Data protection (2023)

Skip to contents of guide

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

(Video) GDPR Data protection basics - The difference between data protection and information security

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

(Video) Data Protection Transformed 2022 | MainStage | Full Keynote

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

(Video) What is Data Protection and Why Do You Need It?

Your rights

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

  • be informed about how your data is being used
  • access personal data
  • have incorrect data updated
  • have data erased
  • stop or restrict the processing of your data
  • data portability (allowing you to get and reuse your data for different services)
  • object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

(Video) Data protection: the basics

  • automated decision-making processes (without human involvement)
  • profiling, for example to predict your behaviour or interests

View a printable version of the whole guide

(Video) Privacy and data protection | Introduction to Privacy | GDPR | What Is Privacy?
(Video) GDPR explained: How the new data protection act could change your life


What to say about data protection in an interview? ›

A strong knowledge of on-point privacy laws. Experience in data protection and legal compliance.
What to listen for:
  • Up-to-date knowledge of GDPR plus any other relevant regulations.
  • An organized and systematic approach with strong attention to detail.
  • A track record of facilitating a culture of data protection.

Where can you get answers regarding data security? ›

National Cyber Security Centre (NCSC)

The NCSC is a simple, clear government website dedicated to IT security.

What are the 5 data protection principles? ›

At a glance
  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security)
  • Accountability.

What are 3 things you must do to comply with data protection? ›

10-Step Checklist to be GDPR-Compliant
  • Know All of the Data Your Business Collects. ...
  • Appoint a Data Protection Officer (DPO) ...
  • Create a GDPR Diary. ...
  • Evaluate Your Data Collection Requirements. ...
  • Instantly Report Data Breaches. ...
  • Be Transparent About Data Collection Motives.

How do you explain data protection? ›

Data protection is the fair and proper use of information about people. It's part of the fundamental right to privacy – but on a more practical level, it's really about building trust between people and organisations.

How do you demonstrate data protection? ›

Mobile Data Protection
  1. Enforcing communication via secure channels.
  2. Performing strong identity verification to ensure devices are not compromised.
  3. Limiting the use of third-party software and browsing to unsafe websites.
  4. Encrypting data on the device to protect against device compromise and theft.

Why do I have to answer security questions? ›

Usually, a security question is asked as a secondary measure to verify your identity when attempting to gain access to a private account. Its purpose is to add an extra layer of security, assuming that an unauthorized user will not answer correctly and be denied entry.

Why do I need to answer security questions? ›

Security questions are part of a verification process meant to ensure the safety of your user account. They are also used to identify you if you forget your password and cannot access your account.

What are the 7 rules of the data protection? ›

The Seven Principles
  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security)
  • Accountability.

What are the 7 golden rules of data protection? ›

Necessary, proportionate, relevant, adequate, accurate, timely and secure: Ensure that information you share is necessary for the purpose for which you Page 2 are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely (see ...

What are the 8 rules of data protection? ›

Lawfulness, fairness, and transparency; ▪ Purpose limitation; ▪ Data minimisation; ▪ Accuracy; ▪ Storage limitation; ▪ Integrity and confidentiality; and ▪ Accountability. These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation.

What are the 4 elements of data protection? ›

Protect against these threats by implementing the four pillars of data protection; assessment, governance, training, and response.

What are the 3 key elements of data privacy? ›

The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability.

What are the 3 levels of data protection? ›

Levels of Data Protection
  • Authentication.
  • Authorization.
  • Access Auditing and Analysis.
Feb 22, 2022

What is the main purpose of data protection? ›

Data protection safeguards information from loss through backup and recovery. Data security refers specifically to measures taken to protect the integrity of the data itself against manipulation and malware. It provides defense from internal and external threats. Data privacy refers to controlling access to the data.

What does data protection cover? ›

Data protection law sets out what should be done to make sure everyone's data is used properly and fairly. You probably have personal data about your customers and clients such as names, addresses, contact details. You might even have sensitive information such as medical data.

What are examples of protected data? ›

Definitions of Selected Types of Protected Data
  • Social Security Number (SSN)
  • Driver's license number, or State-Issued ID card number.
  • Financial account number, credit** or debit card number in combination with any required security code, access code, or password.
  • Personal medical information.
  • Health insurance information.
Jul 20, 2022

What is data protection solution example? ›

A data protection solution, for example, a data backup and recovery solution, ensures the safety of your organization's sensitive data by storing a copy of your data on a separate or third-party server. In most cases, these backups occur autonomously and frequently, resulting in maximum data protection.

How do you comply with data protection at work? ›

Employers must demonstrate data protection compliance by training, auditing and documenting processing activities, and reviewing HR policies. They should also: Appoint a data protection officer (DPO) where appropriate – see below. Only collect personal data that is adequate, relevant and necessary.

What is a good security question and answer? ›

A good security question should have a fixed answer, meaning that it won't change over time. A good example of a security question with a stable answer: “What is your oldest cousin's first name?” This example works because the answer never changes.

