When the anonymous civil servants who drafted the Data Protection Act (DPA) in 1998 set about their work, they were smart enough to realise that the world of computers was likely to evolve considerably.

Keeping the law up to speed with the pace of technological change was always going to be a challenge, and the principles-based approach that underpins the DPA has worked well. Precedents set through case law have allowed the Act to encompass technical developments ­ although Marks & Spencer’s challenge to the Information Commissioner’s enforcement of laptop encryption represents a new test.

But even such legal foresight was unlikely to have taken into consideration the internet, cheap storage, USB drives, broadband, social networking and all the data-intensive applications upon which modern business life depends.

So it is right to heed the calls for a review of the DPA that will see it through its next decade.

But today, law enforcement is not enough to securely protect data. A new DPA needs to go hand in hand with best practice IT management.

When the DPA came into force in March 2000, the article in Computing concentrated on the specifics of the new law and the challenges it posed for IT departments.

Any similar feature now would cover the legal aspects in just a few lines. The complexity of the IT protecting people’s personal information has increased exponentially. And with it, the awareness of identity theft and the potential for misuse of our data has grown in parallel.

Self-regulation and self-discipline are now just as important as legislation.

Every employee needs to be constantly reminded to protect corporate data as if it were their own. And processes such as information lifecycle management need to sit alongside all the security procedures necessary to treat our information with the care we each wish it to be handled.

A review of the law is timely. The review of your IT management practices should be constant.