Companies and organisations hold your personal data and its incredibly valuable - not just to the companies, but to data brokers, and hackers.
To protect your data and ensure these companies treat it with respect, all companies must comply with the Data Protection Act (DPA).
The Data Protection Act was updated in 2018 to bring it in line with technological advances and the ways companies have been using data.
Consent
When collecting data on users and customers, organisations must have the consent to hold and use their data.
Consent must be:
- Freely given by the user
- Specific to the purposes the data will be used for
- Informed
- Be possible to revoke
Key Principles
The Data Protection Act sets out seven key principles:
- Lawfulness, fairness and transparency - Data must be collected lawfully, fairly and the user must know it is being collected
- Purpose limitation - The data must only be collected and used for a specific purpose, which the user must be aware of
- Data minimisation - Only the data required for the intended purpose may be collected
- Accuracy - Data must be kept up to date
- Storage limitation - Data must only be held for as long as it is needed, and not excessively
- Integrity and confidentiality (security) - Data must be stored and destroyed securely
- Accountability - The company will be accountable for the data is holds and may be incur penalties for not adhering to the DPA
The Data Controller
Organisations must have a data controller - a person who is responsible for the organisations compliance with the Data Protection Act.
Organisations that are in breach may face large fines.
