How is GDPR different from the Data Protection Act?

July 17th, 2017

GDPR - What is the difference between GDPR and DPA

The 25th of May 2018 marked the beginning of far-reaching changes to data protection requirements, as the General Data Protection Regulation (GDPR) officially came into effect.

Designed to strengthen and standardise data protection across the EU, the new regulation imposed stricter standards on businesses that collect and process EU residents’ data – with heavy financial penalties for those who fail to comply.

The GDPR builds on the groundwork of the 1998 Data Protection Act (DPA) but also introduces a number of new restrictions that are more relevant to the modern data-driven world. Below are six of the key differences between the two.

1. Who it affects

The Data Protection Act

Only applies to those in the UK.

GDPR

Applies to any organisation that holds or processes EU citizens’ personal data, even if that organisation is not based in the EU. This also means that UK companies which process the data of EU citizens have to comply even after Brexit.

2. Marketing Communications

The Data Protection Act

If you market directly to prospects or customers, a negative opt-in is all that is required: for example, a box the individual ticks to state that they do not wish to receive further communications. Individuals need to be informed that their personal data will be used for marketing and given the option to opt out.

GDPR

Companies sending out marketing communications must secure a positive opt-in from their audience. When making a request to collect personal data, that request must be in simple language and clearly explain how the data will be used.

3. Requests

The Data Protection Act

Individuals have a right to get a copy of the information companies hold about them; this is known as a subject access request. Individuals can make a subject access request to any organisation processing their personal data. Organisations can charge a fee of up to £10 (£2 if it is a request to a credit reference agency for information about your financial standing only). However, there are special rules which apply to the fees for paper-based health records (maximum fee: £50) and education records (£1-£50 depending on the number of pages).

GDPR

An individual’s rights to access their personal information remain broadly similar, except that organisations can no longer charge a £10 subject access fee and they must also comply with the request as soon as possible – within one month of the request being made. The only time an organisation can charge a subject access fee is where requests are manifestly unfounded or excessive. The GDPR does not state a particular fee but rather states that it must be “reasonable, taking into account the administrative costs of providing the information”.

4. Individual’s Rights

The Data Protection Act

According to the Information Commissioner’s Office (ICO), individuals have the following rights:

  • Access: a right of access to a copy of their personal data
  • Limit: a right to prevent processing that is likely to cause or is causing damage or distress
  • Prevention: a right to prevent processing for direct marketing
  • Objection: a right to object to decisions being taken by automated means
  • Correction: a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • Compensation: a right to claim compensation for damages caused by a breach of the Act

GDPR

Creates some new rights for individuals and strengthens some of the rights which currently exist under the Data Protection Act:

  • The right to be informed: encompasses a company’s obligation to provide “fair processing information”, typically through a privacy notice. The information a company supplies to an individual depends on whether that personal data was obtained directly or indirectly. Information about the processing of personal data should be provided free of charge and be concise, transparent and easily accessible.
  • The right of access: an individual has the right to obtain confirmation that their data is being processed, access to their personal data, and other supplementary information. Companies must provide a copy of the information free of charge. They may only charge a “reasonable fee” where the request is manifestly unfounded, excessive or repetitive. The information must be provided without delay and within one month of the request.
  • The right to rectification: individuals are entitled to have personal data rectified if it is inaccurate or incomplete. Companies must respond within one month unless the request is complex, and if a company has disclosed the personal data in question to third parties it must also inform them of the rectification where possible.
  • The right to erasure: also known as “the right to be forgotten”. Individuals have a right to have personal data erased and to prevent processing in certain circumstances, for example to comply with a legal obligation.
  • The right to restrict processing: similar to the DPA, individuals can block or suppress processing of their personal data. In these cases, companies can store the personal data, but not process it.
  • The right to data portability: this allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
  • The right to object: individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority; direct marketing; and processing for the purposes of scientific or historical research and statistics.
  • Rights in relation to automated decision making: the GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to those under the DPA.

5. Reporting a data breach

The Data Protection Act

Reporting a breach was only mandatory if the breach was also covered by the Privacy and Electronic Communications Regulations 2011 (PECR). This regulation pertains to any data security breach at telecoms providers or ISPs.

GDPR

Reporting is mandatory if the data breach is likely to result in a risk to individuals’ rights and freedoms. You must communicate the breach to the supervisory authority as soon as possible and within 72 hours of discovery. Where a breach is likely to result in a “high risk” to individuals, you must also notify those concerned directly.

6. Fines

The Data Protection Act

Carried fines of up to £500,000 for serious breaches of the legislation. The largest fine to date is £400,000, which was given to TalkTalk following their data breach in October 2016.

Note: since then, Facebook’s Cambridge Analytica scandal resulted in a £500,000 fine – the largest fine possible under the Data Protection Act – in 2018.

GDPR

Fines for data breaches carry an upper limit of 20 million euros or 4% of global annual turnover – whichever is higher. This could result in serious financial difficulties for organisations under this regulation. Additional fines, such as for failure to notify, can also be levied.


As the GDPR expands on the Data Protection Act, it’s likely that organisations already comply with certain areas. However, there are a number of new requirements they may still be falling foul of, particularly the obligation to provide people with a copy of all data stored on them.

With the GDPR in full force, it’s imperative that firms start taking responsibility now. There are a number of actions firms need to carry out if they haven’t done so already, such as appointing a Data Protection Officer and reviewing their data storage and processing procedures, as well as looking into what solutions can assist in meeting compliance. Automated systems will play a key role in performing compliance and risk checks. The more you can automate, the less likely it is that things will fall through the net.