Table of Contents
- Why Do We Have the UK DPA and the UK GDPR?
- 1. Fair and Lawful Processing of Personal Data
- 2. Legitimate Purpose
- 3. Data Processing Must Be Adequate, Relevant and Not Excessive
- 4. Ensuring Accuracy and Updating of Personal Data
- 5. Keep Data for No Longer Than Necessary
- 6. Ensure Good Data Security
- Key Takeaways
- Frequently Asked Questions
The introduction of the Data Protection Act 2018 (DPA) had a significant impact on businesses in the UK. Its main effect was to bring the provisions of the General Data Protection Regulation (GDPR) into UK law. The Act also sets out six data protection principles you should be aware of. This article considers the impact of those six principles on your business in the UK. Following them helps you avoid fines from the Information Commissioner's Office (ICO), which for the most serious breaches can reach £17.5m or 4% of annual worldwide turnover, whichever is higher.
Why Do We Have the UK DPA and the UK GDPR?
The DPA brings the provisions of the GDPR into UK law and confirms six data protection principles for businesses. These principles are similar to, and overlap with, the seven principles in the GDPR, although they are not identical.
Let us explore the six principles below.
1. Fair and Lawful Processing of Personal Data
This is a fundamental principle as it makes clear that unlawful processing of personal data is a breach of data protection law.
Fair and lawful processing will usually involve:
- handling the personal information of individuals in line with the Data Protection Act and GDPR rules;
- handling personal data securely and guarding it against theft or unauthorised use;
- reporting personal data breaches (including cyber attacks) that are likely to pose a risk to individuals to the Information Commissioner's Office within 72 hours of becoming aware of them; and
- providing upfront information to individuals about how and why you will process their personal data, typically in a privacy notice.
2. Legitimate Purpose
Your business may only process and collect personal data for legitimate purposes. Suppose, for example, an individual provides personal information to you to receive a delivery. You cannot sell it to another company for profit without their prior consent.
This principle has curbed the once-common practice of businesses 'cold calling' individuals who had provided their telephone number only to receive an update on an order.
3. Data Processing Must Be Adequate, Relevant and Not Excessive
The tests of adequacy and relevance relate to the purpose for which you collected the data. Thus, if an individual provides an email address to receive updates on a purchase, you should not take them to have provided it for an electronic newsletter.
But what does excessive mean? The ICO will judge personal data processing as disproportionate if it goes beyond what your business actually needs for that task. For example, say someone books a service for their car. You may safely ask for their full name, mobile number and email address. However, asking them for their national insurance number or date of birth would be excessive.
There is a similar principle under the GDPR, known as data minimisation.
4. Ensuring Accuracy and Updating of Personal Data
Businesses in the UK must take reasonable steps to update personal information and delete any inaccurate information from their systems without delay.
Suppose your business runs a gym and it becomes apparent that a customer's recorded date of birth is plainly wrong. It should delete the erroneous date immediately, even whilst waiting for the customer to bring in a piece of ID showing their correct date of birth, rather than continue to rely on a value it knows to be inaccurate.
5. Keep Data for No Longer Than Necessary
This is similar to the storage limitation principle of the GDPR. Namely, your organisation should avoid storing personal data for longer than necessary.
So, for example, if a one-off customer paid by credit card in 2018 and has ordered nothing since, there is no continuing need to hold those card details and you should erase them from your system (card numbers should in any case not be retained after the transaction unless you have a specific, justified need for them). The reasons for this include the following:
- they could use a different credit card in the future;
- they are not necessary (because the customer does not regularly order goods and can simply re-enter them); and
- cards expire and are reissued every 3-5 years, so stored details quickly go stale while still being valuable to an attacker.
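The storage limitation principle is easiest to demonstrate as a retention schedule applied to records by category. The following is an added example (not code from the original article): it assumes a hypothetical schedule in which card details have no retention period after the transaction, order history is kept for accounting, and a record under legal hold (for example, one that is the subject of a dispute) is excluded from deletion. The sample records are constructed to match the one-off customer described above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule (an assumption for this example): the number
# of days each category of record may be kept after the customer's last activity.
RETENTION_DAYS = {
    "order_history": 6 * 365,    # kept for accounting purposes
    "payment_card": 0,           # no continuing need once the transaction has settled
    "marketing_profile": 2 * 365,
}


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date
    legal_hold: bool = False  # e.g. subject of an ongoing dispute; never auto-deleted


def is_expired(record, today):
    """Return True when the record is older than its category's retention period.

    An unknown category raises rather than silently keeping the data forever,
    because a record with no defined purpose has no defined retention period.
    """
    if record.category not in RETENTION_DAYS:
        raise ValueError(f"no retention period defined for category {record.category!r}")
    limit = timedelta(days=RETENTION_DAYS[record.category])
    return today > record.last_activity + limit


def retention_sweep(records, today):
    """Split records into those to delete and those to retain as of `today`."""
    to_delete, retained = [], []
    for record in records:
        if record.legal_hold or not is_expired(record, today):
            retained.append(record.record_id)
        else:
            to_delete.append(record.record_id)
    return to_delete, retained


# Constructed sample data: customer 1001 is the one-off 2018 purchaser from the article.
SAMPLE_RECORDS = [
    Record("card-1001", "payment_card", date(2018, 3, 14)),
    Record("order-1001", "order_history", date(2018, 3, 14)),
    Record("mkt-2002", "marketing_profile", date(2022, 1, 5)),
    Record("card-3003", "payment_card", date(2018, 6, 1), legal_hold=True),
]


if __name__ == "__main__":
    delete, keep = retention_sweep(SAMPLE_RECORDS, date(2022, 11, 1))
    print("delete:", delete)   # delete: ['card-1001']
    print("retain:", keep)     # retain: ['order-1001', 'mkt-2002', 'card-3003']
```

The important design choice is that the retention period is tied to the purpose the data was collected for, not to a single blanket date: the same customer's order history is kept for accounting while their card details are not, and the legal-hold flag documents the one reason a record outlives its schedule.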
6. Ensure Good Data Security
Your business should ensure good levels of protection against theft or unauthorised use of personal data. The DPA also requires your organisation to guard vigorously against the accidental loss or destruction of personal information, so backups and recovery matter as much as keeping attackers out.
Some practical security measures include:
- keeping systems patched and using robust anti-malware software;
- enforcing strong, unique passwords and multi-factor authentication;
- encrypting sensitive data both in storage and in transit; and
- limiting employee access to personal information to what is reasonably necessary for their role.
Key Takeaways
The UK Government passed the DPA into domestic law to incorporate the rules within the EU GDPR. The specific purpose of our data protection legislation is to protect the personal data of individuals in the United Kingdom. Indeed, our Government believes it is in the public interest to ensure businesses do everything they can to safeguard personal information.
If you need help complying with the Data Protection Act, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Are the DPA 2018 principles the same as the GDPR principles?
No, but they are very similar. As described above, the six principles of the DPA 2018 closely resemble the seven principles of the GDPR. In fact, the majority overlap with each other to a high degree.
Do the DPA 2018 and GDPR still apply now that the UK has left the EU?
Yes, the DPA 2018 and the UK GDPR are as binding on businesses in the UK now as they were when the UK was a member of the European Union. The UK Government is currently considering changes but, as of late 2022, they remain entirely in place.