Data Protection Act Responsibilities
The DPA and Principles of Data Protection
The UK’s Data Protection Act was introduced in 2018, absorbing the Europe-wide standards set out in the GDPR. As a much-needed update to the DPA 1998, the 2018 legislation was designed to address twenty years of technological development and the many significant changes not only in the value of personal data, but also in the ways it is used.
Across Europe, states each have their own official authorities which govern and enforce data protection legislation. In the UK it is the Information Commissioner that fulfils this role, and as such, can impose fines of up to 20 million Euros (equivalent in GBP) or 4% of an organisation’s total annual global turnover, for failures to comply.
The Data Protection Act 2018
The DPA and GDPR were introduced in 2018 to a great deal of excitement, with plenty of organisations quickly working to implement compliance solutions. Providing a great deal of guidance and support to UK organisations was the Information Commissioner’s Office (ICO), headed by Information Commissioner Elizabeth Denham.
Written into the General Data Protection Regulation was a degree of flexibility which allowed for EU states to adapt certain elements of the legislation to suit specific needs. These ‘derogations’ have allowed alterations to be made in its implementation into UK law in the form of the DPA 2018.
At the heart of the Data Protection Act are seven principles which outline the way in which organisations are now expected to embed high data protection standards as a fundamental consideration and priority within all personal data processing activities.
The Information Commissioner’s Office
As the independent official, the Commissioner’s mission is to "uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals". As the authority responsible for enforcing the Data Protection Act, the ICO has the ability to levy considerable penalties against organisations failing to comply with data protection law, though decisions made by the Commissioner are subject to appeal to an independent tribunal and the courts.
“Accountability encapsulates everything the GDPR is about”
Elizabeth Denham CBE, UK Information Commissioner
Originally formed in 1984, the ICO’s role has grown in significance and public prominence with the introduction of GDPR, and since then the ICO has investigated several high-profile cases of infringement of data protection law. Perhaps the most notable came in October 2018, when a fine of £500,000 was issued to the social media giant Facebook.
Handed down as a result of serious breaches of data protection law, the fine related to breaches that took place several years prior to the introduction of the GDPR, at a time when, under the DPA 1998, the maximum fine that could be issued was half a million pounds. Had the infringement taken place after the data protection update, the fine could have amounted to a whopping £1.7 billion.
Penalties and Fines for Breaching DPA
Failure to comply with the 2018 legislation can result in fines far more significant than those possible under the DPA 1998. Previously capped at £500,000, the ICO can now levy fines of up to 20 million Euros (the equivalent in sterling), or 4% of annual global turnover, whichever is higher.
The Data Protection Principles
Having established who is responsible for enforcing the Data Protection Act, it’s vital for all organisations that handle personal data to understand and incorporate the following seven principles into all relevant aspects of their processes and procedures.
- Lawfulness, fairness and transparency
Personal data must be processed lawfully, transparently and fairly. As well as abiding by law outside data protection, the purposes for processing data must be outlined to data subjects in a manner, and in language, that can be clearly, plainly and accurately understood, allowing individuals to give informed consent.
- Purpose limitation
The processing of personal data must be limited to the purposes initially outlined at the time of collection, and data cannot be processed in a manner incompatible with previously stated purposes. Though personal data may be processed further on grounds of public interest, scientific or historical research, or statistical purposes, this principle aims to ensure organisations aren’t processing personal data in ways data subjects haven’t agreed to.
- Data minimisation
Personal data must be adequate, relevant and limited to what is necessary for the intended processing. This principle essentially aims to ensure organisations are not collecting excessive personal data which is unnecessary for the stated processing purposes and is gathered merely with the intention of data hoarding.
- Accuracy
Personal data must be kept up to date, and reasonable measures must be taken to ensure data is accurate. Should personal data be known to be inaccurate, then that information should be either rectified or erased.
- Storage limitation
In line with this principle, personal data must be kept in a form which permits identification of data subjects for no longer than is strictly necessary for the purposes of processing, and data must not be retained on grounds that are not congruent with the other data protection principles.
- Integrity and confidentiality
The processing of data should be conducted in a way which ensures an appropriate degree of security, with organisations taking reasonable measures to protect against any breach of personal data. Both reasonable technical and organisational measures should be in place, including but not limited to: data segmentation, encryption and anonymisation.
- Accountability
As the central focus of the Data Protection Act as a whole, the accountability principle places the responsibility squarely upon organisations to handle personal data appropriately and lawfully, and also requires organisations to be able to demonstrate their compliance.
If you require further official advice and information regarding the Data Protection Act and data protection principles, the ICO’s website has a great deal of information available.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.