The Data Protection Act 2018 (DPA) is designed to regulate the use of personal data by businesses and other organisations. The DPA is the main legislation implementing the UK General Data Protection Regulations (GDPR).
Anyone processing personal data must ensure that it is:
- used fairly, lawfully and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and its collection is limited to what is necessary
- accurate and kept up to date
- kept in a form that enables identification of data subjects for no longer than is necessary
- handled according to the data protection rights of individuals
- stored in a way which protects the data against unlawful processing and accidental loss, and
- not transferred outside the UK without adequate protection. Data transfers to the EEA and certain other states are covered by adequacy decisions, meaning that additional paperwork is usually not required
Organisations that determine the purpose for which personal data is processed (ie data controllers) must pay the Information Commissioner's Office (ICO) a data protection fee unless they are exempt.
For more information, read Data protection, Data protection principles and Data protection for businesses.