Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is the DPA and Why Does It Matter for UK Businesses?
- How Does the DPA Work With UK GDPR?
- What Counts as Personal Data Under the DPA?
- Who Needs to Comply With the DPA?
- What Rights Do Individuals Have Under the DPA?
- What Are the Key Principles of the DPA?
- What Practical Steps Should a UK Business Take to Comply With the DPA?
- What Happens If You Don’t Comply With the DPA?
- What Documents and Contracts Should Every Business Have for DPA Compliance?
- What Else Do UK Businesses Need to Know About Ongoing DPA Responsibilities?
- Key Takeaways: Setting Up Your Business for DPA Success
Handling personal data has become a core part of running a business in the UK. Whether you’re collecting customer emails for marketing, storing employee records, or managing online transactions, you need to follow strict rules about privacy and security. That’s where the Data Protection Act (or DPA) comes in.
If you’re not sure what the DPA means for your small business, don’t stress. In this guide, we’ll break down the essentials of the DPA in plain English. We’ll cover what the law requires, who it applies to, how it links with UK GDPR, and what steps you should take to stay compliant. Setting up your data protection right from the start isn’t just about avoiding fines: it’s about building trust and future-proofing your business growth.
Let’s get you up to speed on the DPA so you can focus on growing your business confidently and ethically.
What Is the DPA and Why Does It Matter for UK Businesses?
The Data Protection Act 2018 (DPA) is the main piece of legislation that governs how personal data is used, stored, and shared in the UK. It works hand-in-hand with the UK General Data Protection Regulation (UK GDPR) to give people more control over their personal data and place greater responsibilities on businesses that process data.
So, what does this mean for you as a business owner? Here’s a quick rundown:
- If you collect, store, or use personal information about individuals in the UK (even if it’s just names and email addresses), you need to comply with the DPA and UK GDPR.
- This includes data about your customers, employees, suppliers, or anyone you interact with in a business capacity.
- The DPA applies to all types of businesses, whether you’re a sole trader, limited company, partnership, nonprofit, or even a hobbyist who does some trading on the side.
Not following the DPA can lead to significant fines, legal disputes, reputation damage, or lost trust. But with some clear steps and professional contracts in place, staying compliant is absolutely achievable.
How Does the DPA Work With UK GDPR?
You might have seen a lot about the GDPR (General Data Protection Regulation), especially since the big changes in 2018. In the UK, we now follow the UK GDPR, which sits alongside the DPA 2018. Here’s how they fit together:
- The UK GDPR sets out the core principles, such as lawfulness, fairness, transparency, and the rights of individuals over their data.
- The DPA 2018 provides more specific rules for how these principles are applied in the UK, including some UK-only rules and exceptions (such as those for law enforcement and national security).
For business owners, this means that the DPA and UK GDPR are essentially inseparable: when you comply with one, you’re nearly always addressing the requirements of the other. Think of the DPA as the UK’s official “manual” for applying GDPR rules in our local context.
If you're curious about how both laws work together, you’ll find a clear breakdown in our guide to the Data Protection Act 2018 and UK GDPR.
What Counts as Personal Data Under the DPA?
Personal data means any information that relates to a living individual who can be identified from that information. It goes beyond the obvious, such as names, addresses, or National Insurance numbers. Under the DPA and UK GDPR, personal data can also include:
- Email addresses, phone numbers, and physical addresses
- Online identifiers (such as IP addresses and cookies linked to individuals)
- Photos, CCTV footage, or audio recordings (if a person is identifiable)
- HR records, payroll details, and disciplinary records for your employees
- Location data and biometric information (like facial recognition)
- Special category data (such as health data, religious beliefs, or trade union membership), which gets extra protection
If you’re collecting any of the above as part of your business, the DPA applies to you.
Who Needs to Comply With the DPA?
Almost every business in the UK needs to comply with the DPA, but the main responsibilities fall on two types of organisations:
- Data Controllers: If you decide why and how personal data is processed (even if you use a third party to do the work), you’re a controller. Most self-employed business owners, companies, charities, and even clubs will be controllers.
- Data Processors: If you handle data only as instructed by another business (your client), you’re a processor. For example, a payroll company handling payslips for other firms is a processor. (But usually, most small businesses are controllers or both!)
You can find out more about determining your role in our explainer on controllers versus processors.
What Rights Do Individuals Have Under the DPA?
The DPA, working with UK GDPR, gives people in the UK a set of rights over their personal data. These rights are crucial when you’re handling staff, customer, or supplier information. Get familiar with these key rights:
- Right to be informed about how you collect and use personal data (which is why a Privacy Policy is essential!)
- Right of access (subject access requests: people can ask to see their data)
- Right to rectification (people can correct errors in their data)
- Right to erasure (the “right to be forgotten”: deleting personal data when requested and allowed)
- Right to restrict processing or object to certain uses
- Rights regarding data portability (transferring data in a usable format)
- Rights regarding automated decision-making and profiling
If you receive a request from someone exercising these rights, you need to know how to respond promptly and correctly, or you risk a complaint to the ICO (the UK’s data watchdog).
Top tip: Our guide to subject access requests has practical steps for handling these requests the right way.
What Are the Key Principles of the DPA?
The DPA (echoing the UK GDPR) sets out seven key principles for businesses to follow. These are the backbone of data protection in the UK:
- Lawfulness, Fairness, and Transparency: Only collect data fairly and tell people how it will be used.
- Purpose Limitation: Only use data for the specific purpose you collected it for.
- Data Minimisation: Only collect what you really need.
- Accuracy: Keep personal data up to date and correct inaccuracies promptly.
- Storage Limitation: Don’t keep data for longer than necessary. Set clear retention policies.
- Integrity and Confidentiality (Security): Keep data secure - with strong passwords, access controls, and proper policies.
- Accountability: Be able to show how you follow all these rules (documentation, records, policies, staff training, etc.).
Getting these right from the start lays solid foundations for your business and goes a long way towards compliance.
What Practical Steps Should a UK Business Take to Comply With the DPA?
Taking action on the DPA doesn’t mean drowning in paperwork; think of it as a checklist to tick off as you get your business in order. Here’s a practical roadmap:
- Draft and publish a Privacy Policy that clearly explains what you collect, why, and how people can exercise their rights. Avoid copying templates; have it tailored for your business! See what to include in our Privacy Policy guide.
- Complete a data audit: List what personal data you collect, where it’s stored, how it’s secured, and who has access.
- Train staff members on data protection and how to handle breaches or requests for access.
- Set up secure systems: Use strong passwords, two-factor authentication, and keep software updated. Limit access to sensitive data.
- Review contracts with suppliers or partners who process personal data on your behalf. Make sure you have a clear Data Processing Agreement with each one.
- Register with the ICO and pay your data protection fee (unless you’re exempt). See our ICO registration guide for details.
- Plan for data breaches: Know what to do if data gets lost or stolen. The law requires you to notify the ICO within 72 hours (and, in some cases, the affected individuals as well). Check out our data breach response guide here.
- Regularly review and update your practices: Privacy compliance isn’t a one-time task. Schedule check-ins to refresh training, policies, and security.
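The data audit, access-limiting, supplier-contract and breach-notification steps above can be turned into a simple, repeatable check. The script below is an added example written for this guide, not a Sprintlaw tool or an ICO template: the inventory format, the field names, the sample datasets and the check thresholds are all assumptions constructed for illustration. It records each dataset in a small register and flags the points where the DPA principles listed earlier (storage limitation, integrity and confidentiality, accountability) are not being met, and it works out the 72-hour ICO notification deadline from the moment you became aware of a breach.

```python
"""Added example for this guide: a minimal personal-data register check.

Not Sprintlaw's code and not an official template. The register fields,
sample records and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class DataSet:
    """One entry in the data audit register (field names are assumptions)."""
    name: str
    purpose: str                 # why you hold it (purpose limitation)
    special_category: bool       # health, beliefs, union membership, etc.
    retention_days: int          # your stated retention period
    oldest_record: date          # age of the oldest record still held
    access_groups: List[str]     # who can see it
    encrypted_at_rest: bool
    processor: Optional[str] = None   # third party handling it for you
    dpa_signed: bool = False          # Data Processing Agreement in place?


# Constructed sample register; the names and dates are made up.
SAMPLE_INVENTORY = [
    DataSet("newsletter_subscribers", "marketing emails", False, 730,
            date(2022, 1, 10), ["marketing"], True),
    DataSet("employee_health_notes", "sick leave records", True, 2190,
            date(2023, 5, 2), ["all-staff"], False),
    DataSet("payroll", "paying staff", False, 2190,
            date(2024, 3, 1), ["finance"], True,
            processor="Example Payroll Ltd", dpa_signed=False),
]

AUDIT_DATE = date(2025, 6, 1)                      # constructed audit date
SAMPLE_BREACH_AWARE_AT = datetime(2025, 6, 1, 9, 0)  # constructed breach time

Finding = Tuple[str, str, str]  # (dataset, DPA principle, problem)


def audit(inventory: List[DataSet], today: date) -> List[Finding]:
    """Return one finding per principle a dataset fails to meet."""
    findings: List[Finding] = []
    for ds in inventory:
        # Storage limitation: nothing older than the stated retention period.
        if (today - ds.oldest_record).days > ds.retention_days:
            findings.append((ds.name, "Storage limitation",
                             f"records older than {ds.retention_days}-day "
                             "retention period"))
        # Integrity and confidentiality: protect special category data.
        if ds.special_category and not ds.encrypted_at_rest:
            findings.append((ds.name, "Integrity and confidentiality",
                             "special category data not encrypted at rest"))
        # Integrity and confidentiality: limit access to those who need it.
        if "all-staff" in ds.access_groups:
            findings.append((ds.name, "Integrity and confidentiality",
                             "access not limited to the people who need it"))
        # Accountability: every processor needs a signed DPA.
        if ds.processor and not ds.dpa_signed:
            findings.append((ds.name, "Accountability",
                             f"no Data Processing Agreement with {ds.processor}"))
    return findings


def run_sample_audit() -> List[Finding]:
    """Run the check over the constructed register."""
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


def ico_notification_deadline(aware_at: datetime) -> datetime:
    """Latest time to notify the ICO: 72 hours after becoming aware."""
    return aware_at + timedelta(hours=72)


if __name__ == "__main__":
    for name, principle, problem in run_sample_audit():
        print(f"{name}: [{principle}] {problem}")
    print("ICO deadline for sample breach:",
          ico_notification_deadline(SAMPLE_BREACH_AWARE_AT).isoformat())
```

Keeping the register as data rather than in a spreadsheet means the same check can run before each of the regular reviews the next step recommends, and a new dataset added without a retention period or a signed agreement shows up immediately.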
If you’re just starting out, focus on the basics: clear Privacy Policy, staff awareness, and secure storage of all personal data. You can build more sophisticated protections as you grow.
What Happens If You Don’t Comply With the DPA?
Ignoring your DPA duties can lead to enforcement action by the Information Commissioner’s Office (ICO) or even civil claims by individuals. The ICO has the power to:
- Investigate complaints about your data practices
- Order changes to your processes or demand data is deleted
- Impose fines: these can run up to £17.5 million or 4% of worldwide annual turnover (whichever is higher) in extreme cases
But for most small businesses, the biggest risks are lower-level fines, public investigations, and reputational fallout. If customers lose trust in your ability to safeguard their data, it can have a long-term impact on your business’s brand and bottom line.
Remember: even an accidental data breach (like sending an email to the wrong address) can trigger investigations. It’s far better to have proper systems and policies from the outset.
What Documents and Contracts Should Every Business Have for DPA Compliance?
While day-to-day best practices are essential, having the right legal documentation is your primary safeguard. Here are some must-haves for DPA and data protection compliance:
- Privacy Policy: Clearly sets out your data handling processes for customers and staff. (See our Website Terms & Conditions bundle for related documents.)
- Internal Data Protection Policy: Sets standards for your staff on handling personal data safely and lawfully.
- Data Processing Agreements: Required when any third party (like a software supplier or marketing agency) handles personal data on your behalf.
- Data Breach Response Plan: A clear plan for your team to follow if something goes wrong. (Check out our template and recommended steps.)
- Cookie Policy: Required if your website uses cookies to track visitors (see our Cookie Policy guide).
Avoid using generic templates or drafting legal documents yourself; data protection is a fast-moving area, and mistakes can be costly. It’s a smart move to get professionally tailored policies that match your business’s unique operations and data risks.
What Else Do UK Businesses Need to Know About Ongoing DPA Responsibilities?
Staying on the right side of the DPA is all about being proactive; it’s not a “once-and-done” exercise. Here’s what ongoing compliance looks like:
- Keep an eye on changes in the law: Data protection requirements can change, with updates from the ICO or new legislation. Know when to update your contracts and internal documents.
- Refresh employee training regularly: Make sure your team stays up to date with new risks, scams, and best practices.
- Review and update your legal documents (like your Privacy Policy, Cookie Policy, and contracts) at least annually or when you launch new products, add services, or expand locations.
- Keep communication open with your legal advisor: Having an expert on hand will protect you from new threats or changes you might miss.
Key Takeaways: Setting Up Your Business for DPA Success
- The DPA (working alongside UK GDPR) is the main law for handling personal data in the UK and applies to almost all businesses.
- If you process any personal information about individuals (customers, staff, suppliers), you need to comply with the DPA’s principles.
- The law gives individuals rights over their data and makes you responsible for fairness, security, and transparency.
- Essential DPA compliance steps include: having a robust Privacy Policy, conducting regular data audits, training staff, securing your IT, making data breach plans, and registering with the ICO.
- Make sure your legal documents and contracts are tailored and up to date; don’t rely on generic templates for something as critical as data protection.
- Fines and enforcement are real risks, but so are lost customers and reputation damage. Prioritise data protection from day one to set your business up for trust and long-term growth.
- Consider regular legal reviews and expert advice; your circumstances may change as you grow, so staying current is crucial.
If you’d like expert help making sure your business is fully DPA compliant, or need tailored legal documents to protect your operations, our friendly team is here to help. Reach us at team@sprintlaw.co.uk or call 08081347754 for a free, no-obligation chat about safeguarding your business and building customer trust from day one.