The 8 principles of The Data Protection Act & GDPR

Data Protection Act 1998


Today, data protection has become a paramount concern for individuals, businesses, and organisations alike. The United Kingdom has long been at the forefront of safeguarding personal data, with the Data Protection Act 1998 serving as a cornerstone of its efforts. This groundbreaking legislation introduced eight fundamental principles that set the standard for fair and lawful data processing. However, as technology advanced and the need for more robust protection grew, the Act underwent a significant overhaul, resulting in the implementation of the Data Protection Act 2018.

In this article, we will cover these core topics:

  • The 8 Principles of the Data Protection Act 1998: We’ll break down the core principles that guided data protection in the UK and their lasting impact.
  • Why a New Law Was Needed: We’ll discuss the technological changes and EU’s GDPR that made an update to the law essential.
  • The Key Changes in the Data Protection Act 2018: We’ll outline the most important updates, how they align with the GDPR, and how they affect UK businesses.

By the end of this article, you will have a comprehensive understanding of the evolution of data protection laws in the UK, the importance of staying compliant, and the role that the Data Protection Act 2018 plays in safeguarding the personal data of individuals in the digital age.

🔥Let’s get started.

What is the Data Protection Act?

The Data Protection Act is a crucial piece of legislation in the United Kingdom that governs personal data handling, processing, and storage. It sets out the legal framework for data protection, ensuring that individuals’ personal information is collected, used, and shared in a fair, transparent, and secure manner.

The Act applies to any organisation or individual that processes personal data, including businesses, government bodies, and charities. Personal data is defined as any information that can be used to identify a living person, such as their name, address, email, phone number, or even their IP address.

The primary objective of the Data Protection Act is to give individuals control over their personal data and to protect their privacy rights. It does so by imposing obligations on organisations that process personal data, requiring them to handle the information responsibly and securely. 

This is achieved by:

  • Requiring organisations to handle personal data responsibly and securely.
  • Making sure data is collected with consent and used only for specific purposes.
  • Keeping data accurate and protected from unauthorised access.

The Act also grants individuals certain rights in relation to their personal data, such as the right to access the information held about them, the right to have inaccurate data corrected, and the right to object to the processing of their data in certain circumstances.

What are the 8 main principles of The Data Protection Act?

The eight data protection principles, also known as core privacy principles, of The Data Protection Act 1998 are outlined below: 

Principle 1 – Fair and lawful

The first data protection principle directs the controller to process personal data lawfully and fairly. This means the controller must inform the data subject how their data will be processed, why the information is being collected, and to whom it will be disclosed (if required). Unauthorised or unlawful processing of data is a violation of this principle.

This principle gives individuals the right to decide whether the organisation may process their data, and to have that processing carried out lawfully and fairly.

Principle 2 – Purpose

Collected data may only be processed fairly and lawfully for specified purposes. Any processing that is not justified or permitted under the data subject's data protection rights is not allowed. The controller must inform the individual before obtaining and processing the data.

Principle 3 – Adequacy 

Personal data processing must serve the legitimate purposes defined and accepted by the controller and the data subjects, and the data must remain adequate for those purposes. The controller must not collect excessive data; the data held must be concise, minimal and limited to what is required.

Principle 4 – Accuracy 

Collected personal data must be stored and processed appropriately and kept accurate and up to date. The controller must check the data's accuracy and must not process inaccurate data.


Principle 5 – Retention

The fifth principle directs the controller not to keep more data than required. Controllers may use the data only for as long as a requirement exists; they must not retain data for unspecified future use.

Principle 6 – Rights

The sixth principle grants rights to the individual. The controller must respect those rights and allow data subjects to access their data at any time.

Principle 7 – Security

The seventh principle makes the controller responsible for protecting the data subject's information. The Act requires the controller to maintain the integrity and confidentiality of personal data and to apply appropriate security to its collection and processing.

Principle 8 – International transfers 

The eighth and last principle forbids the controller from transferring personal data without the data subjects’ consent.

