How to comply with the Data Protection Act of 1998

Alan Calder explains the basic requirements of the U.K. Data Protection Act of 1998. He highlights how to comply with the Data Protecting Act and discusses the regulations guidelines and basic requirements.

What are the key things I have to do to comply with the Data Protection Act of 1998?
There are a number of basic requirements for the U.K. Data Protection Act of 1998 and some are extremely demanding. As a minimum, every organization that is going to process personal data (and this means any data relating to a living human being, not to an organization) must register with the Information Commissioner ( and describe, in the registration, what the purpose of processing this data is. It must be a permitted purpose. Registration is annually renewable and, once registered, you must comply with the purposes for which you've registered. That's the easy bit. The more complex bit is, in essence, that you must comply with the eight principles of the Data Protection Act. The eight principles are that personal information must be:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection
  • The ICO has comprehensive information ( and the BSI Data Protection Guide provides comprehensive guidance.

    Read more on Regulatory compliance and standard requirements