The Data Protection Act 2018 (DPA) replaced the 1998 act on 25 May 2018. The General Data Protection Regulations (GDPR) apply to all EU member states. The DPA applies GDPR standards in the UK but also includes rules beyond the scope of GDPR.
The DPA governs the use and processing of personal data by businesses and other organisations. You will need to comply with the act if you use, hold, store or otherwise process personal data as part of your business, for example, because you hold customer details or details of employees.
What is personal data?
Personal data is defined very broadly and is any information about a living individual who is identified or who is identifiable. It includes information such as a name and address, bank details, and opinions expressed about an individual. It also includes things like identification number, IP addresses, location data or online identifiers.
Data protection principles
If you are processing personal information covered by the DPA you must comply with the entirety of the DPA and specifically with the following data protection principles. These require that:
- the processing of personal data must be lawful and fair
- the purpose for which personal data is collected must be specified, explicit and legitimate, and not be processed in a manner that is incompatible with the purpose for which it was collected
- personal data processed must be adequate, relevant and not excessive
- personal data processed must be accurate and, where necessary, kept up to date
- personal data processed must be kept for no longer than is necessary for the purpose for which it is being processed
- personal data must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures
Under GDPR, there is a new accountability principle which specifically requires you to take responsibility for complying with the principles and for the personal data that you process.
Under the Data Protection (Charges and Information) Regulations 2018, you may be required to pay a data protection fee to the Information Commissioner’s Office if you are processing personal data, unless you are exempt. Use the self-assessment tool on the ICO website to find out if you need to pay a fee to the ICO.