Data Protection, the DPA and the EU GDPR
Currently, all organisations in the UK that collect, process or store personal information must comply with the Data Protection Act 1998 (DPA), or face fines of up to £500,000 in the event of a data breach.
The DPA will soon be superseded by the EU General Data Protection Regulation (GDPR), which prescribes considerably greater penalties – up to 4% of annual global turnover or €20 million.
All organisations that process EU residents’ data must comply with the GDPR by 25 May 2018.
The eight principles of the DPA
The DPA applies to all organisations in the UK that hold or process personal data. Though by no means the whole of the act, Schedule 1 sets out eight principles with which organisations must comply.
This ensures that personal data:
Is treated fairly and lawfully;
Is obtained and processed only for specific and specified purposes;
Is adequate, relevant and not excessive;
Is accurate and up to date;
Is not retained for longer than necessary;
Is processed in accordance with the individual’s rights;
Is held with appropriate levels of security;
Is not transferred abroad without ensuring adequate levels of legal protection.
Organisations that are found to be in breach of the DPA can be fined up to £500,000 by the Information Commissioner's Office (ICO).
Is your organisation compliant with the DPA?
Our webshop also provides a comprehensive range of books and tools for achieving DPA compliance >>
The EU General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) will unify data protection laws in the European Union. It came into force on 24 May 2016 and will be enforced from 25 May 2018, when a single set of rules will apply to all 28 EU member states.
Among other stipulations, the GDPR introduces new rules on international data transfers, documenting data processing activities, performing data protection impact assessments (DPIAs) and appointing data protection officers (DPOs). It also mandates notifying the local data protection authority (in the UK, the Information Commissioner’s Office) within 72 hours of a breach’s discovery.
Click for more information on the GDPR >>
BS 10012 is the British Standard for personal information management systems (PIMSs), and provides guidance on improving data protection. BS 10012 specifies the requirements for a PIMS and allows quick compliance with existing acts (including the DPA) and new laws (such as the GDPR) because of its best-practice approach to the management of personal information.
Click for more information on BS 10012 >>
Data protection and ISO 27001
The international standard for best-practice information security management, ISO 27001, alongside its code of practice, ISO 27002, sets out the technical specifications of an information security management system (ISMS) – “a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives” (ISO/IEC 27000:2014).
The seventh principle of the DPA requires that “appropriate technical and organisational measures be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. Research conducted by IT Governance revealed that the vast majority of data breaches reported to the ICO involved poor information security practices.
According to the GDPR (Article 42: Certification), the European Data Protection Seal – a common certification scheme administered by the various national data protection authorities – will demonstrate compliance with the GDPR.
The ICO is currently developing its own privacy seal, which it “intends to meet the provisions of the Regulation”. The seal should be “up and running in 2016”, but data security should not wait till then.
ISO 27001 will help organisations protect their data assets and meet their compliance objectives now. The requirements for privacy seals – many of which will likely be covered by the Standard – can then be incorporated into the wider management system as they become available.
IT Governance has over a decade’s experience helping organisations all around the world to implement and maintain integrated management systems that achieve multiple compliance certificates.
Find out more about how to improve your information and data security here >>
To discuss your data protection requirements, call us on +44 (0)333 800 7000.