Data Protection Act 1998 – The basics

Our recent focus on the upcoming General Data Protection Regulation (GDPR) may have a lot of you thinking about how your company handles data. We referenced the Data Protection Act (DPA) of 1998 a lot in those articles. It’s quite an old piece of legislation now, but a lot of people still don’t know what it means. Before you sink your teeth into GDPR (and we definitely advise that you do that soon), it is worth familiarising yourself with the DPA.

The DPA laid out some basic rules for processing personal information. At its core were eight data protection principles, which state that all personal data shall be:

  1. Fairly and lawfully processed
  2. Processed for limited purposes
  3. Adequate, relevant and not excessive
  4. Accurate
  5. Not kept for longer than is necessary
  6. Processed in line with an individual’s rights
  7. Secure
  8. Not transferred to other countries without adequate protection

These are quite loose principles, but that's the DPA in a nutshell. The specifics of each principle aren't as important as having the processes in place to handle them. For example, ensure that you have a process in place to dispose of data once it is no longer necessary to keep (an employee leaving the company, a supplier shutting down, a business contact retiring, etc.).

Make sure you have rigorous processes in place for all of these principles. Once you’ve achieved that, it’s very important to start working on your organisation’s compliance with GDPR. This is a great time to move on to our two blog posts on GDPR and the basics of compliance.

If you’re interested in learning more about the DPA, take a look at Parliament’s information page.


Content Marketing Manager