Who Regulates the Data Protection Act? Both becoming enforceable in 2018, since the introduction of the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR), a great deal has changed across Europe and the United Kingdom with regards to the handling of personal data.

Updating and revamping legislation written twenty years prior, GDPR has sought to bring data protection standards up to date by addressing two decades of technological and attitudinal development.

The Data Protection Act 2018 functions as the United Kingdom’s incorporation of the European-wide GDPR, and despite being largely similar, has its own specific elements under the provided derogations.

Who Regulates the Data Protection Act?

The regulation of the Data Protection Act is ultimately the responsibility of the UK Parliament, even prior to the UK’s withdrawal from the European Union that occurred on the 31st of January 2020. Though the Act complemented and incorporated the principles laid forth in the EU’s GDPR, it is with the same authority as any UK law, that the Parliament is responsible for its regulation.

Who Enforces the Data Protection Act?

Across Europe, each state is responsible for establishing its own enforcement authority. In the case of the UK, the independent body responsible for enforcing the Data Protection Act is the Information Commissioner’s Office (ICO), headed since 2016 by the Information Commissioner, CBE Elizabeth Denham.

What is the Data Protection Act?

Having been developed for several years prior, the General Data Protection Regulation came into effect across Europe in 2016. Becoming enforceable, alongside the Data Protection Act in May of 2018, these pieces of regulation govern how organisation’s handle personal data and what their responsibilities are to the data rights of individuals.

In the UK, the DPA 2018 replaced the DPA 1998. A largely similar piece of legislation, the DPA 1998 was developed at a time when the implications and importance of high data protection standards was perhaps less emphasised and recognised as it was by 2018. The ICO commenting, that with the ability to enforce the DPA 2018, the UK saw the biggest upgrade to data protection laws for a generation.

It is worth noting that under the DPA 1998, the greatest fine possible for offending parties was £500,000. Whereas under the GDPR and DPA 2018, it is possible for the ICO (and other European enforcement entities) to levy fines of up to 20 million Euros, or, depending on which is greater, 4% of global annual turnover from the previous year.

The Information Commissioner’s Office and Enforcement

The Information Commissioner, who regulates the Data Protection Act, has made it its mission to promote openness by public bodies, to uphold information rights and forward the data privacy of individuals.

In its capacity as the independent official enforcement body, the Information Commissioner’s Office has seen, with the introduction of the DPA 2018 and the GDPR, a distinct increase in its public visibility. As well as this, the ICO has also been responsible for an increasingly amount of highly publicised investigations.

Principles of the DPA and GDPR

Unlike its updated version, the DPA 1998 set forth eight key principles rather than the now seven principles. These following seven principles are designed to act as the fundamental tenets that inform how organisations think and behave regarding the protection of data.

The Seven Principles of Data Protection

Lawfulness, fairness and transparency

As well as the processing of data being lawful, this principle also seeks to ensure that any organisation gathering personal data does so in a way that is straightforward and transparent, i.e. explained to a user in an easily understood manner.

Purpose limitation

The processing of data should be limited to clearly stated and agreed upon purposes; as in personal data cannot be used for anything an organisation deems useful if the ‘data subject’ has not agreed to it.

Data minimisation

The amount or extent of data being collected and processed should be limited, to that which is adequate and/or relevant to the aforementioned purposes.


This straightforward and easily understood principle seeks to ensure that any personal data being held or processed by an organisation should be accurate, as well as organisation’s being responsible for updating or amending inaccurate information; or failing that recourse, the deletion of said personal data.

Storage limitation

This principle looks to restrict the extent to which organisations can keep hold of data beyond the time necessary for its intended purpose. As with the ‘purpose limitation’, regulation states that this principle is not intended to limit the processing of personal data under the grounds of public interest, scientific or statistical purposes, or for historical research.

Integrity and confidentiality

With the intention of ensuring the security of personal data, organisations are responsible for taking the appropriate measures to uphold the integrity and confidentiality of personal data. Thus, minimising the chances of personal data being breached. Both technological and physical controls should be implemented to ensure compliance.


Not previously covered within the eight principles of the DPA 1998, the accountability principle firmly places the responsibility of compliance upon all those working with personal data. Not only should organisations be compliant, but also be able to demonstrate their compliance with appropriate records.