The Data Protection Act (DPA) is the principal legislative force which controls the way in which businesses and organisations handle personal data. A data subject's personal and sensitive data is at risk of exploitation when it is stored by data controllers. Therefore, the DPA provides a legislative framework to combat unlawful and fraudulent activity, which may be carried out by organisations which handle personal data.
Why was the DPA introduced in 1998?
The DPA was formulated by the UK Parliament in 1998 to control the handling of information and strengthen the legal position of the data subject, whose information is stored within an organisation. Previously, the DPA 1984 and the Access to Personal Files Act 1987 had dominated the legislative stage. However, the need for the DPA 1998 arose as businesses, organisations and the government evolved to utilise databases to store personal and sensitive data, which are easily accessed and manipulated. Consequently, to prevent personal data being exploited by data controllers, the DPA formulated protection principles.
The DPA became the necessary response to the data-dominated society which was evolving in the latter half of the twentieth century. Companies have become more data-aware; organisations have realised that processing data through web analytics and financial planning has allowed their company to grow. Analysing data allows a company to identify its successful strategies, as well as its unsuccessful strategies; storing data and subsequently analysing it therefore has a lot of value.
Therefore, the data-savvy business industry which has emerged has created the need for the DPA. Murli Buluswar, chief science officer of AIG, a US-based finance and insurance corporation, has referenced the difficulty in becoming a data-savvy company. He has stated that this difficulty lay in having to change the mindset of staff members to become more objective and data driven, as well as teaching them how to process the true value of this data store.
Moreover, Zoher Karu, the Vice President of eBay, has stated that the difficulty in becoming data-savvy in their company was due to the problems surrounding data privacy. It appears that consumers are willing to offer their personal data to organisations if they are aware that this personal data will be protected. Therefore, compliance with the DPA is essential for an organisation to assure consumers that their personal data is protected.
Who does the DPA apply to?
The DPA applies to any business or organisation which processes the personal data of a data subject. Technology firms, marketers, financial firms and health organisations are just a few examples of firms which process vast amounts of personal data daily.
Technology firms have spent a lot of money to aid the transition to comply with the DPA. These technology firms have hired new staff, including an information commissioner, to ensure all protection principles are upheld. Data subjects have the right to withdraw their consent and remove their data permanently from an organisation.
This creates implications for tech firms such as Microsoft, Google, IBM and Amazon, as these organisations process data and store it within cloud services, as well as with other companies. Therefore, when it comes to withdrawing data from these servers, a lot of new infrastructure needs to be installed. Microsoft has renewed and updated the contracts it shares with third-party suppliers and has pushed for companies using the Microsoft cloud to ensure that they have complied with the GDPR.
Therefore, once an organisation is aware that the DPA applies to it, it should undergo education and training to ensure that it is ready to implement and comply with the DPA.