What you need to know about data protection law

This article explains the basics of the Data Protection Act and your obligations, and introduces the Regulation of Investigatory Powers Act (RIPA), which has legal implications for businesses using data encryption.

Data protection law & data encryption

If you store data on clients, employees or suppliers, you will need to adhere to the Data Protection Act for your business to stay legal and avoid any unnecessary legal action. As an employer, by taking action now you will avoid problems later should your business be investigated. This will save you money and time in the long run, and will only cost you a small registration fee of £35 per annum. RIPA (the Regulation of Investigatory Powers Act 2000) has implications for those using encrypted data. This guide does not constitute legal advice. It is strongly suggested that you obtain qualified legal advice if you have any Data Protection Act or RIPA questions or issues.

Understanding the Data Protection Act

We all like to protect our privacy, and the Data Protection Act provides a legal framework to which we all need to adhere if we are to stay above board. By protecting the information you hold you will retain your reputation and prevent time-consuming and costly investigations later. Separate regulations, the Privacy and Electronic Communications Regulations, apply to anyone considering a telephone or email marketing campaign. For further detail visit the Privacy and Electronic Communications Guide.

The Data Protection Act allows each of us to know what information is being held about us. Any information that is held must be handled appropriately, and there are 8 guiding principles. Data must be:

  1. Fairly and lawfully processed
  2. Processed for limited purposes
  3. Adequate, relevant and not excessive
  4. Accurate and up to date
  5. Not kept for longer than is necessary
  6. Processed in line with an individual's rights
  7. Secure
  8. Not transferred to other countries without adequate protection

If someone feels that their data is not being managed according to these principles, they can contact the Information Commissioner's Office for assistance. At this point your small business may be investigated, with possible subsequent enforcement action.

Regulation of Investigatory Powers Act (RIPA Part III)

RIPA is normally associated with investigations into criminals and criminal behaviour using surveillance, not the running of small businesses, but recent changes in legislation may impact your use of IT.

Data encryption is the process of taking normal computer data and files and mixing them up so that they become unreadable to unauthorised users. This process of mixing up or encrypting data uses advanced mathematics, which we won't bother you with. What you do need to understand is the use of electronic keys to unlock encrypted data. These often take the form of long passwords but act as the secret key to all of your encrypted data. Normally you would keep these keys locked away very securely, because if you lose them your encrypted data could be unlocked by unauthorised users. As you can imagine, many criminals are now encrypting their data to prevent the authorities accessing it.

To get around this problem, legislation was enacted in October 2007 that forces an individual or a business to hand over their secret encryption key. If you fail to do so then you could face a 5 year jail term. This is very important for a small business to remember when putting in place data encryption.

Always keep your encryption keys secure, but remember that the authorities may, in rare circumstances, demand the key to inspect your data.

Of course we know that users of the Business IT Guide are all upstanding citizens, but we would hate to see our users end up in jail!

What you need to do

It is strongly advised that you visit the websites below, which carry up to date and accurate information on the Data Protection Act and RIPA as it relates to small businesses.

The Data Protection Act site also carries information on how to register your business, which you are highly likely to need to do.


Data Protection Act for small businesses

Regulation of Investigatory Powers Act

About the author: This article was first published as Data protection law on Business IT Guide, part of e-skills, the Sector Skills Council for IT and telecoms. The Business IT Guide has been developed in collaboration with industry experts to help small businesses find the right IT solutions for the issues that affect them.


If you collect data on clients, employees or suppliers, you will be subject to the Data Protection Act. The Data Protection Act 1998 (DPA) is an Act of Parliament of the UK and defines UK law on the processing of data.  It is the main piece of legislation that governs the protection of personal data in the UK.