For those wondering the differences between the current 'data protection act' (DPA) and the newest about to be implemented being 'GDPR'. We thought this table may be of benefit to you.
| DPA(Data Protection Act 1998) | GDPR (General Data Protection Regulation) |
|---|---|
| The Data Protection Act was developed to give protection and lay down rules about how data about people can be used. The 1998 Act covers information or data stored on a computer or an organised paper filing system about living people. | EU General Data Protection Regulation (GDPR) in Europe, adopted in 2016, will be directly applicable starting on May 25, 2018, and will replace the DPA |
| Only applies the UK | Applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens |
| Enforced by the Information Commissioner's Office (ICO) | Compliance will be monitored by a Supervisory Authority in the UK with each European country having its own SA |
| Under the current legislation there is no need for any business to have a dedicated DPO | A DPO in some countries will be mandatory for any business or organisation with more than 250 employees |
| There is no requirement for an organisation to remove all data they hold on an individual | An individual will have the 'Right to erasures - which includes all data including web records with all information being permanently deleted |
| Privacy Impact Assessment (PIA) are not a legal requirement under DPA but has always been 'championed' by the ICO | PlAs will be mandatory and must be carried out when there is a high risk to the freedoms of the individual. A PIA helps an organisation to ensure they meet an individual's expectation of privacy |
| Data collection does not necessarily require an opt-in under the current Data Protection Act | The need for consent underpins GDPR. Individuals must opt-in whenever data is collected and there must be clear privacy notices. Those notices must be concise and transparent and consent must be able to be withdrawn at any time |
| Direction sets aims and requirements, implemented through national legislation | Regulation is binding for all member states |
| Personal data and sensitive personal data | In addition, now includes online identifiers, location data, and genetic data |
| Breach notifications not mandatory for most organisations | Mandatory and within 72 hours |
| Any person who has material damage is entitled to claim compensation | Any person who has suffered material or non-material damage |
| Data protection governance down to best endeavours | Recommendation of a data protection officer to be employed from outside the company for organisations with 250+ employees or more than 5,000 subject profiles per annum |
| Maximum fine is 500,000 | Maximum fine 4% of annual turnover or Euro20M whichever is greater |
| Responsibility rest with the Data Controller | Rests with both the controller and processor with the controller being able to seek damages from the processor |
| Parental consent for minors not required | Parental consent for minors now required |
| Accountability is limited | Accountability fully explicit |
| Subject access requests, £10 per transaction and within 40days | Free of charge and within 30 days |
| Data consent free given, specific and informed | Clear affirmation action with the ability to be withdrawn later |
If you are unsure on what to do next or would like to know more? We can aid you in your journey towards GDPR compliance, click here to book a call with one of our consultants. Alternatively contact us here.
If you've found this article useful please share on Twitter, LinkedIn or Facebook and give us a follow.
This post was written by our GDPR consultant, Karl Fontanari
You must be logged in to post a comment.