How will the General Data Protection Regulation (GDPR) differ from the Data Protection Act?
17 July 2017
25 May 2018 will mark the beginning of far-reaching changes to data protection requirements, as the General Data Protection Regulation (GDPR) officially comes into effect.
Designed to strengthen and standardise data protection across the EU, the new regulation will impose strict standards on businesses that collect and process EU residents’ data, with heavy financial penalties for those who fail to comply.
Organisations were originally given a two-year transition period to get ready for the GDPR, but with less than 12 months to go many still have a lot of work to do. The GDPR will build on the 1998 Data Protection Act (DPA) but will also introduce a number of new restrictions. Below we have outlined six of the key differences between the two.
1. Who it affects
The DPA: Applies only to organisations in the UK.
The GDPR: Applies to any organisation that holds or processes EU citizens’ personal data, even if that organisation is not based in the EU. This means that UK companies will have to comply even after Brexit.
2. Marketing Communications
The DPA: If you market directly to prospects or customers, a negative opt-in is all that is required: for example, a box the individual ticks to state that they do not wish to receive further communications. Individuals need to be informed that their personal data will be used for marketing and be given the option to opt out.
The GDPR: Companies sending out marketing communications must secure a positive opt-in from their audience. When making a request to collect personal data, that request must be written in simple language and clearly explain how the data will be used.
3. Subject access requests
The DPA: Individuals have a right to obtain a copy of the information companies hold about them; this is known as a subject access request. Individuals can make a subject access request to any organisation processing their personal data. Organisations can charge a fee of up to £10 (£2 if the request is to a credit reference agency for information about the individual’s financial standing only). However, special rules apply to the fees for paper-based health records (maximum fee: £50) and education records (£1 to £50 depending on the number of pages).
The GDPR: An individual’s rights to access their personal information remain broadly similar, except that organisations can no longer charge a £10 subject access fee and must comply with the request as soon as possible, and in any case within one month of the request being made. The only time an organisation can charge a subject access fee is where requests are manifestly unfounded or excessive. The GDPR does not state a particular fee but rather requires that it be “reasonable, taking into account the administrative costs of providing the information”.
4. Individuals’ Rights
The DPA: According to the Information Commissioner’s Office (ICO), individuals have the following rights under the DPA:
- A right of access to a copy of the information comprised in their personal data
- A right to prevent processing that is likely to cause or is causing damage or distress
- A right to prevent processing for direct marketing
- A right to object to decisions being taken by automated means
- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
- A right to claim compensation for damages caused by a breach of the Act
The GDPR: Creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA:
- The right to be informed – encompasses a company’s obligation to provide “fair processing information”, typically through a privacy notice. The information a company supplies to an individual depends on whether that personal data was obtained directly from the individual or indirectly. Information about the processing of personal data should be provided free of charge and be concise, transparent and easily accessible.
- The right of access – an individual has the right to obtain confirmation that their data is being processed, access to their personal data, and other supplementary information. Companies must provide a copy of the information free of charge; only where the request is manifestly unfounded, excessive or repetitive may companies charge a “reasonable fee”. The information must be provided to the individual without delay and within one month of the request.
- The right to rectification – individuals are entitled to have personal data rectified if it is inaccurate or incomplete. Companies must respond within one month unless the request is complex, and if a company has disclosed the personal data in question to third parties it must also inform them of the rectification where possible.
- The right to erasure – also known as “the right to be forgotten”, individuals have a right to have personal data erased and to prevent processing in certain circumstances, for example where erasure is needed to comply with a legal obligation.
- The right to restrict processing – Similar to the DPA, individuals can block or suppress processing of their personal data. In these cases, companies are allowed to store the personal data, but not process it.
- The right to data portability – This allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right to object – individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority; to direct marketing; and to processing for the purposes of scientific or historical research and statistics.
- Rights in relation to automated decision making – The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to those under the DPA.
5. Reporting a data breach
The DPA: Reporting a breach was only mandatory if the breach was also covered by the Privacy and Electronic Communications Regulations 2011 (PECR), which apply to data security breaches at telecoms providers and ISPs.
The GDPR: Reporting is mandatory if the data breach is likely to result in a risk to an individual’s rights and freedoms. The breach must be communicated to the supervisory authority as soon as possible and within 72 hours of discovering the breach. Where a breach is likely to result in a “high risk” to the rights and freedoms of individuals, you must notify those concerned directly.
6. Fines
The DPA: Carries fines of up to £500,000 for serious breaches of the legislation, although to date the largest fine handed out is £400,000, which was given to TalkTalk following their data breach in October 2016.
The GDPR: Fines for data breaches carry an upper limit of 20 million euros or 4% of global turnover, whichever is higher, which could result in serious financial difficulties for organisations subject to this regulation. Additional fines, such as for failing to notify the supervisory authority of a breach in good time, can also be levied.
As the GDPR expands on the rights and regulations set out by the DPA, it is likely that organisations will already comply in certain areas; however, there are a number of new requirements to be aware of.
With the GDPR running to a very strict timetable, it is imperative that firms’ leadership, compliance and IT teams start taking responsibility now. There are a number of actions firms will need to carry out, such as appointing a Data Protection Officer and reviewing their data storage and processing procedures, as well as looking into which solutions can assist in meeting compliance. Automated systems will play a key role in performing compliance and risk checks: the more that can be automated, the less likely it is that something will fall through the net.