Data Protection, the DPA, and the EU GDPR
All organizations that collect, process or store personal information must comply with the Data Protection Act 1998 (DPA). Serious contraventions of the Act, including security failures that lead to a data breach, can attract fines of up to £500,000.
The DPA will soon be superseded by the EU General Data Protection Regulation (GDPR), which prescribes considerably greater penalties: up to 4% of annual global turnover or €20 million, whichever is higher.
All organizations that process EU residents' personal data, wherever those organizations are established, must comply with the GDPR from May 25, 2018.
To discuss your data protection requirements, call us on 1 877 317 3454.
Eight principles of the UK Data Protection Act
The DPA applies to all organizations in the UK that hold or process personal data. Though by no means the whole of the Act, Schedule 1 sets out eight data protection principles with which data controllers must comply.
These require that personal data:
is processed fairly and lawfully
is obtained only for specified and lawful purposes, and not further processed in any way incompatible with those purposes
is adequate, relevant, and not excessive for those purposes
is accurate and, where necessary, kept up to date
is not retained for longer than necessary
is processed in accordance with the rights of the individual (the data subject)
is protected by appropriate technical and organizational security measures
is not transferred outside the European Economic Area unless an adequate level of legal protection is ensured
Organizations found to be in serious breach of the DPA can be fined up to £500,000 by the Information Commissioner's Office (ICO).
The EU General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) will unify data protection law across the European Union, replacing the 1995 Data Protection Directive and the national laws (such as the DPA) that implemented it. It was adopted in April 2016 and will be enforced from May 25, 2018, when a single set of directly applicable rules will apply in all 28 EU member states.
The GDPR will introduce new rules on international data transfers, on documenting data processing activities, on performing data protection impact assessments (DPIAs) for high-risk processing, and on appointing data protection officers (DPOs) where the Regulation requires them. It will also require controllers to notify the relevant supervisory authority (in the UK, the Information Commissioner's Office) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk is high, the affected individuals must be informed as well.
BS 10012 is the British Standard for personal information management systems (PIMSs). It specifies the requirements for a PIMS and provides guidance on improving data protection. Because it takes a best-practice approach to the management of personal information, it supports compliance with existing law (including the DPA) and with new law (such as the GDPR) through a single management system.
Data protection and ISO 27001
ISO 27001, the international standard for best-practice information security management, specifies the requirements for an information security management system (ISMS); its companion code of practice, ISO 27002, gives implementation guidance for the security controls the ISMS selects. An ISMS is "a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives" (ISO/IEC 27000:2014).
The seventh principle of the DPA requires that “appropriate technical and organizational measures be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Research conducted by IT Governance revealed that the vast majority of data breaches reported to the ICO involved poor information security practices.
Article 42 of the GDPR (Certification) provides for data protection certification mechanisms, seals and marks, including a common certification, the European Data Protection Seal, issued through the national supervisory authorities or accredited certification bodies, as a means of demonstrating compliance with the Regulation. A certification does not, however, reduce a controller's or processor's own responsibility for compliance.
The ICO is currently developing its own privacy seal, which it "intends to meet the provisions of the Regulation." The seal should be "up and running in 2016," but data security should not wait until then.
ISO 27001 will help organizations protect their data assets and meet their compliance objectives now. The requirements of the privacy seals, many of which will likely already be covered by the Standard's controls, can then be incorporated into the wider management system as they become available.
IT Governance has over a decade’s experience helping organizations all around the world to implement and maintain integrated management systems that achieve multiple compliance certificates.