What is DPA 2018?

The Data Protection Act of 2018 in the United Kingdom serves as a foundational requirement for companies, mandating the safeguarding of processed information and granting legal rights to individuals regarding their stored data. In alignment with the European Union's General Data Protection Regulation (GDPR), it introduces elevated standards for the protection of personal data, empowering individuals to exert greater control over the usage of their information. While adherence to this legislation is obligatory, it presents challenges due to the absence of specific controls or a standardised security level for businesses to adopt. Consequently, your organisation must establish a tailored framework that aligns with the sensitivity of the data, ensuring its adequate protection. Risk Crew’s DPA 2018 Service provides the skills, framework and deliverables to guarantee your business complies with this critical legislation.
Get a Quote
Data Protection Officers Risk Crew

How Your Organisation Can Benefit From DPA Compliance

Reputational Management Build trust with customers, partners and stakeholders and enhance global reputation by demonstrating a commitment to data protection.
Data Security Compliance assists with reducing the risk of data breaches and protecting sensitive information from unauthorised access.
Legal Compliance Compliance with the Data Protection Act 2018 ensures that you are adhering to data protection laws and regulations, reducing the risk of legal penalties, fines, and legal disputes.

Step-by-Step Process to Get You DPA 2018 Compliant

Risk Crew can help your organisation achieve and maintain compliance through one (or a combination of any) of our four cost-effective services:

In order to help your organisation get started in complying with the DPA 2018 legislation, our Discover service provides the following deliverables:
  • DPA 2018 Compliance Gap Assessment: Risk Crew will assess your current data protection operations, policies, processes and controls against those recommended by the legislation to identify the current compliance “gap” and then generate a comprehensive report of our findings and recommendations to fill that gap. 
  • Compliance Activities Roadmap: Findings will include a detailed list of actions required for your organisation’s full compliance in a project plan format of your choice. The roadmap will cite specific actions required for compliance, proposed action owners, target completion dates and estimated budgets required.
  • Conduct Stakeholder Workshop: Upon completion, Risk Crew will conduct a half-day workshop for key business stakeholders to ensure their understanding of the remedial actions needed for compliance and the estimated resources and timeline required.
These will result in a solid understanding of the law and what’s required from your business to comply.
Need some more help? Our Assist service offers all deliverables from our Discover service plus the following:
  • Identify, Locate, and Classify Assets: Risk Crew will review your business model and interview your key business stakeholders to identify, locate and value the sensitive information assets processed, stored and transmitted by your organisation.
  • Craft Data Classification Schemes: We develop clear marking schemes for secure handling, aligning with regulations like Data Protection.
  • Data Flow Diagrams: Information assets will be documented citing their sensitivity level, ownership, and IT system locations. The register becomes your risk management inventory.
  • Template DPA Documentation for Customisation: Risk Crew offers a DPA documentation template featuring draft policies, privacy statements, data processor agreements, privacy by design and default policies, data retention plans, security controls, breach notification procedures, and customisable forms for subject access requests and privacy impact assessments, all tailored to your organisation's unique business processes and risk objectives.
  • Mock Audit to Ensure Readiness: Once you're prepared, Risk Crew will perform a mock audit to verify the correct implementation of recommended remedial actions. This ensures that your DPA policies and procedures yield tangible evidence, demonstrating full compliance with the law.
This service provides the framework essential for compliance and is ideal for organisations that have operational resources but specifically lack in-house data protection expertise. The outcome serves as the foundation for an effective, data protection programme and requires the implementation of remedial actions, policy customisation, control implementation and education of your users for completion of your compliance requirements.
Our Implement service offers all the deliverables from both our Discover and Assist services outlined above in addition to the following:
  • Customised Data Protection Documentation for the Business: We'll create a fit-for-purpose DPA set of documentation for the organisation to implement.
  • Control recommendations: This includes recommendations on control objectives, control configuration (if required) control evidence, and control testing procedures.
  • Data Protection Security Awareness Training Program: This service is accompanied by an automated vulnerability assessment scanning to identify security weaknesses associated with your business systems and websites
  • Implement Information Security Awareness Training Program: Equip your team with cutting-edge data protection security awareness training from Risk Crew. We'll sharpen their knowledge of cyber threats to your business data, and clarify their roles in policy compliance and incident reporting under the law. Choose from computer-based training or opt for in-person workshops with our data protection experts to suit your preferences and needs.
  • DPA Compliance Workshop with Stakeholders to Ensure Understanding, Roles and Responsibilities: After the tasks above, Risk Crew will host a power-packed full-day workshop with your key business players. They'll grasp the legislation's core goals, KPIs, and their own roles, responsibilities, and ongoing compliance actions. Get ready for a deep dive into legal mastery!
This comprehensive service provides everything you need for your DPA 2018 compliance short of implementing the policies and the procurement of any controls needed and is designed for organisations looking for a cost-effective, turn-key solution.
If your organisation is already compliant with DPA 2018, you're aware that maintaining compliance can be just as challenging as achieving it. Risk Crew can help you meet this challenge with a variety of support services from delivering on-going requirements such as privacy impact assessments and data processor audits to providing continuous ad-hoc advice and assistance to answer questions, clarify requirements and ensure you stay the course of compliance.  

