Data Protection Act for Businesses
Rights, Obligations and Important Concepts
The UK’s Data Protection Act 2018 was developed not only to significantly update the DPA 1998 and make data protections fit for purpose in an increasingly digital world, but also to adopt a parallel set of principles to those laid out in the European Union’s General Data Protection Regulation (GDPR), which advanced data protection standards across all EU nations.
As with the GDPR, the Data Protection Act was designed to do several things. Its primary purpose was to more deftly regulate organisations that deal with personal data, and to establish greater and better-protected data rights for citizens.
What is the Data Protection Act?
Both the General Data Protection Regulation and the Data Protection Act legislate how organisations work with personal data. Whilst the GDPR affects both organisations and companies registered within the EU and any company which handles personal data collected within Europe, the DPA is an equivalent piece of legislation that enshrines many of the same rights and obligations to UK citizens and organisations respectively.
In developing the DPA and the GDPR, both pieces of legislation defined some integral terms to establish a clear understanding of the standards organisations must adopt.
Although far from an exhaustive list, below are explanations of the more important terms that all businesses should know, and that will inform your understanding of how the Data Protection Act affects businesses.
Perhaps the most straightforward of the DPA essential terms, a data subject is the individual about which a specific piece of data is collected.
Processing is the name given to any set of operations performed on personal data or data sets. These operations can be performed manually or through an automated system and include the collection, use, transmission, viewing, altering or deletion of the data or data sets. The ‘processor’ is the party responsible for said operations.
A data controller is a party or competent authority which, either alone or jointly, “determines the purpose and means of the processing of personal data”. The same organisation could play the role of both processor and controller; where the roles are distinct, responsibility is shared.
Technically speaking, personal data refers to any information relating to an identified or identifiable person (the data subject) that could be used, or potentially used, to identify an individual. As a rather broad term, this covers not only standard information such as name, age and address, but can apply to a whole variety of other information.
There also exists a more highly protected class of ‘special category’ personal data, which includes information pertaining to race, genetics, sexual preferences, biometrics and political beliefs.
Data Protection and Your Business
For many industries across the UK, “how does the Data Protection Act affect businesses?” was the burning question of 2018. Data protection legislation applies to any information an organisation keeps on staff, customers or account holders and will likely inform many elements of business operations, from recruitment and managing staff records to marketing and even the collection of CCTV footage.
Whilst there may be additional protections that need to be applied to special category information, personal data of all kinds must be adequately secured, accurate and up to date, whilst satisfying the rights of subjects.
Depending on the types of storage, processing or transportation that your business conducts upon personal data, at least some methods of encryption, segmentation and pseudonymisation will likely need to be applied, and specialist expertise should be sought if you’re unsure about any technical elements of these processes.
With regard to the technical specifics of compliance, the ICO and many other organisations provide detailed explanations of organisational obligations, as well as many other helpful resources for understanding both the GDPR and the DPA.
The Data Protection Fee
Under the Data Protection Act, any organisation processing personal information is now required, unless exempt, to pay a ‘data protection fee’ to the Information Commissioner’s Office. With over 600,000 organisations already registered to pay, the fee covers all types of data processing, including the use of CCTV for crime prevention purposes.
As well as publishing the names of fee-paying organisations, the ICO also makes public the names of (most) organisations it fines. Publication is intended to signal to an organisation’s customers, clients and suppliers that it understands and adheres to its legal obligations when processing personal information.
Typically costing somewhere in the region of £40 to £60 (up to £2,900), the fee can be paid on the Commissioner’s website, where businesses can also find out more, help reassure their customers, complete a self-assessment and avoid an ICO fine.
Information Security and the DPA
The Data Protection Act has brought the UK significantly forward in terms of data rights and obligations, as well as helping to promote information security as an issue that not only affects information technology professionals, but is also an important concern for all businesses that wish to avoid monetary, productivity and reputational damage.
Asking how the Data Protection Act affects businesses is only one of the questions that businesses should be asking themselves. The reality is that the protection of data can extend far beyond what is legally enforced, and any organisation serious about developing a security-conscious culture should also be investing in the education and awareness of its staff.
A significant proportion of all information security incidents, such as data breaches and hacks, are a direct result of one weakness: human error. Whether through negligence or malice, millions of pounds a year are being lost to hackers, scammers and malicious insiders.
Despite the protections that adherence to legislation such as the DPA affords, and the necessity of that adherence, 77% of all UK workers have never received any form of information security training from their employer. This is a disappointing fact that makes the frequency of information security attacks unsurprising.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.