Data protection - current position and future changes

The Data Protection Act 1998 is the main legislation which relates to data protection and includes the powers of the Information Commissioner’s Office (ICO) and duties placed on organisations and their data controller.

The main aspects of the legislation cover the following points:

  • Obligation on certain organisations to register with the Information Commissioner’s Office (ICO);
  • The rights of individuals;
  • Rules relating to sending personal data outside the European Economic Area;
  • The right to compensation;
  • Exemptions;
  • Rules on use of Cookies and Similar Technologies.


New draft regulations were issued in January 2012 and it is expected that the draft regulations will be finalised around the end of 2013. They are likely to come into force in 2016. These regulations are due to be implemented directly by every country in the EEA with the regulations being the same in each country. These new regulations are likely to be more onerous than the legislation currently in place. These regulations can be found here

Some of the main changes proposed by the new Data Protection Regulations are as follows:

  • Only data controllers were subject to the Data Protection Act 1998 whereas data processors will also be liable under the Data Protection Regulations;
  • The potential fines will be increased;
  • Security breaches will need to be documented and notified to the regulator within a short period of time;
  • Data processor will need to alert controller immediately of any breaches;
  • Global transfers of personal data will be more restricted;
  • Non-EEA data controllers will be subject to the new regulations.


The ICO website has various guides on data protection which can be accessed via the 'Related Links' section of this webpage.

ACCA has produced a technical factsheet which gives more detail on the current requirements which can be accessed under the 'Related Documents' section of this webpage.