The Data Protection Act 1998 (DPA) was designed to give organisations a working framework for protecting personal data, and sensitive personal data in particular. The Act has been amended many times over the years, but its main purpose has not changed.
In outline, the Act strikes a balance between the right to privacy of individuals (the data subjects) and the ability of organisations (the data controllers) to use personal data for the purposes of their business.
The DPA sets out eight data protection principles that the data controller must comply with. In abbreviated form they are:
* Personal data must be processed fairly and lawfully, and obtained only for specified, lawful purposes.
* The data must be adequate, relevant and not excessive, and must be accurate and kept up to date.
* The data must not be kept longer than necessary.
* The data must be processed in accordance with the rights of the data subject.
* The data must be protected by appropriate technical and organisational measures, having regard to the state of technological development and the cost of implementing them; this applies to backups as much as to live systems, and to small businesses as much as to large ones.
* The data must not be transferred outside the European Economic Area unless the destination ensures an adequate level of protection.
Whilst this is not an exhaustive review of the principles, it gives business managers a flavour of the working practice expected of them in order to comply with the DPA.
Principle 7 of the DPA reads: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
In practice this means it is the business manager's responsibility to ensure that personal data is kept safe and secure at all times. There are many ways a manager can protect data; the remainder of this article looks at the technical side, and at backups in particular.
Over recent years data security has become a high-profile aspect of any business. Managers must be able to show that they take it seriously: that they have reviewed their current procedures and policies, and that they have a budget available to improve the protection of data.
One widely adopted measure is encrypting data at the point of backup. Encryption keeps backed-up data safe because the data can only be read by someone who holds the encryption key: modern ciphers are designed so that recovering the plaintext without the key is computationally infeasible. Two caveats follow from this. The key must be stored separately from the backup media, otherwise anyone who obtains a lost tape or disk also obtains the means to read it; and the key must itself be backed up and protected, because a backup whose key has been lost is as unrecoverable as one that was destroyed, which is exactly the accidental loss Principle 7 requires the organisation to guard against.
If companies review their backup procedure and adopt encryption of backups, they are both revisiting their policies and procedures and keeping pace with technological development, as Principle 7 expects.
If an organisation is found to be non-compliant with Principle 7 and a data breach occurs, it is liable to investigation by the Information Commissioner's Office and potentially a hefty fine. Even where the company can pay the financial penalty, the breach may seriously damage its reputation with clients and staff.
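To make the backup-encryption point concrete, here is an added example (not code from the original article or from any product it describes) that seals a backup with AES-256-GCM, an authenticated cipher, so that a stored backup can only be restored with the key and any alteration to the stored bytes is detected rather than silently restored. The key is generated and handled separately from the encrypted blob; in a real deployment it would live in a key store or HSM, and the sample "customer records" below are constructed fictitious data. Function names, the label string and the key-handling arrangement are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize = 32 // AES-256

// NewBackupKey generates a random AES-256 key. In practice this key lives in a
// key store or HSM (assumption for the example), never on the backup media.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals a backup archive with AES-256-GCM and returns
// nonce || ciphertext || tag. label (for example the backup set name and
// date) is authenticated but not encrypted, so a backup cannot be silently
// relabelled or swapped for an older set without detection.
func EncryptBackup(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to nonce, so the output is the nonce followed by ciphertext+tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// DecryptBackup reverses EncryptBackup. It fails if the key or label is wrong
// or if a single byte of the stored backup has been altered.
func DecryptBackup(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("backup blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(label))
}

// newGCM rejects keys of the wrong length before building the AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample backup: fictitious customer records, not real data.
	backup := []byte("id,name,postcode\n1,A. Example,AB1 2CD\n2,B. Sample,EF3 4GH\n")
	label := "customers-full-2015-01-31" // assumed backup set label

	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptBackup(key, backup, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d bytes of backup into %d bytes\n", len(backup), len(blob))

	// Restore with the right key: succeeds and returns the original records.
	restored, err := DecryptBackup(key, blob, label)
	fmt.Println("correct key restores data:", err == nil && bytes.Equal(restored, backup))

	// A lost tape without the key is useless to whoever finds it.
	otherKey, _ := NewBackupKey()
	_, err = DecryptBackup(otherKey, blob, label)
	fmt.Println("wrong key rejected:", err != nil)

	// Accidental or malicious damage to the stored backup is detected, not
	// silently restored as corrupt data.
	damaged := append([]byte(nil), blob...)
	damaged[len(damaged)/2] ^= 0x01
	_, err = DecryptBackup(key, damaged, label)
	fmt.Println("damaged backup rejected:", err != nil)
}
```

The design point is the separation of key and ciphertext: the blob can be shipped to offsite storage or a third-party provider, while the key stays with the organisation. GCM's authentication tag also addresses the "damage to personal data" wording of Principle 7, because a bit-rotted or tampered backup fails to open instead of restoring silently corrupted records.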