What is DPA?

Need to understand what DPA is? An overview of the main things you need to know can be found here.

Top 5 DPA Compliance Challenges
DPA 10 Tips for Preventing Fines
Need some help?

Speak to an expert. Contact our "Factory Foreman" and he can answer any questions you may have.

Call us at: 0800 978 8139

In a nutshell:

DPA refers to the 1998 Data Protection Act which was passed by Parliament to establish a minimum baseline for companies to ensure the protection of the information they process and give legal rights to people who have information stored about them.

Information businesses may collect on their customers (or potential customers) can be personal and as such may need to be kept confidential. People want to keep their pay, bank details, and medical records private for instance and away from the view of just anybody. If someone who is not entitled to see this information can obtain access without that person’s permission it is unauthorised access. The DPA sets up rules to prevent this happening. 

The DPA recognises two types of information: “Personal Identifiable Information (PII) and “Sensitive Personal Identifiable Information(SPII). PII about customer (data subject) could be: their name, date of birth, height, weight, driver’s license number, street address, telephone number, email address etc,. SPII on the other hand is a customer’s racial or ethnic origin, medical records, political or religious beliefs, sexual preference as well as their financial, credit or debit card details. Generally speaking there are fewer safeguards required for PII than there are for SPII. In most cases a person must be asked specifically if SPII can be kept about them.

The DPA establishes 8 Principles that all UK companies should adapt for processing, storing and transmitting personal and sensitive personal information. The 8 Principles outline overall objectives for ensuring the data is collected and used fairly, relevant and used only for the purpose it was collected, kept up to date and only for the length of time it was needed for and not transferred outside of the EU unless the country has a suitable data protection law. Above all companies must provide an appropriate level of security to ensure the protection of this data. Find out more about the DPA

How much security? How long is a piece of string? You decide. You see the DPA are just a set of Principles and do not establish any specific controls or even a general level of security for businesses to implement. Your business needs to make that decision. Your business needs to design a framework conducive to adequately protecting the data based on its sensitivity. If you just process customer’s names and addresses or other data that is already public knowledge perhaps you do not need as much security as if you were processing their credit cards or medical histories. 

The framework you design needs to be simple, effective and appropriate to the sensitivity of the data and documented in order to stand as proof of due diligence in the event you have a problem. Above all it should be based on common sense. Never forget that the data your business, processes, stores and transmits every day is information about someone’s life. Ensure that your business protects this data to a standard that you would want a business to protect your personal information and you've got it exactly right.