Rights, Obligations and Important Concepts

The UK’s Data Protection Act 2018 was developed not only to significantly update the DPA 1998 and make data protections fit for purpose in an increasingly digital world, but also to adopt a parallel set of principles to those laid out in the European Union’s General Data Protection Regulation (GDPR), which advanced and developed data protection standards across all EU nations.

As with the GDPR, the Data Protection Act was designed to do several things. Its primary purpose was to regulate more effectively the organisations that deal with personal data, and to establish greater and better-protected data rights for citizens.

What is the Data Protection Act?

Both the General Data Protection Regulation and the Data Protection Act legislate how organisations work with personal data. Whilst the GDPR affects both organisations and companies registered within the EU and any company which handles personal data collected within Europe, the DPA is an equivalent piece of legislation that enshrines many of the same rights and obligations to UK citizens and organisations respectively.

Important Concepts

In developing the DPA and the GDPR, both pieces of legislation defined some integral terms to help establish a clear understanding of the standards organisations must adopt.

Although far from an exhaustive list, below are explanations of some of the more important terms that all businesses should know; they will inform your understanding of how the Data Protection Act affects businesses.

Data Subject

Perhaps the most straightforward of the DPA’s essential terms, a data subject is the individual about whom a specific piece of data is collected.

Data Processor

Processing is the name given to any set of operations performed on personal data or data sets. These operations can be performed manually or through an automated system and include the collection, use, transmission, viewing, altering or deletion of the data or data sets. The ‘processor’ is the party responsible for carrying out said operations.

Data Controller

A data controller is a party or competent authority which, either alone or jointly “determines the purpose and means of the processing of personal data”. The same organisation could play the role of both processor and controller, yet in the case of distinct roles, responsibility is shared.

Personal Data

Technically speaking, personal data refers to any information relating to an identified or identifiable person (the data subject) that could be used, or could potentially be used, to identify an individual. As a rather broad term, this covers not only standard information such as name, age and address, but can apply to a whole variety of other information.

There also exists a more highly protected class of ‘special category’ personal data, which includes information pertaining to race, genetics, sexual preferences, biometrics and political beliefs.

Data Protection and Your Business

For many industries across the UK, ‘how does the Data Protection Act affect businesses?’ was the burning question of 2018. Data protection legislation applies to any information an organisation keeps on staff, customers or account holders, and will likely inform many elements of business operations, from recruitment and managing staff records to marketing or even the collection of CCTV footage.

Whilst there may be additional protections that need to be applied to special category information, personal data of all kinds must be adequately secured, accurate and up to date, whilst satisfying the rights of subjects.

Depending on the types of storage, processing or transportation that your business conducts upon personal data, at least some methods of encryption, segmentation and pseudonymisation will likely need to be applied, and specialist expertise should be sought if you’re unsure about any technical elements of these processes.

With regard to the technical specifics of compliance, the ICO and many other organisations provide detailed explanations of organisational obligations, as well as many other helpful resources for understanding both the GDPR and the DPA.

The Data Protection Fee

Under the Data Protection Act, any organisation processing personal information is now required, unless exempt, to pay a ‘data protection fee’ to the Information Commissioner’s Office. With over 600,000 organisations already registered to pay, the fee covers all types of data processing, including the use of CCTV for crime prevention purposes.

As well as publishing the names of fee-paying organisations, the ICO also makes public the names of (most) organisations it has had to fine. This is done to signal to an organisation’s customers, clients and suppliers its adherence to, and appreciation of, its legal obligations when processing personal information.

Typically costing somewhere in the region of £40 to £60 (up to £2,900), businesses can find out more, help reassure their customers, complete a self-assessment and avoid an ICO fine by visiting the Commissioner’s website and paying the fee there.

Information Security and the DPA

The Data Protection Act has brought the UK significantly forward in terms of data rights and obligations, as well as helping to promote information security as an issue that not only affects information technology professionals, but is also an important concern for all businesses that wish to avoid monetary, productivity and reputational damage.

Asking ‘how does the Data Protection Act affect businesses?’ is only one of the questions that businesses should be asking themselves. The reality is that the protection of data can extend far beyond what is legally enforced, and any organisation serious about developing a security-conscious culture should also be investing in the education and awareness of its staff.

A significant proportion of all information security incidents, such as data breaches and hacks, are the direct result of one weakness: human error. Whether through negligence or malice, millions of pounds a year are being lost to hackers, scammers and malicious insiders.

Despite the protections that adherence to legislation such as the DPA affords, and the necessity of that adherence, 77% of all UK workers have never received any form of information security training from their employer, a disappointing fact that makes the frequency of information security attacks unsurprising.