We may have a pretty good idea what the Data Protection Act set out to achieve in general, but do we know why and how it came into being? The very need to legislate to safeguard data indicates that something was fundamentally wrong. Data protection legislation stems from two basic developments:
- Digital data can very easily be copied and shared
- Personal data has become very valuable to criminals
What Exactly Does The Data Protection Act Legislate?
The Act came into being in its original form in 1998. It evolved gradually and was greatly strengthened in 2018 with the incorporation of the very stringent EU General Data Protection Regulation (GDPR). It distinguishes between personal data and sensitive data and sets out how they should be captured, handled, stored, used and shared.
- Personal data: includes date of birth, credit card details, driver's licence number etc.
- Sensitive data: relates to things like medical records and requires explicit permission from the individual before it can be retained.
Consumers have greater control over what data may be held about them, and organisations are obliged to permanently delete it should the individual request it. For organisations, the level and extent of protection and tracking of this data have become far more onerous, with very severe financial penalties for non-compliance.
What Has Changed To Make Data Protection Laws Necessary?
In the days when data was stored in decks of punched cards and large unwieldy disks, data theft was rare and restricted to commercial secrets, such as might have been held by an R&D department. Computers were standalone. Internet connectivity and networks had not been invented. The fundamental change was connectivity enabled by the Internet.
Fast forward 40 or so years and vast numbers of innocuous devices such as fridges and CCTV cameras are Internet enabled and connected to networks. That means each one is an endpoint of its network with potential to act as a gateway for intruder access. In many cases, it is but a few hops across network servers to reach data storage locations. Criminal elements suddenly had relatively easy access to valuable consumer data. Cyber security developed and became a critical defence mechanism.
The Data Protection Act attempted to force some best practices on all manner of organisations that captured and stored personal and sensitive data. The GDPR hardened the requirements considerably, addressing modern network infrastructure weaknesses with strict processes in many cases.
History Of Data Protection
Data concerns began to surface in the late 1960s and Sweden was the first country to enact legislation in 1974 that required holders of personal data to become licensed. The EU moved in 1995 to issue a Data Protection Directive that was the forerunner of the UK’s Data Protection Act that came into being in 1998. That all led to GDPR, which protects the data of all EU citizens, even when it is a non-EU organisation that holds the data. This is a far-reaching initiative that grants far more protection and rights to individuals than has ever been attempted anywhere in the world.
Secure IT Asset Disposal
Data lives on in devices that are earmarked for disposal and presents a real risk of GDPR non-compliance for the unwary.