This lesson covers the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR) as required by OCR J277 Section 1.6. These are the most important pieces of legislation governing the use of personal data in the UK.
The GDPR is a European Union regulation that came into force on 25 May 2018. The Data Protection Act 2018 (DPA 2018) is the UK law that implements and supplements it, filling in the areas where the GDPR leaves choices to individual member states. Since the UK left the EU, the GDPR has been retained in UK law as the "UK GDPR" and continues to operate alongside the DPA 2018. Together, they control how personal data is collected, stored, processed, and shared by organisations.
The DPA 2018 replaced the earlier Data Protection Act 1998 and provides stronger rights for individuals and stricter obligations for organisations.
| Term | Meaning |
|---|---|
| Personal data | Any information that can identify a living individual, directly or indirectly (name, address, email, IP address, etc.) |
| Sensitive personal data | Called "special category data" under the GDPR: information such as health records, biometric data used for identification, religious beliefs, ethnicity, sexual orientation and political opinions, which needs extra protection |
| Data subject | The individual whose personal data is being processed |
| Data controller | The organisation that decides why and how personal data is processed |
| Data processor | An organisation that processes data on behalf of the data controller |
| ICO | The Information Commissioner's Office — the UK's data protection regulator |
Organisations that handle personal data must follow seven key principles:
| Principle | Meaning |
|---|---|
| 1. Lawfulness, fairness, transparency | Data must be processed legally, fairly, and in a clear manner |
| 2. Purpose limitation | Data must be collected for a specific, stated purpose and not used for anything else |
| 3. Data minimisation | Only the minimum amount of data necessary should be collected |
| 4. Accuracy | Data must be kept accurate and up to date |
| 5. Storage limitation | Data must not be kept longer than necessary |
| 6. Integrity and confidentiality | Data must be kept secure and protected from unauthorised access |
| 7. Accountability | The data controller must be able to demonstrate compliance with all principles |
OCR Exam Tip: You do not need to memorise the exact names of all seven principles, but you should be able to describe at least four or five of them in your own words. A common exam question asks you to explain how a given scenario does or does not comply with the DPA/GDPR.
Under the DPA 2018 and GDPR, individuals have several important rights:
| Right | What It Means |
|---|---|
| Right of access | You can request a copy of all personal data an organisation holds about you (Subject Access Request) |
| Right to rectification | You can ask for inaccurate data to be corrected |
| Right to erasure | You can request that your data be deleted (the "right to be forgotten"); this applies in certain circumstances, for example when the data is no longer needed for the purpose it was collected for |
| Right to restrict processing | You can ask an organisation to stop processing your data in certain circumstances |
| Right to data portability | You can request your data in a format that allows it to be transferred to another provider |
| Right to object | You can object to your data being used for certain purposes, such as direct marketing |
Organisations that handle personal data must:
Organisations that fail to comply with the DPA 2018/GDPR face serious penalties:
| Consequence | Detail |
|---|---|
| Fines | Up to £17.5 million or 4% of annual global turnover (whichever is higher) |
| Enforcement notices | The ICO can order organisations to take specific actions |
| Reputation damage | Public awareness of data breaches damages trust |
| Compensation claims | Affected individuals can claim compensation for distress or financial loss |
In October 2020, British Airways was fined £20 million by the ICO after a 2018 data breach exposed the personal and payment card data of approximately 400,000 customers. The ICO found that the company had not put appropriate security measures in place, a failure of the integrity and confidentiality principle.
OCR Exam Tip: When answering questions about the DPA/GDPR, always link back to specific principles. For example, if a company keeps data for 10 years without a reason, this violates the storage limitation principle. If it stores customers' passwords or card details without encryption or other appropriate security measures, this violates the integrity and confidentiality principle. If it collects a customer's date of birth when only an email address is needed, this violates data minimisation.
The Data Protection Act 2018 and GDPR protect individuals' personal data by setting strict rules for how organisations collect, store, process, and share it. The seven principles provide a framework for lawful data handling, and individuals have rights including access, rectification, and erasure. Non-compliance carries significant financial and reputational consequences. This is one of the most commonly tested pieces of legislation in the OCR J277 exam.