Data Protection Act Regulators
Who Regulates the Data Protection Act? Both becoming enforceable in 2018, since the introduction of the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR), a great deal has changed across Europe and the United Kingdom with regards to the handling of personal data.
Updating and revamping legislation written twenty years prior, GDPR has sought to bring data protection standards up to date by addressing two decades of technological and attitudinal development.
The Data Protection Act 2018 functions as the United Kingdom’s incorporation of the European-wide GDPR, and despite being largely similar, has its own specific elements under the provided derogations.
Who Regulates the Data Protection Act?
The regulation of the Data Protection Act is ultimately the responsibility of the UK Parliament, even prior to the UK’s withdrawal from the European Union that occurred on the 31st of January 2020. Though the Act complemented and incorporated the principles laid forth in the EU’s GDPR, it is with the same authority as any UK law, that the Parliament is responsible for its regulation.
Who Enforces the Data Protection Act?
Across Europe, each state is responsible for establishing its own enforcement authority. In the case of the UK, the independent body responsible for enforcing the Data Protection Act is the Information Commissioner’s Office (ICO), headed since 2016 by the Information Commissioner, CBE Elizabeth Denham.
What is the Data Protection Act?
Having been developed for several years prior, the General Data Protection Regulation came into effect across Europe in 2016. Becoming enforceable, alongside the Data Protection Act in May of 2018, these pieces of regulation govern how organisation’s handle personal data and what their responsibilities are to the data rights of individuals.
In the UK, the DPA 2018 replaced the DPA 1998. A largely similar piece of legislation, the DPA 1998 was developed at a time when the implications and importance of high data protection standards was perhaps less emphasised and recognised as it was by 2018. The ICO commenting, that with the ability to enforce the DPA 2018, the UK saw the biggest upgrade to data protection laws for a generation.
It is worth noting that under the DPA 1998, the greatest fine possible for offending parties was £500,000. Whereas under the GDPR and DPA 2018, it is possible for the ICO (and other European enforcement entities) to levy fines of up to 20 million Euros, or, depending on which is greater, 4% of global annual turnover from the previous year.
The Information Commissioner’s Office and Enforcement
The Information Commissioner, who regulates the Data Protection Act, has made it its mission to promote openness by public bodies, to uphold information rights and forward the data privacy of individuals.
In its capacity as the independent official enforcement body, the Information Commissioner’s Office has seen, with the introduction of the DPA 2018 and the GDPR, a distinct increase in its public visibility. As well as this, the ICO has also been responsible for an increasingly amount of highly publicised investigations.
Principles of the DPA and GDPR
Unlike its updated version, the DPA 1998 set forth eight key principles rather than the now seven principles. These following seven principles are designed to act as the fundamental tenets that inform how organisations think and behave regarding the protection of data.
The Seven Principles of Data Protection
Lawfulness, fairness and transparency
As well as the processing of data being lawful, this principle also seeks to ensure that any organisation gathering personal data does so in a way that is straightforward and transparent, i.e. explained to a user in an easily understood manner.
The processing of data should be limited to clearly stated and agreed upon purposes; as in personal data cannot be used for anything an organisation deems useful if the ‘data subject’ has not agreed to it.
The amount or extent of data being collected and processed should be limited, to that which is adequate and/or relevant to the aforementioned purposes.
This straightforward and easily understood principle seeks to ensure that any personal data being held or processed by an organisation should be accurate, as well as organisation’s being responsible for updating or amending inaccurate information; or failing that recourse, the deletion of said personal data.
This principle looks to restrict the extent to which organisations can keep hold of data beyond the time necessary for its intended purpose. As with the ‘purpose limitation’, regulation states that this principle is not intended to limit the processing of personal data under the grounds of public interest, scientific or statistical purposes, or for historical research.
Integrity and confidentiality
With the intention of ensuring the security of personal data, organisations are responsible for taking the appropriate measures to uphold the integrity and confidentiality of personal data. Thus, minimising the chances of personal data being breached. Both technological and physical controls should be implemented to ensure compliance.
Not previously covered within the eight principles of the DPA 1998, the accountability principle firmly places the responsibility of compliance upon all those working with personal data. Not only should organisations be compliant, but also be able to demonstrate their compliance with appropriate records.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
Dating App Leak, Norwegian Tracing App and Security Camera Flaw – Infosec Round-Up, June 19th, 2020
NHS phishing attack sees email accounts compromised as part of an attack targeting a wide range of organisations Blog by Hut Six Security.
Who Enforces the Data Protection Act? Principles, Protections and Penalties. Blog by Information Security Awareness Training provider Hut Six Security.
Tax Refund Scams, Zoom Encryption and Fake Ransomware Decryptor – Infosec Round-Up, June 12th, 2020
How Secure is your Password Process? Password security blog from Information Security Awareness Training provider Hut Six Security.
Who Does the Data Protection Act Apply to? Blog by Information Security Awareness Training and phishing simulator provider Hut Six Security
REvil Ransomware, Apple Bug Bounty & UK Gov Contact Tracing – Infosec Round-Up, June 5th 2020
What Social Engineering Methods do attackers use to get your personal information? Blog by Information Security Awareness Training provider Hut Six Security
What Year Was the Data Protection Act Introduced? Blog by Information Security Awareness Training provider Hut Six Security.
GitLab Phishing, Red Cross Cybersecurity, and easyJet Lawsuit - Infosec Round Up, May 29th 2020