retention time, the controller should destroy or erase the data. Controllers can only keep personal data for a long time if it is needed for statistics, scientific, historical, or research purposes.

Integrity and confidentiality (Security)

The sixth DPA 2018 principle, also known as the security principle, orders organisations and controllers to have security controls and measures to protect the confidentiality or integrity of stored and processed personal data so no one can alter or steal the data subjects’ information. Read more about the CIA triad (confidentiality, integrity, and availability) here.

Regarding data protection, the controller must implement controls to prevent

  • Unauthorised access to personal data
  • Unauthorised processing of personal data
  • Unlawful processing of personal data
  • Accidental destruction, damage or loss of personal data

Accountability

This principle is relatively new, in contrast to DPA 1998. With this newly added principle in DPA 2018, every organisation that stores or processes personal data must comply with regulatory obligations.
Controllers and businesses must design data protection principles to secure the use of personal data by UK citizens in accordance with the legislation.

Individuals can demand or access copies of their collected personal data and other information. This request is known as a simple SAR or Data Subject Access Request. We have covered this topic in detail in Article 15 – the Right of Access.

How to implement the Data Protection principles?

The Data Protection Act 2018 (DPA 2018) can feel daunting, especially for businesses. But fear not; it doesn’t have to be a minefield. Consider the rules to keep your customers’ information safe and build trust. Here’s the lowdown on how to implement the DPA 2018 effectively, with a focus on practical steps you can take:

1. Risk Assessment: Know Your Enemy

Before tackling any challenge, you need to understand the landscape. That’s where risk assessments come in.

  • Avoid guesswork: Don’t rely on gut feelings without doing actual work. Conduct thorough assessments to identify potential threats and vulnerabilities. Verify the assumptions about data breaches, leakages or accidental data losses.
  • Prioritise the threats: Focus on what matters most – the most serious ones should be the ones to think about first, followed by lesser prioritised threats.
  • Data protection is key: Ensure data protection is a central part of every risk assessment.

2. Gap Analysis 

The gap analysis exercise will help you find out gaps between the current situation and where your organisation should be. 

  • Compare your practices: Compare your current data handling practices with the requirements of the DPA 2018.
  • Find the gaps: Identify any shortcomings preventing you from achieving your objectives.  
  • Fix the problems: Create a plan to address the gaps you’ve identified. This plan could involve process, people, or tech controls requirements, such as new policies, improved security measures, or even staff training.

3. Tech It Up 

Optimum technological performance of your technology usage is your friend regarding data protection.

  • Authentication: Strong authentication mechanisms are the key to keeping unauthorised users out.
  • Encryption: Encrypting data in transit, data at rest, and data at the end of life is critical to protecting sensitive data.
  • Logging and Monitoring: Without adequate event logging, you can’t monitor what is happening or about to happen. Therefore, strong logging and monitoring controls are essential at various asset levels.
  • Regular check-ups are essential. Conduct regular security audits, such as yearly IT health checks and ongoing penetration tests, to find and fix any weaknesses. This will improve your cyber hygiene while advising your IT investments.

4. Policies and Procedures 

Clear rules are essential for any successful operation, and data protection is no exception.

  • Data handling: Develop comprehensive data protection policies and procedures that cover every aspect of data handling.
  • Educate: Make sure all staff (no exceptions) understand their data protection responsibilities.
  • Keep it updated: Regularly review and update your policies to reflect changes in technology and legislation.

5. Incident Response 

Security incidents are unwanted surprises. Your preparedness at the people, process, and technology levels defines your readiness.

  • Incident Response Plan: Develop an incident response plan that outlines how you’ll respond to a data breach, from identifying the problem to notifying affected individuals, regulatory bodies and law enforcement.
  • Drills: To test your plans and make improvements, run simulation drills in crisis and incident response plan-specific areas, including communications.
  • Learn from your mistakes: After a data breach (hopefully not!), conduct a thorough review to identify lessons learned and improve your future response.

6. The DPO

If you need to appoint a Data Protection Officer (DPO), use them to improve your policies and procedures first. These are important because people are replaceable, but processes and policies keep your organisational systems efficient.

  • Work closely with your DPO: Involve your DPO in all aspects of your data protection activities and give them the required support.
  • Seek their advice: Don’t hesitate to seek advice from your DPO on any data protection matters.

7. Ongoing validation of your work

Navigating the world of data protection can be challenging and you could easily be on a more efficient track if you validate your work. This means any security and privacy changes and controls must be validated to check their effectiveness. 

  • Don’t go it alone: Engage with experienced cybersecurity professionals to help you implement the DPA 2018 effectively.
  • Embrace the tech: Leverage cutting-edge solutions to enhance your data protection capabilities.

