Introduction
The Data Protection Act 2018 (DPA 2018) is the United Kingdom's legislative framework governing the processing of personal data. It came into force as an update to the UK's Data Protection Act 1998, bringing UK law into line with the European Union's General Data Protection Regulation (GDPR).
This alignment keeps the data protection standards of the UK and the European Union consistent, with a primary focus on how organisations handle personal data. The principles it sets out include greater transparency about how data is used and the minimisation of unnecessary collection and sharing.
Essential Rights For Citizens
One of the primary aims of the DPA 2018 is to give citizens greater control over how their personal data is managed. The six essential rights for citizens are outlined below:
- Transparency And Awareness
  Individuals have the right to know what data is being collected, how it is being used, who is using it and for what purpose.
- Access And Control
  Individuals have the right to request access to the personal data a company holds on them, so that they can check it is accurate and appropriate.
- Right To Rectify
  Individuals have the right to update or correct the personal data a company holds on them.
- Right To Be Forgotten
  Individuals have the right to request that organisations permanently delete the personal data they hold on them.
- Restriction And Objection
  Individuals have the right to restrict or object to how their data is going to be used in specific situations.
- Data Portability
  Individuals have the right to obtain and reuse their data across different services, essentially having that data exported for them.
Key Principles Of The DPA
There are seven core data protection principles within GDPR, and the DPA 2018 builds upon them to ensure that personal data is handled legally and ethically.
- Lawfulness, Fairness And Transparency
  Personal data must be processed in a legal and ethical manner. Individuals have the right to know how their data is used, with clear data collection practices and purposes set out.
- Purpose Limitation
  Organisations must clearly state to the individual, and limit, the purposes of their data collection. It must be made clear what information is being collected and what it is being collected for, and consent must be obtained from the individual for this scope of data.
- Data Minimisation
  Closely related to purpose limitation: organisations should only collect data that is strictly required for the specific purpose defined and accepted by the individual. Data should not be collected excessively, which reduces both privacy and security risks.
- Accuracy
  Data must be collected and maintained so that it stays accurate, as inaccurate data cannot satisfy the conditions under which it was collected. Procedures need to be established to regularly review and update data, and individuals must be able to request corrections to the information held on them.
- Storage Limitation
  Data must not be kept indefinitely. A time frame for achieving the purpose of the collection must be established and agreed with the data subjects, and once it has passed the data must be securely deleted.
- Integrity And Confidentiality
  Organisations must apply suitable technical and organisational controls to protect personal data from a range of threats, preventing security issues such as unauthorised access to, damage to, or deletion of data.
- Accountability
  A clear line of accountability must be established for the data controller. The data controller is ultimately accountable for adhering to the principles of the DPA 2018, including establishing the purposes and means of processing personal information. A data protection officer (DPO) may be needed for this role.
Examples Of Non-Compliance With The DPA
The following examples outline areas of non-compliance with the DPA 2018:
- An employee loses a corporate device that contains unencrypted personal data belonging to the company's customers. This breaches the integrity and confidentiality of the data, as the organisation has failed to implement appropriate security controls.
- An application with a poor password policy suffers a data leak that exposes sensitive user information. This breaches transparency and purpose limitation, as the user is unaware of where their personal data has been shared.
- Staff fall victim to a phishing scam and give access to a threat actor, who steals customer data. This breaches accountability, integrity and confidentiality, as the organisation has not put sufficient access controls in place.
- A company sends marketing emails to a list of purchased email addresses without obtaining prior consent. This breaches lawfulness, fairness and transparency, as it is unclear how the data was obtained and how it is used.
Best Practices To Ensure Compliance
The following checklist, whilst not exhaustive, contains a series of steps that can be taken to build out data security management in line with the DPA 2018.
- Clearly Understand The Data You Hold
  - What personal data do you hold?
  - Does the data include sensitive personal data? If yes, how do you keep it safe?
  - Does your website collect personal data from minors?
  - Why does your company require this data?
  - How have you recorded consent for processing this personal data?
  - Where is this personal data stored?
  - Who has access to this data?
  - Do any third parties hold this personal data? If yes, how do you control their processing of your data?
  - Are these third parties based outside the EEA?
  - How long does this personal data need to be kept? Can any of it be deleted or anonymised?
- Secure Your Infrastructure
  - Install a TLS (SSL) certificate so the site is served over HTTPS, encrypting all traffic between visitors' browsers and the server.
  - Use strong passwords for admin accounts.
  - Add extra layers of protection to your server if you allow users to submit payment information.
  - Use a CDN provider that can improve security, e.g. by protecting websites against DDoS.
  - Use anti-virus software or services to protect against unauthorised access to the site.
  - Do not collect, use or store more personal data than your website needs.
  - Avoid sending or sharing personal data, especially sensitive categories, with third-party services.
  - Pseudonymise or anonymise personal data before storing it, to de-identify the users.
  - Remove personal data once your website no longer needs it.
  - Back up the data in multiple locations.
- Privacy Policy
  Ensure that your privacy policy is easily accessible to users and informs website visitors of how you collect, use, store and disclose their personal data. You must also clearly set out users' rights and your obligations, such as their right to access their personal data and request erasure.
- Obtain Consent
  Ensure that you have captured explicit permission from users to contact them and to use their personal data under the defined and agreed conditions. For example, data sharing should be off by default so that users opt in, ensuring that the user has directly agreed to these conditions rather than agreement being implied.
- Cookies
  Websites that use non-essential cookies need a cookie banner that explains how these cookies are used and what information they store, and that lets users reject the storage of cookies.
- Validate Forms
  - Include a privacy statement that explains why you are asking for their details, what you are going to do with them, and that they can withdraw consent at any time.
  - Add an opt-in control, such as an unticked checkbox or a disabled toggle switch, to obtain user consent to collect data.
  - Add a checkbox (or similar option) so that people can choose whether to receive correspondence from you or related services.
  - Preferably, add a link to the Privacy Policy for further information.
- Review Data Processors And Third Parties
  Ensure that the services and companies your organisation uses are also compliant with the DPA 2018. As the data controller, you are responsible for validating the privacy policies of any third-party service or company with which you share data.
- Review International Transfers
  - Have you done the necessary risk assessments before transferring the data?
  - Does the recipient country or service have an adequate level of data protection in place?
  - Do you have all the necessary agreements with the recipient company or service?
- Provide For Data Rights
  Web users have a right to obtain information about the personal data you hold on them, and they can then request that it is updated or deleted at any time. They do so through a Data Subject Access Request (DSAR).
- Analyse & Mitigate Data Breaches
  - Prepare a plan of action for the case where another data breach happens or is likely to happen in the future.
  - Keep a record of your processing activities.
  - Block all access to your website until you fix the vulnerability.
  - Conduct a thorough investigation: where, when and how it happened, what data was involved, and who was affected and how.
  - Notify the appropriate supervisory authority about the breach within 72 hours with all the information you have. The breach notification usually must include the categories and approximate number of users concerned; the categories and approximate number of personal data records affected; and any action taken, or measures planned, by the company in response to the breach, including measures to mitigate its possible adverse effects.
  - Notify the affected users if the breach creates an increased risk to users' rights and freedoms, including what they can do to protect their data.
  - Update your policies and procedures to prevent future security breaches on your website.