
Data Protection and Data Protection Act (DPA) Compliance

Data protection is an issue that affects all organisations. As technology has permeated every facet of society and business, the incidence of hacking, data breaches and data loss has risen with it. It has never been more important for businesses to protect their critical assets and to ensure that their staff are aware of the role they play in data protection.

In the UK all organisations must comply with the Data Protection Act (DPA), and face stiff penalties if they breach it. Other countries have local equivalents of the DPA. On this page you can learn about data protection and compliance with the DPA.

The video below features IT Governance CEO Alan Calder speaking at the Privacy Laws & Business 23rd Annual International Conference about the relationship between data protection law and information systems.

Eight Principles of the UK Data Protection Act

The Data Protection Act 1998 (DPA) applies to all organisations in the UK. All organisations that hold or process personal data must comply with the requirements of the DPA. Though by no means the whole of the Act, Schedule 1 sets out eight principles with which organisations must comply.

These principles require that personal data:

  • is processed fairly and lawfully;
  • is obtained only for specified purposes;
  • is adequate, relevant and not excessive;
  • is accurate and up to date;
  • is not retained for longer than necessary;
  • is processed in accordance with individuals' rights;
  • is held with appropriate levels of security;
  • is not transferred abroad without ensuring adequate levels of legal protection.

Organisations that are found to be in breach of the DPA can be fined up to £500,000 by the Information Commissioner's Office (ICO).


Emerging data protection and privacy regulation

Around the world, data protection and privacy legislation is an increasingly important part of overall IT governance. It is in this field in particular that new laws are emerging on a regular basis. Many of these overlap, or contradict existing laws, and rarely come with detailed regulatory implementation guidance or meaningful case law.

The British standard BS10012, Personal Information Management System (PIMS), provides guidance on tackling this problem. BS10012 specifies the requirements for a PIMS; because it takes a best-practice approach to the management of personal information, it allows quick compliance with existing Acts (including the DPA) and with new laws as they emerge.

Key legislation for the UK, the United States, Canada and the EU includes the following:

  • In the UK: the Data Protection Act, the Human Rights Act, the Regulation of Investigatory Powers Act and various telecommunications, distance selling and anti-spam measures combine to make compliance a significant challenge for all organisations. In addition to the DPA, all private sector organisations are also obliged to comply with the Freedom of Information Act.

  • In the US: HIPAA, GLBA, SB 1386, OPPA, the Fair Credit Reporting Act (FCRA) and various State Breach Laws.

  • In Canada: PIPEDA.

  • In the EU: the Data Protection Directive (implemented slightly differently in each EU country), and the EU Safe Harbor regulations, which enable US companies to escape prosecution under EU regulations.


The Gramm-Leach-Bliley Act (GLBA), also known as the “Financial Services Reform Act of 1999”, requires US financial institutions to establish administrative, technical and physical information safeguards to ensure the confidentiality and integrity of customer records and information.

In order to comply with this federal mandate, institutions that are significantly engaged in financial activities are required to identify and assess security risks, plan and implement security solutions to protect sensitive information, and establish measures to monitor and manage security systems.

Section 501(b) of GLBA established the required high-level privacy and security requirements with which financial institutions must comply. The Federal Trade Commission (FTC) was authorised to implement it and issued Final Rule (16 CFR Part 314) in May 2002.

With a few exceptions, the effective date for financial institution compliance with the Final Rule was May 23, 2003 (with a two-year grandfathering of service contracts, until May 24, 2004).

In summary, the objectives of GLBA are to:

  • protect the security and confidentiality of customers’ non-public personal information;
  • institute administrative, technical, and physical safeguards;
  • protect against anticipated threats and hazards to information security;
  • protect against unauthorized access to or use of information;
  • establish a continuous risk-based information security program with:
    • board oversight;
    • assessment of threats and vulnerabilities;
    • risk management and controls;
    • training and testing;
    • vendor oversight;
    • monitoring, auditing, adjusting and reporting.


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (which took effect in 2003) is a set of federal standards that requires healthcare organisations (covered healthcare providers, health plans and healthcare clearinghouses) to implement security standards that protect (and keep up to date) patient data, and to standardise on electronic data interchange.

HIPAA was originally designed to speed the processing of medical claims by implementing certain standards for transmitting medical data. This of course raised information security concerns, so provisions were also made to protect the confidentiality of personal health information while in transit and while being stored.

The Administrative Simplification (AS) Provisions set out the specific rules that institutions must implement in order to comply with HIPAA. These include the rules for EDI, for electronic signatures and for privacy standards. While these provisions are technology-independent, any system of information security controls that a healthcare organisation implements will need to be integrated and comprehensive.

US State Breach Laws

Senate Bill 1386 (SB-1386), also known as the California Information Practice Act, was passed into law in July 2003. The primary purpose of the Bill was to force companies to think more seriously about information security and its impact on the residents of California. The law focuses on companies, primarily in the US but in reality throughout the world, and their need to protect the personal information of California residents.

SB-1386 requires any ‘state agency or entity’ holding personal data about customers (or employees) living in California, and that suffers a breach of security relating to any database that holds that personal information (unless the data is encrypted), to notify the entire class of customers where the security of even one of them may have been breached, however that breach occurred. The costs of communicating with every Californian on the database, in addition to the negative publicity and reputation damage for the organisation, are significant outcomes of a failure to establish a best-practice information security management system.

More than 35 states have now passed security breach laws similar to SB-1386. Companies that seek to avoid the penalties of compliance failure need to implement a comprehensive information security management system that protects the confidentiality, integrity and availability of individuals' data.