Complying with the DPA 2018 isn’t just about ticking boxes. It’s about building trust with your customers and protecting their information. By following these steps and taking a proactive approach to data protection, you can comply with the law and strengthen your overall security posture.

How to Monitor Data Protection Compliance?

An organisation must proactively monitor and stay compliant with the data protection regulatory and compliance requirements. The main areas to monitor in this area are:

1. Subprocessor Compliance

  • Understand your subprocessor relationships: If you utilise third-party service providers (subprocessors) to process personal data on your behalf (e.g., cloud storage, customer support), carefully review your contracts with these providers.
  • Monitor for changes: Regularly review subprocessor agreements for any changes to their data processing activities or compliance with data protection regulations.
  • Verify compliance: Ensure that your subprocessor agreements include robust data protection clauses that comply with applicable regulations.

2. Website Review

  • Maintain transparent privacy practices: Review your website regularly to ensure that your Privacy Policy and Terms of Service are clear and concise and comply with applicable data protection regulations.
  • Enable data subject rights: Ensure that your website provides individuals with easy access to their data subject rights, such as the right to access, rectify, or erase personal data.
  • Facilitate data subject requests: Establish and maintain clear procedures for handling data subject requests efficiently and effectively.

3. Monitor Enforcement Actions

  • Stay informed about enforcement trends: Monitor recent enforcement actions related to data protection. This can provide valuable insights into regulators’ areas of focus and help you identify potential risks within your organisation. Analyse enforcement actions to understand common compliance pitfalls and implement measures to mitigate these risks within your operations.

4. Track Regulatory Changes

  • Stay informed about legislative updates: Keep a close eye on any updates or amendments to data protection legislation.
  • Proactively adapt to changes: Review and update your data protection policies and procedures to respond proactively to any changes in legislation.

With a proactive approach, your organisation can maintain ongoing compliance with applicable data protection regulations, build trust with your customers, and minimise the risk of data breaches and regulatory penalties.

Data That Are Protected Under Data Protection Act & GDPR

Under the GDPR rights, data is classified into two categories, i.e., personal and sensitive personal data. Personal data is information that helps identify the person related to some degree of accuracy.
In contrast to GDPR breaches, sensitive personal information is information that, if disclosed or misused, can result in data theft or identity fraud. Both data and sensitive personal information need to be protected at all costs. However, to keep it secure, sensitive personal information requires an extra layer of security controls, such as encryption, password protection, etc.
Any organisation that uses or stores personal data (personal or sensitive personal data) must comply with the law and its rules.

GDPR Sensitive Data examples

Biometric data

This sensitive data includes individuals’ physical characteristics, such as fingerprints, DNA, hand geometry, facial patterns, retina and ear shape recognition, palm recognition, and iris scanning.

Health data

This is linked to an individual’s health condition and medical history, including health diagnosis information, disability data, medical insurance, fitness data, etc. See why data protection of sensitive health data is essential in health and social care.

Genetic data

This sensitive data is associated with inherited characteristics through DNA,  RNA, and chromosomal information analysis.

Individual data

Under GDPR, personal data includes sexual orientation, political views, cultural background, religion, race, and ethnicity.

Financial data

This involves individuals’ financial information, including credit card details, security codes, banking details, income statements, digital card pins, retained earnings, and cash flow.

Classified data

It includes any personal information classified explicitly for non-public disclosure or identifiable information.

Business-related data

Any information related to the business intellectual property, trade secrets, employees’ PII, financial accounts, etc., is sensitive data in the GDPR.

Web data

Any information that reveals an individual’s online identification, including location, IP address, cookies, and RFID tags.

Following the DPA is a technical and organisational requirement as per compliance. To abide by the law, you must follow the fundamental principles and notify the ICO about your activities because you will have to face legal challenges in minor glitches or security incidents.

Like GDPR data breach reporting, the Data Protection Act requires the controller to notify the ICO within 72 hours if personal data gets breached or accessed in any cyber attack.
Under the DPA 2018 compliance, the ICO can fine the controller up to 17m GBP or 4% of global turnover consistent with GDPR.

Another good source is the Data Protection Act 2018 article, written by BBC Bit-Size

What are the eight main principles of The Data Protection Act?

The eight data protection principles, also known as core privacy principles, of The Data Protection Act 1998 are outlined below: 

Principle 1 – Fair and lawful

The first data protection principle directs the controller to process data protection lawfully and fairly. This means that the controller must notify the data subject on how their data will be processed in accordance, why the information is being collected, and to whom it will be disclosed (if required). Unauthorised or unlawful processing of data is a violation of this principle. 