In addition, when sharing data outside the European Economic Area, the controller must ensure that the receiving company or other controller protects the personal data and upholds all the rights and principles defined by the DPA 1998.

Which principle is added to the GDPR that does not apply to the DPA?

International data transfer is not included as a critical principle in the DPA. 

You might ask…

Did GDPR replace DPA?

Yes, GDPR is Europe’s new data protection law that replaced the data protection directive from 1995. 

Need for the Data Protection Act 2018

The Data Protection Act 2018 (DPA 2018) was enacted to modernise the UK's data protection framework in response to technological advancements and evolving privacy rights. The main drivers were:

  • Rapid technological advancements: The widespread adoption of the internet, social media, and cloud computing increased the volume and variety of personal data being processed. The Data Protection Act 1998 (DPA 1998) was no longer adequate to address the challenges of the digital age.
  • Introduction of the GDPR: The European Union’s General Data Protection Regulation (GDPR) set a new global standard for privacy rights and required the UK to update its laws to ensure compliance.

Key Changes Made in The Data Protection Act 2018

The Data Protection Act 2018 introduced several key changes to align with the GDPR and modernise the UK’s data protection framework. These changes aimed to enhance individuals’ privacy rights, increase organisational accountability, and provide a more comprehensive approach to data protection.

Key Changes:

  1. Expanded scope: The Act applies to all organisations processing personal data, regardless of their size or sector, ensuring a more uniform approach to data protection.
  2. Strengthened consent requirements: Organisations must obtain explicit, freely given, and informed consent before processing personal data, giving individuals greater control over their information.
  3. Enhanced rights for individuals: The Act introduced new rights, such as the right to data portability and the right to erasure (also known as the right to be forgotten), empowering individuals to manage their personal data more effectively.
  4. Increased penalties for non-compliance: Organisations found in breach of the Act can face fines of up to €20 million or 4% of their annual global turnover, whichever is higher, emphasising the importance of compliance.
  5. Data Protection Officers (DPOs): Certain organisations, such as public authorities and those engaged in large-scale data processing, are required to appoint DPOs to oversee their data protection practices.

Compliance with GDPR:

The Data Protection Act 2018 was designed to be read in conjunction with the GDPR, ensuring that the UK’s data protection laws are fully compliant with the EU’s regulations. This alignment is crucial for maintaining the free flow of data between the UK and the EU, which is essential for businesses operating in both jurisdictions.

The Act incorporates the GDPR’s key principles, such as data minimisation, purpose limitation, and storage limitation, while also providing additional clarity and guidance on how these principles should be applied in the UK context. By closely mirroring the GDPR, the Data Protection Act 2018 ensures that organisations processing personal data in the UK are meeting the highest standards of data protection.

How many principles are there in the Data Protection Act 2018?

The Data Protection Act of 2018 consists of seven principles.

Though many organisations may not have changed their practices, it is vital now, in 2021, that all understand and abide by these increasingly universal data protection principles.

The DPA 1998 has been updated to the 2018 legislation, with seven principles designed as a foundation for organisations' privacy policies.

7 Data Protection Principles of The DPA 2018 


Lawfulness, fairness, and transparency

The revised first principle of the DPA 2018 requires organisations and controllers to act with full transparency when approaching individuals for data collection, processing and protection.
They must state the purposes of data collection in clear and plain language so that data subjects can give informed consent and exercise their individual rights over their personal data.

Purpose limitation

This principle specifies that personal data must be used only for the specific purpose for which the data subjects have given consent. The controller cannot process the data for any purpose beyond the one stated.
Unlike the GDPR, the DPA 2018 only allows data to be stored beyond the defined processing purpose in limited cases, such as for historical, scientific, statistical or archiving purposes.

Data minimisation

The DPA 2018 requires controllers to collect only personal data that is necessary, relevant and not excessive for the processing. The controller must not collect more data than it needs. Article 5(1)(c) of the GDPR defines data minimisation as "adequate, relevant and limited to what is necessary about the purposes for which they are processed".

