Data Protection Act – What is the Data Protection Act?
The Data Protection Act is a British law that governs the processing and handling of personal information.
Keep your financial data safe and secure with SumUp. Create invoices for free with SumUp Invoices.
More specifically, the term ‘Data Protection Act’ could refer to a number of different pieces of legislation with the name ‘Data Protection Act’. Each new piece of legislation was introduced in order to replace, update, and modernise the previous version of the DPA.
The main purpose of the Data Protection Act is to protect individuals from having their personal details misused or mishandled. The Data Protection Act does this in two ways:
By establishing rights for individuals
By creating responsibilities for businesses, organisations and the government and setting guidelines for the way they handle and store ‘personal data’
‘Personal data’ refers to information that identifies or is ‘obviously about’ about a specific individual; the Data Protection Act doesn’t cover anonymous or aggregated data.
The 1998 version of the Data Protection Act applied to personal data stored on a computer or in a filing system.
The DPA 1998 established eight core principles for the handling of personal data. These principles required personal data to be:
Processed fairly and lawfully
Processed only for specified, lawful, and compatible purposes
Adequate, relevant, and not excessive for the intended purposes
Accurate and up to date – individuals have the right to have inaccurate personal data corrected or destroyed
Kept for no longer than necessary
Processed in line with the rights of the individuals
Secured against accidental loss, destruction, or damage against unauthorised or unlawful processing
Not transferred outside the European Economic Area (EEA) unless there is adequate protection
The current version of the Data Protect Act was introduced in May 2018. One of the main features of the DPA 2018 was to put the standards outlined by the GDPR into British law.
However, the DPA 2018 also introduced a few additional changes that were not covered by the GDPR – primarily in areas that the EU doesn’t have authority over (such as immigration and security).
Virtually all small businesses and start-ups hold personal details of staff, customers, and suppliers – such as names, phone numbers, and bank details.
Any data that is stored on a computer or within a physical filing system must comply with the Data Protection Act, and as an entrepreneur, freelancer or small business owner, it’s your responsibility to make sure that you stick to the rules.
As a small business owner, you should handle data in accordance with the Data Protection Act's eight principles.
Although this might seem like a lot of work, compliance is essential if you want to avoid hefty fines. The eight principles also tend to overlap with good practice when it comes to the management and handling of personal information, such as keeping personal details up to date.
The Information Commissioner’s Office (ICO) has a useful webinar on data protection for small and medium-sized enterprises.
Since the UK left the EU in 2021, the EU GDPR doesn’t apply in the UK. However, the UK DPA 2018 has already brought similar legislation into UK law. Therefore, the UK DPA 2018 essentially merged the rules from the EU GDPR and is currently valid for UK sales.
UK businesses will need to update their GDPR documentation to be in line with the UK GDPR regulations.