The Data Protection Act and GDPR

The Data Protection Act 2018 (DPA) is the UK's main law governing how personal data is collected, stored, and used. It incorporates the principles of the General Data Protection Regulation (GDPR), which is an EU regulation that the UK adopted.

---

What is Personal Data?

Personal data is any information that can identify a living individual, directly or indirectly. Examples include:

• Name, address, date of birth
• Email address, phone number
• Medical records, financial information
• IP addresses, location data
• Photographs, biometric data (fingerprints, facial recognition)

Sensitive personal data (called "special category data" under GDPR) requires extra protection and includes:

• Racial or ethnic origin
• Political opinions
• Religious beliefs
• Trade union membership
• Health data
• Sexual orientation
• Biometric data used for identification
• Genetic data

---

Key Terms

Term	Definition
Data subject	The individual whose personal data is being processed
Data controller	The organisation that decides how and why personal data is processed
Data processor	An organisation that processes data on behalf of the controller
Processing	Any operation performed on personal data (collecting, storing, using, deleting)
Information Commissioner's Office (ICO)	The UK's independent body that enforces data protection laws

---

The Eight Data Protection Principles

Under the DPA 2018 / GDPR, personal data must be:

Principle	Meaning
1. Lawful, fair and transparent	Data must be collected legally, used fairly, and individuals must be told how their data is used
2. Purpose limitation	Data must be collected for a specific, stated purpose and not used for other purposes
3. Data minimisation	Only the minimum amount of data needed should be collected
4. Accuracy	Data must be accurate and kept up to date
5. Storage limitation	Data must not be kept for longer than necessary
6. Integrity and confidentiality (security)	Data must be stored securely and protected from unauthorised access, loss, or damage
7. Accountability	The data controller must be able to demonstrate compliance with these principles
8. Lawfulness of processing	There must be a lawful basis for processing (e.g., consent, legal obligation, legitimate interest)

Exam Tip: You do not need to memorise the exact wording, but you should know the key ideas behind each principle. Being able to give an example for each principle will help you gain full marks.

graph TD
    DPA[DPA 2018 / UK GDPR]
    DPA --> P[Principles]
    DPA --> R[Data Subject Rights]
    DPA --> E[Enforcement]
    P --> P1[1. Lawful, Fair, Transparent]
    P --> P2[2. Purpose Limitation]
    P --> P3[3. Data Minimisation]
    P --> P4[4. Accuracy]
    P --> P5[5. Storage Limitation]
    P --> P6[6. Integrity & Security]
    P --> P7[7. Accountability]
    R --> R1[Access / SAR]
    R --> R2[Rectification]
    R --> R3[Erasure]
    R --> R4[Portability]
    R --> R5[Object / Restrict]
    E --> ICO[ICO]
    ICO --> F[Fines up to 4% turnover]

---

Rights of Data Subjects

Under GDPR/DPA 2018, individuals have the following rights:

Right	Explanation
Right of access	You can request a copy of all personal data an organisation holds about you (Subject Access Request)
Right to rectification	You can ask for inaccurate data to be corrected
Right to erasure	You can request that your data be deleted ("right to be forgotten")
Right to restrict processing	You can limit how your data is used
Right to data portability	You can request your data in a format that allows transfer to another service
Right to object	You can object to your data being used for certain purposes (e.g., direct marketing)

---

Enforcement and Penalties

The Information Commissioner's Office (ICO) is responsible for enforcing the DPA in the UK.

Penalties for non-compliance:

• Fines of up to £17.5 million or 4% of global annual turnover (whichever is greater) for the most serious breaches
• Lower-level fines for less serious breaches
• Enforcement notices requiring organisations to take specific actions
• Criminal prosecution in some cases

Examples of enforcement:

• British Airways was fined £20 million in 2020 for a data breach affecting 400,000 customers
• Marriott Hotels was fined £18.4 million for a breach affecting 339 million guest records

---

Practical Implications for Organisations

Organisations must:

• Appoint a Data Protection Officer (DPO) if they process large amounts of data
• Conduct Data Protection Impact Assessments for high-risk processing
• Report data breaches to the ICO within 72 hours
• Obtain consent before collecting personal data (where consent is the lawful basis)
• Provide privacy notices explaining how data will be used
• Implement appropriate security measures (encryption, access controls, backups)

---

Key Points

• The DPA 2018 and GDPR regulate how personal data is collected, stored, and used.
• Personal data is any information that can identify a living individual.
• There are eight key principles that organisations must follow.
• Data subjects have rights including access, rectification, and erasure.
• The ICO enforces the law and can issue substantial fines.
• Organisations must implement appropriate security measures and report breaches.

---

The Seven UK GDPR Principles in Depth

While the AQA specification refers to "the principles of data protection", it is the UK GDPR as enacted through the Data Protection Act 2018 that provides the operative list. The seven principles set out in Article 5 are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. You should be able to explain each and apply it to a scenario.

Lawfulness, fairness and transparency requires a lawful basis — one of the six listed in Article 6: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Fairness means processing must not be unduly detrimental, unexpected, or deceptive. Transparency requires a privacy notice that is concise, intelligible, and accessible.

Purpose limitation means data collected for one purpose cannot be repurposed without a fresh lawful basis. A school that collects pupil photographs for ID cards cannot reuse them to train a commercial facial-recognition model without further consent.

Data minimisation — collect only what is adequate, relevant, and necessary. A delivery company does not need a customer's date of birth to drop off a parcel.