Are you a start-up and need a Data Protection Officer On Demand?

This popular service can be augmented to ensure you have access to a dedicated resource with the skills and experience required for continuous compliance. Learn more

We Don't Sell Products, We Sell Results.

✓ Competitive and Transparent Pricing

Our service comes with fixed pricing with no unexpected added costs. Additionally, we offer a managed service to conduct penetration testing on a continual basis.

✓ Flexible Delivery

This service can be delivered on-site or remotely using cutting-edge technology to maintain the security of our communications. Whichever method you opt for, quality service and hands-on expertise  are provided.

✓ On-going Support

Risk Crew helps you maintain compliance with a variety of support services including risk assessments, security testing and staff awareness training.

✓ 100% Satisfaction Guarantee

We think deeply, question assumptions, detect cause and effect and deliver measurable results. No one else does that. Our deliverables produce metrics you can use to monitor and manage real-world cyber risks.

Our Certifications And Accreditations

Our Clients Come for the Expertise & Stay for Exceptional Service

Risk Crew Testimonial

Speak With a Consultant Today

Instil customer confidence and gain new business with ISO 27001 Certification

Access More ISO 27001 Resources

download

Webinar: Data Privacy Impact Assessment

What is a Data Privacy Impact Assessment? When do you need to conduct one? Learn more on the goals and objectives of this critical data protection requirement.

download

Webinar: What Data Flow Mapping Looks Like and How to Star

Join our Data Protection Sage (and Amateur Brewer) Andy Whitaker for some practical advice and demonstration on how to get this done.

Frequently Asked Questions

Is the UK DPA 2018 the same as the EU GDPR?
Almost. But not quite. The DPA 2018 legislation sets out the framework required for data protection in the United Kingdom. The legislation replaces the old Data Protection Act 1998 and became effective on May 25, 2018. It aligns with (and is based upon) the GDPR and adapts its application to the UK. (i.e. providing supplements and exemptions).
What are the penalties for breaking the Data Protection Law?
Under the DPA 2018 legislation, the UK Information Commissioner’s Office (ICO) may levy a monetary fine on an organisation in the event of a data breach - if they are the data controller responsible for the data.
Do all organisations need a DPO?

Appointing a DPO is mandatory under three circumstances:

  1. The organisation is a public authority or body.
  2. The organisation's core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
  3. The organisation’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.
What is a Data Controller?
“A Data Controller” is the person (or organisation) that determines the purposes for which personal data is collected and how it is to be processed.
What is a Data Processor?
A Data Processor is the person (or organisation) responsible for processing, storing or transmitting personal data on behalf of a Data Controller.