Share this post

The difference between GDPR and DPA

May 2018 will see a major sea change in data protection laws as GDPR is ushered into being.

The European wide General Data Protection Regulations will replace the current UK Data Protection Act.  GDPR provides more comprehensive and far-reaching criteria for businesses to adhere too.

You can read more about the introduction of GDPR here but what are the major differences between the new regulations and the 1998 Data Protection Act and how will they impact on UK businesses?

  • Reach

DPA – Only applies to the UK

GDPR – Applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens

  • Enforcement

DPA – Enforced by the Information Commissioner’s Office (ICO)

GDPR – Compliance will be monitored by a Supervisory Authority in the UK with each European country having its own SA

  • Penalties

burning euros gdpr penalties

DPA – Non-compliance can result in fines of up to £500,000 or 1% of annual turnover

GDPR – The potential penalties for non-compliance are much more severe with fines of up to €20 million or 4% of the businesses annual global turnover

  • Data Protection Officers

DPA – Under the current legislation there is no need for any business to have a dedicated DPO

GDPR – A DPO is mandatory for any business or organisation with more than 250 employees

  • Data breaches

DPA – Businesses are under no obligation to report data breaches though they are encouraged to do so

GDPR – Any data breach must be reported to the Supervisory Authority within 72 hours of the incident

  • Data removal

DPA – There is no requirement for an organisation to remove all data they hold on an individual

GDPR – An individual will have the ‘Right to erasure’ – which includes all data including web records with all information being permanently deleted

  • Privacy by design

DPA – Protection Impact Assessments (PIA) are not a legal requirement under DPA but has always being ‘championed’ by the ICO

GDPR – PIAs will be mandatory and must be carried out when there is a high risk to the freedoms of the individual.  A PIA helps an organisation to ensure they meet an individual’s expectation of privacy

  • Opting in

DPA – Data collection does not necessarily require an opt-in under the current Data Protection Act

GDPR – The need for consent underpins GDPR.  Individuals must opt-in whenever data is collected and there must be clear privacy notices.  Those notices must be concise and transparent and consent must be able to be withdrawn at any time

opt in to gdpr

What is clear from the above brief summary is GDPR differs greatly in scope to DPA with more mandatory regulations and more accountability.  Under the new regulations there will certainly be the potential for much stiffer penalties for non-compliance.

Accountability

It is the area of accountability which most businesses will be paying close attention to.

One of the central tenets of the new legislation is businesses and organisations must be able to demonstrate they comply with its principles.  Crucially, it is the businesses’ responsibility to ensure compliance.

Mandatory activities to demonstrate compliance include:

  • Staff training
  • Internal audits of data processing activities
  • Internal HR reviews
  • Appoint a data protection officer (if over 250 employees)
  • Maintain all documentation
  • Meet all the principles of data protection by design
  • Implement Protection Impact Assessments

For more detailed information on compliance visit the Information Commissioner’s Office website.

Share this post

Craig Ellyard

Token old guy in the office and lifelong Hull City fan with all the psychological issues that brings. To relax I enjoy walking my two Labradors, as well as running and cycling. Set in my ways I like reading, abhor social media and just don’t get Game of Thrones.

1 comment

Add yours
  1. Jon 16 March, 2017 at 10:02

    “Data breeches”eh? Are they the trousers, preferably brown, you should be wearing when the new Data Protection Auditor pays you a visit?

Post a new comment