DPA (Data Protection Act) compliance

The DPA is the United Kingdom’s data protection legislation. After Brexit, it replaced the GDPR in the UK and largely mirrors its principles. Mobile data processors and controllers operating in the UK must comply with the DPA to ensure the lawful and secure processing of personal data.
Non-compliance can lead to fines. For example, the credit reporting agency Equifax was fined £500,000 by the UK Information Commissioner’s Office over its 2017 data breach.

DPA requirements applying to mobile data

Security of Processing

This section outlines the security measures organizations must implement to protect personal data from unauthorized access, loss, or destruction. It includes provisions such as encryption, access controls, regular security assessments, and incident response procedures.

Data Minimization

Organizations must collect and retain only the personal data necessary for specific purposes. This may involve assessing and limiting the volume of data collected through mobile devices and applications.

Data Transfers

This requirement covers the transfer of personal data outside UK jurisdiction. Organizations must ensure adequate safeguards, such as standard contractual clauses, binding corporate rules, or approved certification mechanisms.

How to comply

Complying with the UK DPA involves protecting all company smartphones, computers, applications, and any environment where customer data is stored or accessed.

If your organization uses mobile devices, this means deploying a Mobile Threat Defense solution to protect smartphones and tablets against malware, phishing, and network exploits.

For companies developing applications, it means ensuring that apps handle personal data securely, and identifying and remediating risky behaviors and vulnerabilities through source code analysis and compliance audits.