This act principle gives individuals the right to allow the organisation to rights data lawfully and fairly.

Principle 2 – Purpose

The collected data can only be processed fairly and lawfully for purposes. Any processing not justified or allowed by the subject’s general data protection cannot be held. The controller must inform the individual to obtain and process the data.

Principle 3 – Adequacy 

Personal data processing must meet the legitimate purposes defined and accepted by the controller and data subjects and remain used adequately. The controller must not collect excessive data and only contain concise, minimum, and required information. 

Principle 4 – Accuracy 

The collected personal data must be stored, processed in accordance, and kept accurate and up-to-date. The controller must check the data’s accuracy and not process any inaccurate data.

eight principles of the Data Protection Act 1998

Principle 5 – Retention

The fifth principle directs the controller not to keep more data than required. The controllers are limited to the use of data as long as there are requirements. They must not save the data for future use.

Principle 6 – Rights

The sixth principle has granted rights to the individual. The controller must follow the individuals’ liberty and allow the data subjects to access their data anytime.

Principle 7 – Security

The seventh principle makes the controller responsible for protecting the subject’s information. The Act requires the controller to maintain data integrity, confidentiality, and appropriate security in personal data collection and processing.

Principle 8 – International transfers 

The eighth and last principle forbids the controller from transferring personal data without the data subjects’ consent.

In addition, when sharing data outside the European Economic Area, the controller must ensure that the company or other controller protects personal data and maintains all the rights and principles defined by the DPA 1998.

Data Protection Best Practices to Follow

As a leading cyber security provider, Cyphere understands the importance of robust data protection that comes with a proactive approach to security and privacy. Here are some best practices to help your organisation safeguard sensitive information:

  • Implement Strong Access Controls: Limit access to sensitive data to authorised personnel only on a “need-to-know” basis. Use strong authentication mechanisms, such as passwords (or don’t in case of password-less sign-ins), multi-factor authentication (MFA), and role-based access controls.
  • Encrypt Data: Encrypt data in transit, at rest and at the end of life to protect it from unauthorised access and interception. Data at the end of life includes remnants on devices or other equipment being disposed of by suppliers. 
  • Conduct Regular Security Audits: Carry out regular internal and external security audits to identify and address any vulnerabilities across people, processes and technical controls. Cyphere’s security assessments can help you identify and mitigate these risks effectively – it’s not just risk identification; you need a solid plan to address those risks to ensure identification and mitigation are happening continuously.
  • Employee Training: Invest in a comprehensive data protection education programme to raise awareness about data security risks and best practices on an ongoing basis.
  • Incident Response Planning: Develop and regularly test a robust incident response plan to handle data breaches and other security incidents effectively. Cyphere can assist in developing and implementing an effective incident response plan, including tabletop exercises tailored to your specific needs.
  • Stay Informed: Stay updated on the latest data protection regulations, best practices, and emerging threats.
  • Basics such as secure asset management and change management workflows must undertake security threats into mind. This is an organisational change that must be accountable from the top and implemented through processes and policies supporting the security and privacy teams.  

Implementing these best practices and leveraging Cyphere’s expertise can significantly enhance your organisation’s data protection posture and build a strong foundation of trust with your customers and stakeholders.

Summary

The Data Protection Act 2018 (DPA 2018) is a crucial update to the UK’s data protection framework. It ensures that personal information is collected, used, and shared fairly, transparently, and securely. Here’s the breakdown:

  • Why the Update? Technological advancements and the introduction of GDPR necessitated revamping the older Data Protection Act 1998.
  • Key Changes: The DPA 2018 strengthens data subject rights, requires stricter organisation accountability, and aligns with the GDPR’s data protection principles.
  • What it Means for Businesses: Businesses must comply with the Act to avoid hefty fines and maintain customer trust.

This update emphasises the importance of data protection for businesses. As a security services provider, Cyphere helps businesses with GDPR penetration testing and other security compliance services. This allows organisations to identify the need for data protection measurements and facilities incorporating data privacy and security models according to business demands. 

Get in touch today to discuss your security & privacy concerns.

Good Security Practices Start With the Right Foundations

Explore actionable insights that help businesses map their attack surface and address exploitable risks ranked by real business impact.

Trusted by 150+ UK orgs

Related Reads

Join 1000+ subscribers getting the best tips on cybersecurity, security management, and more!

You may opt-out at any time. Read our privacy policy.

Get in touch

No salesy newsletters. View our privacy policy.

How "Defensible" is your firm compared to UK peers?

Most SMBs and mid-market firms have “silent” gaps in their people, process and tech controls implementation. Take the 90-second maturity audit to see your percentile rank.