What are the differences between GDPR and the Data Protection Act? Following on from my blog on 2nd May 2018, "GDPR: An Idiot's Guide", someone asked me the question: what are the differences between GDPR and the Data Protection Act? Good question, I said; let me do a bit of research and I will come back to you.
The differences between GDPR and Data Protection Act?
After extensive research, drawing on information from many different sources, I can now highlight some of the differences between GDPR and the Data Protection Act.
The Data Protection Act (DPA) came into force in 1998 and GDPR (General Data Protection Regulations) comes into force in May 2018. First of all, let me point out that the digital world has changed dramatically since 1998. As a result, the legislation was overdue for an update to reflect current social trends.
- The DPA applied only in the UK. GDPR is EU-wide and, at the time of writing, will still be law after Brexit.
- The DPA is enforced by the Information Commissioner's Office (ICO). GDPR will be monitored by a Supervisory Authority (SA) in each EU country.
- Fines for failure to comply with the DPA can be up to £500,000 or 1% of annual turnover. In fact, TalkTalk were fined £400,000 in October 2015 for the attack that affected nearly 16,000 personal bank account details. Under the new GDPR rules, companies can be fined up to a maximum of £16.8 million (€20 million), or up to 4% of their global turnover.
- The DPA does not require any business to have a data controller. GDPR requires you to nominate a dedicated data controller if you have more than 250 employees.
- There is no mandatory requirement to report a data breach under the DPA. Under GDPR, if you have a data breach you must report it within 72 hours to the Supervisory Authority. In this report, you must describe the breach and how it happened, list the personal details breached and the likely consequences of the breach, and explain how you are going to mitigate any further breaches.
- Under the DPA there is no legal requirement to remove any personal data. GDPR now has a 'Right to Closure'. Furthermore, you now need to know where all personal data is being stored. If requested, you must permanently remove all data held on that individual.
- There is a new approach called 'Privacy by Design'. Under the DPA, there was no requirement to carry out a Protection Impact Assessment (PIA). Under GDPR a PIA is mandatory. This means your business must ensure that privacy and data protection are central considerations when starting a new project. Such projects could be new IT systems in which a data store is implemented, embarking on a data sharing strategy, or using data for new purposes.
- The DPA does not require an 'opt-in'. One key part of GDPR is the need for individuals to opt in. Therefore, when you store an individual's data you must provide a clear privacy notice. These notices must be written in plain language and be clear, concise and transparent. Each individual must be able to withdraw their details at any time.
What do you have to do as a business?
One area that GDPR is trying to tighten is the way businesses are held accountable for individuals' data. Hence, there are quite a few things that you, as a business, must do to comply with GDPR. You can get a full copy of the GDPR by visiting the Information Commissioner's Office.
Actions to be taken to become GDPR compliant:
- Staff training
- Appoint a Data Controller if you have over 250 users
- Internal auditing of data processing activities
- Meet all the requirements of 'privacy by design'
- Maintain all documentation
- Implement protection impact assessments (PIA)
- Find out where your nearest Supervisory Authority (SA) is located and how to contact them
- Prepare a breach notification template
Unleashed has been advising businesses on IT solutions for many years. Therefore, if you would like a free informal chat about GDPR, please get in touch or call us on 0333 240 0565.