May 2018 will see a major sea change in data protection laws as GDPR is ushered into being.
The Europe-wide General Data Protection Regulation will replace the current UK Data Protection Act. GDPR sets out more comprehensive and far-reaching criteria for businesses to adhere to.
You can read more about the introduction of GDPR here, but what are the major differences between the new regulation and the 1998 Data Protection Act, and how will they impact UK businesses?
- Reach
  - DPA – Only applies to the UK
  - GDPR – Applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens
- Enforcement
  - DPA – Enforced by the Information Commissioner’s Office (ICO)
  - GDPR – Compliance will be monitored by a Supervisory Authority (SA) in the UK, with each European country having its own SA
- Penalties
  - DPA – Non-compliance can result in fines of up to £500,000 or 1% of annual turnover
  - GDPR – The potential penalties for non-compliance are much more severe, with fines of up to €20 million or 4% of the business’s annual global turnover
- Data Protection Officers
  - DPA – Under the current legislation there is no need for any business to have a dedicated DPO
  - GDPR – A DPO should be appointed if you:
    - Are a public authority or body
    - Carry out large-scale systematic monitoring of individuals
    - Perform large-scale processing of special categories of data
- Data breaches
  - DPA – Businesses are under no obligation to report data breaches, though they are encouraged to do so
  - GDPR – Any data breach must be reported to the Supervisory Authority within 72 hours of the incident
- Data removal
  - DPA – There is no requirement for an organisation to remove all data it holds on an individual
  - GDPR – An individual will have the ‘Right to erasure’, which covers all data, including web records, with all information being permanently deleted
- Privacy by design
  - DPA – Protection Impact Assessments (PIAs) are not a legal requirement under the DPA but have always been ‘championed’ by the ICO
  - GDPR – PIAs will be mandatory and must be carried out when there is a high risk to the freedoms of the individual. A PIA helps an organisation to ensure it meets an individual’s expectation of privacy
- Opting in
  - DPA – Data collection does not necessarily require an opt-in under the current Data Protection Act
  - GDPR – The need for consent underpins GDPR. Individuals must opt in whenever data is collected, and there must be clear privacy notices. Those notices must be concise and transparent, and consent must be able to be withdrawn at any time
What is clear from the brief summary above is that GDPR differs greatly in scope from the DPA, with more mandatory regulations and more accountability. Under the new regulation there will certainly be the potential for much stiffer penalties for non-compliance.
Accountability
It is the area of accountability which most businesses will be paying close attention to.
One of the central tenets of the new legislation is that businesses and organisations must be able to demonstrate that they comply with its principles. Crucially, it is the business’s responsibility to ensure compliance.
Mandatory activities to demonstrate compliance include:
- Staff training
- Internal audits of data processing activities
- Internal HR reviews
- Appoint a data protection officer (if over 250 employees)
- Maintain all documentation
- Meet all the principles of data protection by design
- Implement Protection Impact Assessments
For more detailed information on compliance visit the Information Commissioner’s Office website.