Data Protection Act (DPA) VS General Data Protection Regulation

October 9th, 2017


For those wondering about the differences between the current Data Protection Act (DPA) and the GDPR, which is about to replace it, we thought this table might be of benefit.

DPA (Data Protection Act 1998) vs GDPR (General Data Protection Regulation)

Purpose and scope
  DPA 1998: Developed to protect individuals and lay down rules about how data about people can be used. Covers information about living people held on a computer or in an organised paper filing system.
  GDPR: Adopted by the EU in 2016 and directly applicable from 25 May 2018, when it replaces the DPA.

Territorial reach
  DPA 1998: Applies only to the UK.
  GDPR: Applies across the whole of the EU and, crucially, to any organisation anywhere in the world that offers goods or services to, or monitors the behaviour of, people in the EU.

Enforcement
  DPA 1998: Enforced by the Information Commissioner's Office (ICO).
  GDPR: Compliance is monitored by a supervisory authority (SA) in each member state; in the UK this remains the ICO.

Data Protection Officer (DPO)
  DPA 1998: No business is required to appoint a DPO.
  GDPR: A DPO is mandatory for public authorities and for any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data. The DPO may be an employee or an external contractor. (The widely quoted "250 employees" threshold relates to the duty to keep records of processing activities, not to the DPO.)

Right to erasure
  DPA 1998: No general requirement to remove all data held on an individual.
  GDPR: Individuals have a "right to erasure" (the right to be forgotten). On request, personal data, including online records, must be deleted where there is no longer a lawful reason to keep it, and anyone the data was shared with must be informed.

Impact assessments
  DPA 1998: Privacy Impact Assessments (PIAs) are not a legal requirement, though the ICO has long championed them.
  GDPR: Renamed Data Protection Impact Assessments (DPIAs), they are mandatory where processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA helps an organisation meet individuals' expectations of privacy.

Consent and opt-in
  DPA 1998: Data collection does not necessarily require an opt-in.
  GDPR: Consent is one of several lawful bases for processing, but where it is relied on it is held to a much higher standard: it must be a clear opt-in (pre-ticked boxes and silence do not count), privacy notices must be concise and transparent, and consent must be as easy to withdraw as it was to give.

Legal form
  DPA 1998: Implements an EU Directive, which sets aims and requirements that each member state enacts through its own national legislation.
  GDPR: A Regulation, directly binding in all member states without the need for national implementing law.

Definition of personal data
  DPA 1998: Personal data and sensitive personal data.
  GDPR: The same categories, now explicitly extended to online identifiers (such as IP addresses and cookie IDs), location data, and genetic and biometric data.

Breach notification
  DPA 1998: Not mandatory for most organisations.
  GDPR: Mandatory. The supervisory authority must be notified within 72 hours of the organisation becoming aware of a breach (unless it is unlikely to result in a risk to individuals), and affected individuals must be told without undue delay where the risk to them is high.

Compensation
  DPA 1998: Any person who has suffered material damage is entitled to claim compensation.
  GDPR: Any person who has suffered material or non-material damage (including distress) may claim.

Governance and accountability
  DPA 1998: Accountability is limited; data protection governance comes down to best endeavours.
  GDPR: Accountability is an explicit principle. Controllers must be able to demonstrate compliance through records of processing, DPIAs, data protection by design and by default, and a DPO where one is required.

Maximum fine
  DPA 1998: £500,000.
  GDPR: Up to 4% of worldwide annual turnover or €20 million, whichever is greater.

Responsibility
  DPA 1998: Rests with the data controller.
  GDPR: Rests with both the controller and the processor. Processors have direct obligations of their own, and a controller that pays compensation can recover from the processor the part of the damage attributable to the processor's fault.

Children
  DPA 1998: No specific requirement for parental consent.
  GDPR: Where consent is relied on to offer online services to a child, parental consent is required below the age of 16 (member states may lower this to no less than 13).

Subject access requests
  DPA 1998: May be charged at £10 per request and must be answered within 40 days.
  GDPR: Free of charge in most cases and must be answered within one month (extendable by a further two months for complex or numerous requests).

Standard of consent
  DPA 1998: Consent must be freely given, specific and informed.
  GDPR: Consent must additionally be unambiguous, given by a clear affirmative action, and capable of being withdrawn at any time.



If you are unsure what to do next or would like to know more, we can help you on your journey towards GDPR compliance: book a call with one of our consultants, or contact us directly.


This post was written by our GDPR consultant, Karl Fontanari