Data Protection Act's Eight Principles

(And Why are There Now Only Seven?)

Having governed data protection within the UK for twenty years, the Data Protection Act (DPA) 1998 was updated in 2018 to incorporate a Europe-wide standard, whilst also address the many changes, developments and revolutions that had taken place in the world of personal data.

Though personal data was of course an important asset in 1998, by 2018, the landscape of data collection, handling and implications had radically altered and the many questions regarding individual data rights had firmly arrived into the mainstream.

Start trial icon

Training your employees on data protection?

We can help you get started - let's have a chat.

Book a Meeting

With so many high-profile data breaches, many of which affecting millions of individuals, governments around the world have been forced to address the existing holes within legislation, whilst strengthening and extending the control consumers have over their own information, and approaching the subject of data protection in a more holistic manner.

Now, after the introduction of the General Data Protection Regulation and the DPA 2018, those asking: ‘what are the eight principles of the Data Protection Act? may have a little catching up to do. Luckily, as security awareness training company we’re here to help fill you in.

How Has DPA Changed?

Under the UK’s DPA 1998, eight data protection principles existed at the centre of this regulation. By 2018 these principles were developed further by the European Union’s GDPR and made a part of UK law within the Data Protection Act 2018.

With a great deal of cross-over between the DPA 1998 and 2018, much of the current regulation regarding data protection is greatly similar to the previous laws. Below we can see how these previous eight principles of data protection have been incorporated and developed by the GDPR, and what, if any, their equivalents and differences are.

What are the Eight Principles of the Data Protection Act?

 1998 Act GDPR 
Principle 1 – fair and lawfulPrinciple (a) – lawfulness, fairness and transparency
Principle 2 – purposesPrinciple (b) – purpose limitation
Principle 3 – adequacyPrinciple (c) – data minimisation
Principle 4 – accuracyPrinciple (d) – accuracy
Principle 5 - retentionPrinciple (e) – storage limitation
Principle 6 – rightsNo principle – separate provisions in Chapter III
Principle 7 – securityPrinciple (f) – integrity and confidentiality
Principle 8 – international transfersNo principle – separate provisions in Chapter V
(no equivalent)Accountability principle

Though there is a great amount of similarity between both the DPA 1998 and the incorporation of the GDPR into UK law, to best understand where companies and organisation stand within the British context, and to a lesser extend the Europe as a whole, it’s worth taking a closer look at the current seven principles.

Seven Principles of Data Protection

Having looked at the changes from the DPA 1998 to the 2018 legislation, it’s worth noting that these following seven principles are designed to be the foundation upon which organisation should build all their data protection practices. Now, it is vital that all organisations dealing with personal data, understand and abide by these increasingly universal data protection principles.

  1. Lawfulness, fairness and transparency

As well as continuing the Data Protection standard/principle of lawfulness and fairness, this new standard also seeks to ensure that users can understand what it is there are signing up to when they hand over personal data. This principle requires that organisations use language that is ‘clear, plain and accurate’ as to what a data subject is consenting to, thus helping to ensure the data rights and legal protections.

  1. Purpose limitation

This principle stipulates that personal data, which is collected for a specific, previously stated and understood purpose, must not then be used for other applications. Though the GDPR states that this principle of purpose limitation is not incompatible with processing under grounds of public interest, scientific or statistical purposes or for historical research, it limits the extent to which organisations can ‘multi-purpose’ personal data.

  1. Data minimisation

Ensuring that the extent or amount of data collected and/or processed is adequate, relevant and limited to the intended purpose, the principle of data minimisation is to curtail any organisation seeking to effectively hoard data without a clear rationale.

  1. Accuracy

Not exactly representing a significant step forward in data protection, and present within the DPA 1998, this principle makes organisation responsible for either updating inaccurate information or getting rid of it.

  1. Storage limitation

Like the preceding ‘retention’ principle, storage limitation restricts organisations from keeping hold of data for indefinite periods of time, or beyond that of its intended purpose. Again, purposes of public interest, archiving, scientific or historical research or statistics may act as reasons for an organisation retaining personal data, but these reasons must be justifiable and documented.

  1. Integrity and confidentiality

Previously known as the ‘security’ principle, integrity and confidentiality of personal data must be upheld with the appropriate security measures. As with many of the other principles, there is an inherent responsibility to implement both physical and technological controls to ensure compliance.

  1. Accountability

With no previous principle within the DPA 1998, the accountability principle requires organisations to take responsibility for the personal data being handled and their compliance with the other six principles. Appropriate measures and records are also required to be in place as to demonstrate compliance.

Start trial icon

Try our GDPR Training for Free!

