Data Protection and Data Protection Act (DPA) Compliance

Data protection is an issue that affects all organisations. As technology permeates every facet of society and business, the incidence of criminal hacking, data breaches and data loss has increased.

All organisations in the UK must comply with the Data Protection Act 1998 (DPA), and face stiff penalties if they breach it. The DPA will be superseded by the EU General Data Protection Regulation (GDPR), which is expected to be adopted in late 2015 or early 2016.

To discuss your DPA requirements, call us on +44 (0) 0845 070 1750.

The video below features IT Governance CEO Alan Calder speaking at the Privacy Laws & Business 23rd Annual International Conference about the relationship between data protection law and information systems.

Eight principles of the UK Data Protection Act

The DPA applies to all organisations in the UK that hold or process personal data. Though by no means the whole of the act, Schedule 1 sets out eight principles with which organisations must comply.

These principles require that personal data:

  • is treated fairly and lawfully;
  • is obtained and processed only for specific and specified purposes;
  • is adequate, relevant and not excessive;
  • is accurate and up to date;
  • is not retained for longer than necessary;
  • is processed in accordance with the individual’s rights;
  • is held with appropriate levels of security;
  • is not transferred abroad without ensuring adequate levels of legal protection.

Organisations that are found to be in breach of the DPA can be fined up to £500,000 by the Information Commissioner's Office (ICO).

Emerging data protection and privacy regulation

Around the world, data protection and privacy legislation is an increasingly important part of overall IT governance. The EU General Data Protection Regulation (GDPR) is expected to be adopted by early 2016, and will unify all data protection laws in the European Union. A single set of rules will apply to all EU member states, and one data protection authority will be responsible for each company, depending on where it is based or which data protection authority it chooses (to be confirmed).

The British BS 10012 personal information management system (PIMS) standard provides guidance on improving data protection. BS 10012 specifies the requirements for a PIMS and allows quick compliance with existing Acts (including the DPA) and new laws because of its best-practice approach to the management of personal information.

Data protection and ISO 27001

The seventh principle of the DPA requires that “appropriate technical and organisational measures be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. Research conducted by IT Governance revealed that the vast majority of data breaches reported to the ICO involved poor information security practices.

ISO 27001, alongside its code of practice, ISO 27002, sets out the technical specifications of an information security management system (ISMS). An ISMS is “a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives” (ISO/IEC 27000:2014).

Find out more about how to improve your information and data security here.

Buy DPA toolkits

Data Protection Act Compliance Toolkit

Data Protection Compliance Report