Understanding the Data Protection Act

The landmark Data Protection Act (DPA) was passed in 1998 and affects every business operating within the United Kingdom. Whether you run a startup or an ecommerce store, understanding the Data Protection Act and its guidelines will go a long way in ensuring that you stay compliant with UK laws. This guide will give a brief overview of the law and help you understand how it applies to your business.

Understanding the Data Protection Act

The Data Protection Act was passed by the UK Parliament in 1998. This landmark law determines how the personal data of identifiable living people can be used by businesses and the government in the UK. All other laws related to personal data and privacy in the UK are derived from this act, making it one of the most important pieces of legislation for any business that deals with user data (which is nearly every modern business with a website). The Data Protection Act was originally derived from the EU Data Protection Directive of 1995. This directive itself sprang from the growing need for legislation dealing with data usage in the fledgling internet age. Although the web was still in its infancy with scarcely 40M users in 1995, it was clear that the platform would grow immensely in the near future (a prediction that would give rise to the dot-com bubble - and still hold true twenty years later). This necessitated that robust legislation be formed to deal with the web's growing prominence - and the need for businesses to collect private data about customers.

The Rise of the Cookie

In October 1994, Lou Montulli and John Giannandrea wrote the first "cookie" specification, to be used in version 0.9b of Mosaic Netscape, the first "modern" web browser. The cookie, which is basically a tiny packet of data stored on a user's computer, would go on to radically transform the way businesses collected customer data. A cookie (earlier known as a "magic cookie") could collect and store data about a user, including his/her past web surfing habits, account data, etc., and transmit it back to the website of origin. This was tremendously useful to businesses. With cookies, businesses could finally understand who their customers were and what their behaviour was like. Thus, businesses could create better websites for visitors, customise the experience to their customers' needs and gather intelligence on their browsing habits.

At the same time, it exposed customers to data abuse and theft. Websites could surreptitiously gather data on what someone was doing online. Hence the need for the Data Protection Act, which has dozens of detailed directives about what can and cannot be stored by a cookie. Cookies continue to form a major part of every website's data collection strategy, though laws like the Data Protection Act control their usage and behaviour.

The Eight Principles of the Data Protection Act

As per the provisions included in the Data Protection Act, every business that stores or utilises customer or employee data has to comply with the eight principles included in the act. Compliance is overseen by the Office of the Information Commissioner (ICO).

These eight principles are:

  • All data must be processed lawfully and fairly.
  • All data must only be used for the purpose for which it was collected.
  • Organisations should only collect as much data as required and must not engage in intrusive or excessive data collection practices.
  • Organisations must strive to keep data as accurate as possible and updated as often as necessary.
  • Organisations must not store data for longer than necessary; once the data has served its purpose, the organisation must strive to remove it permanently.
  • No data collection or analysis processes must infringe on individual rights.
  • Organisations have a responsibility to keep data as secure as possible.
  • Data should not be transferred to countries or third parties that do not have similar data protection stipulations.

In layman's terms, these eight principles imply that every business should store and process data lawfully, and must do so without infringing on individual rights. It must also strive to keep data secure.

Penalties for Breaching the Data Protection Act

The Data Protection Act includes severe penalties for any organisation found violating the stipulations of the act. These penalties include, but aren't limited to:

  • Fines of up to £500,000 for organisations found seriously violating the act.
  • Organisations found deliberately flouting the DPA are subject to criminal prosecution and prison sentences.
  • Any organisation found violating the DPA must submit to an undertaking to comply with the terms of the act to avoid further action from the Office of the Information Commissioner.
  • As per the stipulations of the act, the ICO has complete authority to audit government organisations without prior consent to ensure compliance with the act.

Complying with the Data Protection Act

The DPA is quite broad in scope, which makes understanding it and complying with its directives a bit difficult for businesses. Some general guidelines for complying with the act are:

  • Seek consent from users before storing or collecting any personal data (i.e. data that can be used to identify users, not anonymous data).
  • Sensitive data, including health data, financial data, etc. must only be collected when absolutely necessary.
  • Collect personal data only when absolutely necessary. If collected data is found to be out of date, it must be deleted promptly.
  • Strive to keep collected data as accurate as possible.
  • Create strong information security architecture to keep data as secure as possible.
  • Do not transfer data to any third party processors without prior permission from the users.
  • If transferring data overseas (say, to an outsourcing firm), make sure that the third party complies with the principles of the DPA. Do not transfer data to any country which does not have any similar provisions as the DPA.

The DPA is an important law for individuals as well as businesses. Given the importance of data in the current business context, it is all the more important that organisations strive to protect their users' data and use it in full compliance with the Data Protection Act. There are a host of services available to individuals or new start-ups setting up a new business venture online, from designing your first website, to gaining advice from software developers and of course SEO marketing professionals who can assist with advertising your products and services.