Start Now

International Transfer of Data (Principle 8 of the DPA 1998)

Previously included as a principle of the DPA 1998, within the GDPR and the DPA 2018 the stipulations regarding the international transfer of data are not included as a key ‘principle’. Detailed within Chapter 5 of the GDPR, the transfer of personal data to countries or organisations outside of the direct jurisdiction of the GDPR are sufficiently compliant with the standards laid forth by the legislation.

All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”

More information relating to how Chapter 5 of the GDPR has been incorporated into the UK’s Data Protection Act is provided by the Information Commissioner’s Office.

Individual Rights

As well as developing and advancing the principles surrounding data protection, both the GDPR and DPA 2018 forward the individual rights of citizens and their respective personal data.

The GDPR provides the following corresponding rights for individuals:

  1. The right to be informed

Both data processors and controllers are now obliged to provide information to data subjects about the personal data being collected, how it is going to be used, who it will be shared with, for how long it will be kept and the purpose of its processing.

  1. The right of access

With request, individual data subjects are entitled to confirmation that their data is being processed, access to that data as well as further information regarding any automated decision making, or the envisioned period of retention.

  1. The right to rectification

With its corresponding principle in ‘accuracy’, data subjects hold the right to have personal data rectified should it be either inaccurate or incomplete.

  1. The right to erasure

Also known as ‘the right to be forgotten’, this right allows data subjects to request the removal or deletion of data in the eventuality there is no compelling reason for its continued processing or availability. This right may in some circumstances also obligate, for instance, a search engine company to remove certain results, or limit their discoverability.

  1. The right to restrict processing

Processing is any operation performed on personal data. This includes using, viewing, altering or deleting the data. Individuals may block or suppress processing of personal data for the following reasons: Inaccurate data, the unlawful processing of that data or a pending objection to processing the data by the data subject

  1. The right to data portability

Allowing individuals to obtain and reuse their personal data across different services, this right means an individual’s data should be available in a commonly used machine-readable format, in a way which allows data not to be constantly resubmitted.

  1. The right to object

Allowing individual to object (for certain reasons) to the processing of their personal data, as well as obliging organisations to inform individuals of this right at the time of first communication.

  1. Rights in relation to automated decision making and profiling.

One of the more detailed and technical rights afforded under the GDPR, among other things, entitles individuals either opt out of automated decision-making processes, challenge decisions, and/or have automated decisions reviewed by a human.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.


Hut Six Staff Snippets: Encouraging a Secure Culture

Hut Six Staff Snippets: Encouraging a Secure Culture - Hut Six

Kayleigh talks about her favourite Information Security tutorial, Encouraging a Secure Culture, which explains the importance of building a secure culture.

Remote Work - the New Normal?

The Age of Remote Work

4 Key Information Security Risks for remote work during lockdown. Blog from Information Security Awareness training provider Hut Six Security.

Top 10 Essential Information Security Awareness Training Topics for Employees

Top 10 Essential Security Awareness Training Topics - Hut Six

Top Cyber Security Awareness Training Topics · Phishing · Web Safety · Passwords · Malware · Mobile Devices · Wi-Fi · Social Engineering · Encryption · Backups · Sensitive Information.

Data Protection Act Responsibilities

Who is Responsible for Enforcing the Data Protection Act?

Who is Responsible for Enforcing the Data Protection Act? Information security awareness blog by Information Security training provider Hut Six Security

Hut Six Staff Snippets: Social Media and Privacy

Hut Six Staff Snippets: Social Media and Privacy - Hut Six

Priya, our Customer Success Specialist, talks about her favourite tutorial, Social Media & Privacy, which explains the dangers of social media sites and how to stay safe.

Data Protection Act Exemptions

Are There Any Exemptions to the Data Protection Act?

Are there any exemptions to the Data Protection Act? Blog by Information Security Awareness Training provider Hut Six Security.

Hut Six Staff Snippets: Assessing your Risk

Hut Six Staff Snippets: Assessing your Risk - Hut Six

Simon Fraser, our Managing Director, talks about his favourite tutorial, Assessing your Risk, which explains how businesses can assess the likelihood of a security risk occurring

Tech Nation Cohort Member - Hut Six

Hut Six Announces Tech Nation Cyber Membership

Hut Six are pleased to announce membership to Tech nation Cyber, the UK's national scale-up program for all things cyber and tech. Blog by Hut Six Security.

Hut Six Staff Snippets: Encryption

Hut Six Staff Snippets: Encryption - Hut Six

Pratteek Bathula, our Product Director, talks about his favourite tutorial, Encryption, which explains the principle of encryption and how it is used to keep your information safe.

Hut Six Staff Snippets: Password Security

Hut Six Staff Snippets: Password Security - Hut Six

Technical Director Dan walks us through the password security tutorial. New video from Information Security Awareness Training Provider Hut Six Security

Speak to us about your Cyber Awareness