What are the two important aspects in data protection? ›

fair and lawful processing; purpose limitation; data minimisation and data retention.

Should you answer security questions truthfully? ›

ClearanceJobs always recommends answering the question that is being asked of you fully and truthfully. If one misdemeanor is all you have on your record from a few years ago, remember that time passed and positive patterns in terms of behavior are mitigating factors.

Can a security guard question you? ›

Authority to Question and Basis for Making Decisions

A security guard/proprietary private security officer is an agent of the owner of the private property and, in this role, can exercise the owner's right to ask people on the (owner's) property what they are doing there, who they are, etc.

What is the 6 data protection principle? ›

What is the sixth principle about? “Appropriate security” includes “protection against unauthorised or unlawful processing and against accidental loss, destruction or damage”.

What are examples of sensitive data? ›

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • trade-union membership;
  • genetic data, biometric data processed solely to identify a human being;
  • health-related data;
  • data concerning a person's sex life or sexual orientation.

How many data protection rules are there? ›

The GDPR (General Data Protection Regulation) outlines six data protection principles that summarise its many requirements.

What are the five key terms for secure personal data handling? ›

In this chapter, we focus on the five core principles of privacy protection that the FTC determined were "widely accepted," namely: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, and Enforcement/Redress.

Which is one of the major components of data protection? ›

Confidentiality, Integrity and Availability

Confidentiality, integrity and availability (CIA), also known as the CIA triad, are key components that must be maintained in order to ensure the protection of data. A data protection strategy should define CIA standards and measures to maintain them.

What are the key elements of a data protection policy? ›

A data protection policy should cover the following aspects:
  • The scope of required data protection.
  • Data protection techniques and policies applied by relevant parties such as individuals, departments, devices, and IT environments.
  • Any applicable legal or compliance requirements for data protection.

What are the three basic states of data? ›

Three states of data is a way of categorizing structured and unstructured data. The three states of data are data at rest, data in motion and data in use. Data can change states quickly and frequently, or it may remain in a single state for the entire life cycle of a computer.

What are the 3 main types of data classification? ›

Data classification generally includes three categories: Confidential, Internal, and Public data.

What skills are required for data protection? ›

Excellent communication (both oral and written) is also a must as is the ability to work well in a team. Data privacy officers must also have strong project management skills and interpersonal skills. Skills of a data protection officer: Expert knowledge in data protection laws and practices.

What are the three key responsibilities of a data protection officer? ›

A data protection officer is responsible for educating a company's employees about data compliance, training members of staff who are involved in processing data, and carrying out regular security audits. They also serve as the main point of contact between the company and the relevant data protection authorities.

Why do you think data protection is important? ›

Data protection is important, since it prevents the information of an organization from fraudulent activities, hacking, phishing, and identity theft. Any organization that wants to work effectively need to ensure the safety of their information by implementing a data protection plan.

What is considered a good data protection practice? ›

Classify all data

To ensure data confidentiality, integrity and availability, an organization has to know what data it has. Conduct a data inventory so stakeholders can better understand the quality and value of the data they are responsible for and classify it appropriately.

What is an example of sensitive personal data? ›

genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person's sex life or sexual orientation.

What is employee data protection responsibility? ›

Employee data protection is the act of ensuring the protection of an employee's personal data while working in a company. Personal data includes information like name, address, social security numbers, bank account details, etc.

What is the role of employees in data protection? ›

Employees' rights

Employees have a number of rights under GDPR, including the right to: Information about the collection and processing of their personal data. Access the personal data and supplementary information held about them by the data controller.

What is the difference between data protection and data privacy? ›

While data protection focuses on preventing unauthorized access, data privacy is geared toward ensuring authorized access, with much of it coming down to determining who has legal access to the data. As a result, data protection is much more technical, and data privacy is more policy-focused.

What is not classed as personal data? ›

Examples of data not considered personal data

a company registration number; an email address such as ; anonymised data.


1. Privacy and data protection | Introduction to Privacy | GDPR | What Is Privacy?
2. Do I need to pay the ICO data protection fee?
(1st Formations)
3. What are the 7 principles of GDPR?
(Privacy Kitchen)
4. Data Protection and Privacy
5. Data Privacy and Consent | Fred Cate | TEDxIndianaUniversity
(TEDx Talks)
6. Data Protection Explained | Privacy International
(Privacy International)
Top Articles
Latest Posts
Article information

Author: Catherine Tremblay

Last Updated: 02/03/2023

Views: 5764

Rating: 4.7 / 5 (47 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Catherine Tremblay

Birthday: 1999-09-23

Address: Suite 461 73643 Sherril Loaf, Dickinsonland, AZ 47941-2379

Phone: +2678139151039

Job: International Administration Supervisor

Hobby: Dowsing, Snowboarding, Rowing, Beekeeping, Calligraphy, Shooting, Air sports

Introduction: My name is Catherine Tremblay, I am a precious, perfect, tasty, enthusiastic, inexpensive, vast, kind person who loves writing and wants to share my knowledge and understanding with you.