Accuracy

Controllers must verify that the data they collect and process is accurate and not misleading, incomplete or incorrect.
If, at any stage, information is found to be inaccurate, the controller must take steps to erase or correct it as soon as possible.

Storage limitation

The Act requires controllers not to keep personal data for longer than it is needed. They must tell data subjects how long they will hold the data.
If the purpose is fulfilled before the retention period ends, the controller should destroy or erase the data. Controllers may keep personal data for a longer period only if it is needed for statistical, scientific, historical or research purposes.

Integrity and confidentiality (Security)

The sixth DPA 2018 principle, also known as the security principle, requires organisations and controllers to have security controls and measures in place to protect the confidentiality and integrity of stored and processed personal data, so that no one can alter or steal the data subjects' information. Read more about the CIA triad (confidentiality, integrity and availability).

Regarding data protection, the controller must implement controls to prevent:

  • Unauthorised access to personal data
  • Unauthorised processing of personal data
  • Unlawful processing of personal data
  • Accidental destruction, damage or loss of personal data

Accountability

This principle is relatively new compared with the DPA 1998. With this principle added in the DPA 2018, every organisation that stores or processes personal data must demonstrate compliance with its regulatory obligations.
To meet the legislation, controllers and businesses must design their data protection practices around these principles to secure UK citizens' personal data.

Individuals can request copies of the personal data collected about them and other related information. This request is known as a Subject Access Request (SAR) or Data Subject Access Request. We have covered this topic in detail in Article 15 – the Right of Access.

What are the eight pieces of sensitive personal data as classified by GDPR?

Under the GDPR, data is classified into two categories: personal data and sensitive personal data. Personal data is information that identifies a person to some degree of accuracy.
Sensitive personal data, by contrast, is information that, if disclosed or misused, can result in data theft or identity fraud. Both categories must be protected, but sensitive personal data needs an extra layer of security controls, such as encryption and password protection, to keep it secure.
Any organisation that uses or stores personal data (personal or sensitive personal) must comply with the law's rules and compliance requirements.

GDPR Sensitive Data examples

Biometric data

This sensitive data covers individuals' physical characteristics, such as fingerprints, DNA, hand geometry, facial patterns, retina and ear shape recognition, palm recognition, iris scans, etc.

Health data

This is linked to an individual’s health condition and medical history, including health diagnosis information, disability data, medical insurance, fitness data, etc. See why data protection of sensitive health data is essential in health and social care.

Genetic data

This sensitive data relates to inherited characteristics revealed through the analysis of DNA, RNA and chromosomal information.

Individual data

In the scope of GDPR, individual personal data includes sexual orientation, political views, cultural background, religion, race and ethnicity, etc.

Financial data

This covers individuals' financial information, such as credit card details, security codes, banking details, income statements, digital card PINs, retained earnings, cash flow, etc.

Classified data

This includes any personal information explicitly classified for non-public disclosure, or other identifiable information.

Business-related data

Any information related to business intellectual property, trade secrets, employees' PII, financial accounts, etc., is treated as sensitive data under the GDPR.

Web data

Any information that reveals an individual's online identity, including location, IP address, cookies, RFID tags, etc.

Complying with the DPA is both a technical and an organisational requirement. To abide by the law, you must follow the fundamental principles and notify the ICO about your processing activities, because even minor lapses or security incidents can lead to legal challenges.

Like GDPR data breach reporting, the Data Protection Act requires the controller to notify the ICO within 72 hours if personal data is breached or accessed in a cyber attack.
Under the DPA 2018, the ICO can fine the controller up to 17m GBP or 4% of global turnover, consistent with the GDPR.

Another good source is the Data Protection Act 2018 article on BBC Bitesize.

Conclusion

If you are unsure whether your business is required to meet the legislation, seek advice from the ICO or an independent professional.
As a security services provider, Cyphere helps businesses with GDPR penetration testing and other security compliance services. This allows organisations to identify the data protection measures they need and to incorporate data privacy and security models that fit their business demands.

Get in touch today to discuss your security & privacy concerns.


Shahrukh Mirza

Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.
