Data Protection Act Compliance
With over 30 Data Privacy Assessments undertaken using our proprietary Data Protection Act Data Security Standard (DPA-DSS), MTI is able to deliver elegant and pragmatic solutions to Data Privacy issues, regardless of the context. MTI is a well-respected independent player in the information assurance vertical and has extensive experience advising clients in the Data Privacy arena.
MTI Data Protection Act Compliance: Overview
The Data Protection Act requires anyone who processes personal information to comply with eight basic principles:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for lawful purposes
- Personal data shall be adequate, relevant and not excessive
- Personal data shall be accurate and kept up to date
- Personal data shall not be kept longer than necessary
- Personal data shall be processed in accordance with the rights of data subjects under this Act
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing
- Personal data shall not be transferred to a country or territory outside the EU
Your DPA Compliance Questions Answered
Q1. Does the UK Data Protection Act apply to my organisation?
Compliance with the Data Protection Act is a legal requirement for all organisations operating in the United Kingdom which collect, store or process personally identifiable information.
Ensuring ongoing compliance with the Act is therefore an essential management activity for any company or organisation which engages in the above-mentioned activities.
Q2. What are the issues around Data Privacy that I should be aware of?
Most modern organisations are reliant on their brand reputation to attract and retain customers and partners in the private sector, or to achieve their organisational or statutory goals in the public sector.
A breach of data privacy could have far wider consequences than any sanction imposed by the Information Commissioner or any other regulatory body and could compromise a key commercial relationship or prejudice your organisation's ability to win and retain customers.
Q3. What does my organisation need to do to ensure compliance?
The process should begin with the selection of an expert third party advisor.
In conjunction with the expert advisor, assess your organisation against the eight principles of Schedule One of the Act and determine a remediation plan that will close off any shortcomings identified in the most pragmatic and cost efficient manner.
The expert advisor will also recommend how best to deal with requests from data subjects whose personal data your organisation controls.
Q4. What measures will I have to undertake to ensure compliance with the Act?
Compliance with the Data Protection Act is achievable through a regime of analysis and assessment, training and awareness initiatives, organisational support and policy implementation, all of which need to be underpinned by appropriate technological, architectural and infrastructure investments.
Q5. We are compliant with the Act but we outsource processing of our data to 3rd parties. What about them?
Whilst your data processing may be outsourced, your responsibility to ensure that the data is handled in accordance with the requirements of the Act is not. Your organisation must take measures to ensure that any third party with whom it shares data is compliant with the Act.
Q6. We offshore data to a call centre/data centre outside the EEA. Is this a crime?
Technically it is a crime to offshore data to any legal jurisdiction that has not met the requirements of equivalency to the protection provided by the UK Data Protection Act. In reality, there are mechanisms available to organisations which, when implemented, allow the offshoring of data in controlled circumstances.
If you would like more information regarding DPA Compliance please contact the MTI security consultancy team to discuss your requirements.