Strike Graph security compliance blog

Is the Data Protection Act of 1988 still in force?

Written by Michelle Strickler | Jun 30, 2023 7:00:00 AM

In today’s world of cybersecurity, laws and regulations are constantly evolving to keep businesses resilient against the ever-changing threats in cyberspace. Knowing the history of influential laws in the cybersecurity industry, like the Data Protection Act (DPA), can give you leverage when it comes to keeping up with changing regulations and can help you stay competitive in a market that demands compliance with multiple frameworks.

The DPA 1988 was revolutionary at the time it was passed. It established a foundation of best practices for storing and protecting data in the UK – a concept that couldn’t be more significant to the modern digital landscape. It also introduced the idea of consumer rights over personal data, giving people a say in how their information would be handled. And it was one of the first laws to impose real consequences for non-compliance, meaning organizations would be held accountable for protecting people’s information.

These are foundational ideas that are certainly still in force today – in fact, they laid the groundwork for the 7 GDPR principles and the 8 GDPR rights. But while the ideas are long-lasting, the law itself has been updated multiple times to better meet the needs of the modern world.

DPA 1998 and 2018

A decade after the DPA 1988 was first passed, the law was updated in 1998 because of the growing need for cybersecurity. Internet access was expanding rapidly, and information was quickly moving into digital storage, replacing old-fashioned paper files and filing cabinets. These changes were reflected in the DPA 1998, which updated privacy requirements and consumer rights.

Skip ahead to 2018, and once again the world had changed significantly. The amount of personal data stored digitally, and the threats to all types of information, had grown exponentially. To address these changes, the DPA 2018 now supersedes the DPA 1998. The procedures and principles in the 2018 version of the law reflect the more nuanced challenges of the present day.

In the EU and the UK, there is significant crossover between the General Data Protection Regulation (the GDPR) and the DPA 2018. Understanding the relationship between these two regulations is important for anyone doing business in either territory.

While the GDPR is the privacy and security standard within the EU, the DPA 2018 is the UK’s comprehensive data protection framework. In the UK specifically, the GDPR is applied within the wider scope of the DPA 2018, so you can almost think of the GDPR as a supplement to the DPA 2018. Neither one replaces the other – rather, they work together to enforce the UK’s accountability measures for security.

It’s also helpful to know that the UK has made nuanced changes to the way it enforces the GDPR. These include differences in how criminal data is processed, the official age at which a child can consent to data processing, select circumstances in automated decision-making, and specific exemptions from personal data protections when considered to be in the public interest. Knowing that these small changes exist in the UK is particularly important for anyone doing business in both regions.

So how do you actually manage your compliance with the DPA 2018? Because of the crossover between the DPA 2018 and the GDPR, becoming GDPR compliant will put you on the right track towards DPA 2018 compliance as well. Make sure that you and your security team are comfortable with the DPA’s requirements, and that you know the nuanced differences between the DPA 2018 and the GDPR, so you are confident about where those small changes are addressed in your security plan.

When your organization processes a large amount of personal information, you’ll work with a Data Protection Officer (DPO) – an independent expert in data protection – whose role is to help ensure that all the security systems in place are in line with GDPR rights and principles.

Finally, one of the best ways to uphold your security and compliance is to build a company-wide culture of data protection. Make sure your employees, especially those who handle personal information regularly, are up to date on the requirements of GDPR and DPA 2018 compliance. Create opportunities for regular training, and ensure that they understand their responsibilities for keeping information protected to the regulatory standard.

As technology advances, threats to our security continue to morph with the landscape. Companies need to be flexible enough to grow and adapt with these changes to keep threats at bay and to build customer and stakeholder trust.

How Strike Graph can help you with the changing landscape

No matter what region you’re working in, Strike Graph helps you design a robust and flexible security program that keeps pace with the changing regulatory landscape. Our easy-to-use platform will help you meet those changing requirements and keep you ahead of the competition.

For those looking for GDPR compliance, our library of preloaded GDPR controls will streamline your process. And our flexible platform will help you reuse the work you’ve already done to meet the requirements of other frameworks, allowing you to focus on growing your company and meeting the changing demands of the industry.