Data Protection is the precautionary procedure used to control personal information used by businesses and organisations. The Data Protection Act (DPA), recently updated in 2018, complies with some of the directives stated within the European General Data Protection Regulation (GDPR). Businesses in the UK are obliged to abide by the protection principles listed in the DPA, from the initial period of receiving personal data to the terminating period, in which data is either returned or destroyed.

Consequently, it is essential that staff members are thoroughly educated and trained with handling personal data. The Information Commissioner’s Office (ICO) maintains and enforces the DPA across the UK, therefore awareness and understanding of the DPA is essential to businesses to ensure they do not breach it, which would result in action from the ICO.

The UK’s DPA is now in its third generation; therefore, organisations are required to modernise and comply with these new regulations. Data protection regulations vary in relation to small and medium-sized enterprises (SME) and large business. This variation is only slight, yet still calls for comprehension.

How does the DPA affect SMEs in particular?

Researchers have suggested that the SME sector is quite unclear as to how the DPA will affect them, therefore the ICO’s guidelines have established that if an organisation, regardless of size, is handling personal data from a living and identifiable individual, then they must comply.

The recent Cambridge Analytica scandal highlights that the size of a company has little impact on whether it should comply with data protection regulations. Cambridge Analytica was considered an SME, with less than 250 employees; however, Cambridge Analytica’s implication in the data breach of ten million Facebook users has led to financial consequences. Facebook users’ data was leaked to Cambridge Analytica, the small firm campaigning for Donald Trump in 2016. Subsequently, Cambridge Analytica has been banned from Facebook following its data breach and refusal to delete this data back in 2015.

This exemplifies the mis-handling of personal data by a business giant such as Facebook and an SME such as Cambridge Analytica. Consequently, SMEs and all businesses which handle personal data fall within the scope of the DPA.

Data Destruction Policy

Businesses are required to formulate a data destruction policy to comply with the DPA. This data destruction policy is formulated to ensure that devices, such as company hard drives, flash memory devices and mobile phones, have made previous data irretrievable.

Computer recycling has hindered data destruction policies, as organisations have discarded of computers, without effectively destroying the data on its IT system. The business sector is saturated with IT systems, therefore there is a responsibility to destroy the data on these computers to prevent cyber-criminals from gaining access to personal data.

Researchers in the UK retrieved personal information in the form of bank account details, company data and medical records from over 300 hard drives bought on eBay and at computer auctions. This research was headed by BT’s Security Research Centre following the highly sensitive case in which a hard drive bought from eBay contained details of a US military missile air defence system. Consequently, data destruction has become imperative if a business wants to mitigate the risks of a data breach.

How serious are the repercussions of a data breach within a business or organisation?

The repercussions of a data breach have intensified with the new legislation. The ICO can now fine an organisation up to four percent of their annual global turnover, or twenty million euros, whichever is higher.

Yahoo! UK Services Limited were fined £250,000 by the ICO following a data breach in November 2014. This data breach encompassed 500 million Yahoo! users and witnessed the compromise of their personal data.

The ICO considered the response from Yahoo! UK Services Limited as inadequate as it did not conform with the correct organisational measures needed to protect personal data. Therefore Yahoo! UK Services Limited were found guilty of breaching the seventh protection principleof in the DPA 1998.

This principle states that:

‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

The severity of this economic repercussion enforced by the ICO upon this organisation demonstrates the crippling nature of a data breach. Therefore, it is essential for a business or organisation to avoid a data breach, to ensure that such repercussions are not experienced.

Through well-formed knowledge and training which has modernised in conjunction with the new DPA legislation, businesses can ensure that compliance with the DPA is upheld. Therefore, staff members and businesses collectively will have a confident base to work from regarding their data protection.