With new security laws passing every year, and old laws constantly updating, the origins of current regulations can get lost in the haze of the past. But, knowing how current legislation came to be can give you a leg up in understanding the broader compliance landscape. Take the GDPR for example. You’ve almost certainly heard of it, but have you heard of its predecessor, the Data Protection Act (DPA) of 1988? No? Read on to learn why it should be on your radar.

What was the Data Protection Act (DPA) of 1988?

The Data Protection Act (DPA) of 1988 was a regulation established in the UK. It was created in order to regulate the way that businesses, organizations, and government bodies used the personal information of their users or consumers. This included information that was stored electronically, as well as information physically stored in filing cabinets or elsewhere. The law established accountability – hefty fines were imposed on any organization that didn’t follow the DPA’s guidelines.

The DPA was one of the first of its kind and came about as consumer information was getting collected at a higher rate than ever before. Real accountability for the booming number of organizations holding people’s personal information began to take shape and become a norm. 

Why was the Data Protection Act important?

The DPA was significant to the data protection landscape because it established best practices for years to come. The act created a framework – referred to as the data protection principles – that all organizations that stored personal data were legally compelled to follow. 

These principles (now known as the 7 GDPR principles), which have evolved since the law’s inception in order to keep up with the changing landscape, are outlined as follows:

Lawfulness, fairness, and transparency: Essentially, users need to be able to understand what they are signing up for and who they are giving their information to. Organizations must use plain, clear language to communicate these points.

Purpose limitation: Organizations can only use information for the purpose around which it was collected. 

Data minimization: This principle ensures that only the amount of data actually needed for the purpose is what is collected. Businesses cannot collect an excess amount of data.

Accuracy: Organizations are responsible for keeping accurate records, and for either updating or disposing of any inaccurate information.

Storage Limitation: Organizations have limits on how long they can store personal data, and they must provide reasonable justification for retaining data for longer than a certain amount of time. 

Integrity and confidentiality: Organizations are responsible for the data they collect, and therefore must keep information secure through appropriate safeguards.
Accountability: Businesses must provide proof (records and documentation) of the measures they are taking to keep information safe. 

In addition to these principles that now govern most organizations’ security plans, the DPA also established rights for the people whose information has been collected (now known as the 8 GDPR Rights). These include things like the right of access, the right to be informed, the right to erasure, and even the right to object. These rights were significant because they established a foundation for consumer control over their own personal information. 

The GDPR replaced the Data Protection Act.

If you haven’t heard of the Data Protection Act, that’s likely because it was replaced by the General Data Protection Regulation (GDPR) in 2018. For anyone doing business in Europe – meaning you're based in Europe, you conduct business in Europe, or you collect data from European customers – compliance with the GDPR is required. 

The update from the DPA to the GDPR helped to create a standard that worked across the European business landscape and also addressed many of the developments that have changed the world of personal information and security since the original DPA’s inception. 

Because the GDPR is so comprehensive, it can also feel complex and intimidating for those who are working toward compliance. And, the GDPR imposes some of the heaviest fines for violations in the world – making that compliance all the more necessary. What began as one of the first laws ever imposed around the protection of consumer data has now become one of the most comprehensive measures in information security and privacy to date. 

If you're required to meet the requirements of GDPR, Strike Graph can help. 

If you’re an organization that needs to meet the requirements of the GDPR, Strike Graph is here to help. Our all-in-one compliance platform makes the process of reaching, maintaining, and proving GDPR compliance simple and painless. Our preloaded library of GDPR controls allows you to choose exactly what you need to streamline your compliance process. What’s more, you’ll be able to leverage the work you’ve done for GDPR to reach many other compliance measures that have become necessary. 

The days of 1988 and the DPA may be long past us, but the GDPR is here to stay for the foreseeable future. Strike Graph can make sure you’re ready for GDPR compliance and keep your business successful and secure.