What are the main differences between GDPR and the Data Protection Act?
With the new General Data Protection Regulation coming into effect in May 2018, it has never been more important for businesses to recognise how it differs from the existing Data Protection Act, and what steps they need to take to prepare.
The clock is ticking ahead of the imminent introduction of the Europe-wide General Data Protection Regulation (GDPR), which will usher in a new era of enhanced data protection standards when it comes into effect in May 2018.
The introduction of GDPR represents the most significant shift in data security standards for several decades, and yet many businesses across the country remain largely unaware of its implications, and how the new rules will differ from the existing UK Data Protection Act.
Although many of the underlying principles remain the same, GDPR's scope is far more comprehensive and wide-reaching, meaning businesses will need to amend their data protection policies accordingly - or potentially face serious consequences.
On a basic level, the GDPR is designed as a direct replacement for the Data Protection Act, which was introduced in 1995 as a UK equivalent to the EU's 1995 Data Protection Directive.
Affecting all UK companies that collect or process personal information on EU citizens, the new laws are intended to help protect the privacy and rights of individual consumers, giving data subjects more clearly delineated rights regarding what data is held about them, how it can be used, and when it should be deleted.
Although the new law reduces the overall number of principles from eight to six, the revamped regulations will be much broader in scope than the existing ones, handing the consumer greater control over their own personal data, and imposing harsh penalties on organisations that fail to comply. It's also worth remembering that the laws apply to any company holding data on EU citizens, regardless of where they are based; as such, their continued relevance will not be affected by the UK's departure from the EU, which is why the British government is working to enshrine them in UK law post-Brexit.
Given the broad-based impact of GDPR and the speed at which the deadline for compliance is approaching, it's essential that every company takes the time to consider the key differences between the new and old rules.
Geographic reach and scope: The previous European Data Protection Directive took a much lighter-touch approach than GDPR, setting out aims and requirements for data protection standards that were then implemented through national legislation, such as the UK's Data Protection Act. By contrast, GDPR is a binding piece of regulation, which will be legally enforceable as soon as it comes into effect on May 25th, and will apply to all EU nations and every company holding data on EU citizens.
Definition of personal data: GDPR will expand the definition of "personal data" to include a much wider range of consumer information. Whereas the Data Protection Act only pertains to information used to identify an individual or their personal details, GDPR broadens that scope to include online identification markers, location data, genetic information and more.
Consent policies: This is one of the defining differences between GDPR and the Data Protection Act. Under the old rules, data collection does not necessarily require an opt-in, but under GDPR clear privacy notices must be provided to consumers, allowing them to make an informed decision on whether they consent to allow their data to be stored and used. This consent can then be withdrawn at any time.
Data breach policies: With the current rules in place, businesses are under no obligation to report when data breaches occur, although they are encouraged to do so. This will change with the advent of GDPR, with any future breaches having to be reported to the relevant authorities within 72 hours of the incident.
Accountability: GDPR will place a much greater focus on explicit accountability for data protection, making companies directly responsible for proving they comply with the principles of the regulation, in contrast to the hands-off approach of the Data Protection Act. This means firms will need to commit to mandatory activities such as staff training, internal data audits and keeping detailed documentation if they wish to avoid falling foul of the GDPR rules.
Data protection governance: The Data Protection Act does not stipulate how the governance of data security functions should be allocated, requiring only a basic commitment to the concept from management. GDPR will change this, as any company employing more than 250 people will be mandated to appoint a dedicated data protection officer, as will any firm processing more than 5,000 subject profiles annually.
Penalties and compensation: Currently, non-compliance with the Data Protection Act can see companies fined up to £500,000, or one per cent of annual turnover. Under GDPR, these limits will rise significantly to €20 million, or four per cent of annual turnover, whichever is higher. It's also worth remembering that GDPR will allow individuals to claim compensation for material and non-material damage resulting from data security lapses, whereas the current rules only cover material damage.
How should businesses react?
The scope of these changes underlines the need for companies to move fast to adjust their data protection policies to account for GDPR, if they have not already done so.
This includes carrying out a thorough audit of current data usage practices and policies, with staff training and HR reviews conducted to make sure everyone is up to speed with the new rules. Documentation should also be comprehensively collated to make sure that compliance with GDPR rules can be demonstrated when needed.
By taking these steps, companies can make sure they maintain their status as trusted custodians of private data beyond May 2018.