Data Protection Act 1998
The Data Protection Act (DPA), which came into force on 24 October 1998, requires all organisations that process personal data to comply with eight data protection principles. The eight principles cover every aspect of processing personal data, including how the data is collected, the reasons for its processing, how long it is held, maintaining its confidentiality and integrity, and its onward transmission.
Failure to comply with the Act can lead either to enforcement action by the UK's Information Commissioner or to criminal and/or civil prosecution. Notwithstanding the extent of any punitive action taken by the Information Commissioner or the courts, the damage to an organisation's brand or reputation, should it be found not to be complying with the law, could be severe. The fear of non-compliance, combined with the ongoing occurrence of high-profile data leakages, has served to keep data protection high on management agendas. Despite the high profile of the DPA, however, there is still a great deal of uncertainty and misunderstanding surrounding the Act. This can often be counter-productive, as staff become over-cautious and defensive, which may lead to the obstruction of valid business processes.
Complying with the Data Protection Act
URM's consultants have been assisting organisations to comply with the DPA since its inception in 1998. URM believes a critical factor in achieving compliance is to ensure that the associated costs and bureaucracy do not become burdensome. This is where the consultants' experience can help organisations achieve the optimum balance between security and productivity.
URM's recommended approach to compliance is pragmatic and involves the following stages:
1. Identifying personal data information assets
2. Determining the different ways that personal data is processed (including how data is obtained, stored, secured and transmitted)
3. Comparing the way data is processed with:
   - the requirements of the eight data protection principles and other legal and regulatory requirements
   - the organisation's registration at the Information Commissioner's Office
4. Reporting any mismatches between stages 2 and 3
5. Ensuring appropriate policies and procedures are in place, i.e. a Data Protection System, so that compliance is achieved by staff adhering to them.
Having conducted a large number of DPA gap analyses, URM has found that the aspects of the DPA which many organisations appear to struggle with are principles 1 and 7, i.e. that information must be obtained fairly and that information must be kept secure. It is also URM's experience that an organisation's registration with the Information Commissioner's Office is often inaccurate. In addition to conducting gap analyses, URM offers a range of remediation services, including the development of the data protection system (e.g. the writing of policies and procedures, and staff awareness training programmes).
Data Protection Training and Workshops
In addition to its consultancy services, URM offers an introductory course on the DPA as part of its public training programme. The course aims to give those individuals responsible for their organisation's compliance a comprehensive understanding of the requirements of the DPA. For organisations looking to raise awareness and understanding across a number of departments, URM holds on-site training courses and workshops. These on-site courses allow the training material to be tailored more closely to the organisation's needs, e.g. comparing the actual processing of personal data against the registration with the Information Commissioner's Office.
