GDPR – 11 Key Changes from the Current Data Protection Act

Following on from “The Basics”, we have highlighted below the key differences to the data protection regulations that will come into effect with GDPR in May 2018.

  1. GDPR Enforcement – there will be a Supervisory Authority (SA) which will monitor and enforce the GDPR in the UK. Similar SAs will be responsible for monitoring and reporting in other EU countries.
  2. GDPR applies to all – this means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law.
  3. GDPR widens the definition of personal data – any data that can be used to identify an individual is personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.
  4. GDPR tightens the rules for obtaining valid consent to using personal information – organisations need to use simple language when asking for consent to collect personal data, they need to be clear about how they will use the information, and they need to understand that silence or inactivity no longer constitutes consent. Consent to the use of personal data must be freely given, specific, informed and unambiguous. Consent is not freely given if a person is unable to refuse it without detriment.
  5. GDPR makes the appointment of a DPO mandatory for certain organisations – public authorities processing personal information are required to appoint a data protection officer (DPO), as well as other entities, when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”. The GDPR does away with the criterion of number of employees and focuses instead on what organisations do with personal information.
  6. GDPR introduces mandatory Privacy Impact Assessments (PIAs) – inclusion of mandatory privacy impact assessments (PIAs) in the GDPR is mainly due to the influence of the UK’s Information Commissioner’s Office, which has worked a lot with PIAs in the past. The GDPR requires data controllers to conduct PIAs where privacy breach risks are high to minimise risks to data subjects.
  7. GDPR introduces a common data breach notification requirement – data controllers must notify the Data Protection Authorities as quickly as possible, and where applicable within 72 hours, of discovering a data breach.
  8. GDPR introduces the right to be forgotten – this change is one of the most useful for the average person managing their data protection risks. A person will be able to require their data to be deleted when there is no legitimate reason for an organisation to retain it. Following this, the organisation must also take appropriate steps to inform any third party that might hold links to or copies of the data and request that they delete it. Closely related is the data minimisation principle, which requires organisations not to hold data for any longer than absolutely necessary and not to change the use of the data from the purpose for which it was originally collected, while – at the same time – they must delete any data at the request of the data subject.
  9. GDPR expands liability beyond data controllers – previously only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all that touch personal data.
  10. GDPR requires privacy by design – GDPR requires that privacy is included in systems and processes by design. Software, systems and processes must consider compliance with the principles of data protection. Proper erasure of information, for example, is not something often seen in software. But in the future, all software will be required to be capable of completely erasing data, which will be a challenge.
  11. GDPR penalties – penalties for non-compliance are set to be much higher. Previously set at 1% of annual turnover, they could now reach up to 4% of global turnover.

GDPR introduces the concept of a one-stop shop, as the legislation will be applicable in all EU states without the need for implementing national legislation. Having a single set of rules will benefit businesses as they will not need to comply with multiple authorities, streamlining the process and saving an estimated €2.3 billion a year.

Below is a summary table comparing the current Data Protection Act legislation with the new GDPR rules.

| Key Principles | DPA (Current) | GDPR (25th May 2018) |
|---|---|---|
| 1. Enforcement | Enforced by the Information Commissioner’s Office (ICO) | A Supervisory Authority (SA) will monitor and enforce the GDPR in the UK. Similar SAs will be responsible for monitoring and reporting in other EU countries |
| 2. Reach | Applies only in the UK | Applies to the whole of the EU and any company (globally) that holds data belonging to EU citizens |
| 3. Penalties | Failure to comply with the DPA can result in fines of up to £500,000 or 1% of annual turnover | Penalties for non-compliance with GDPR regulations are expected to reach $20m or 4% of global turnover – a significant increase |
| 4. Right to be Forgotten | There is currently no legal requirement for companies to remove the data they hold on an individual | Individuals can exercise their ‘right to be forgotten’, which involves permanently deleting all personal data from company systems |
| 5. Data Protection Officers (DPO) | There is currently no obligation for a company to employ a dedicated DPO | You should assume that you need a DPO unless you can demonstrate that you don’t |
| 6. Opting In | Under the current legislation, businesses do not require an opt-in when collecting data | Consent underpins the new regulations. When collecting data, the reasons for collecting personal data and its uses must be outlined at the point of collection and in the company Privacy Policy |
| 7. Reporting a data breach | Under the current regulations, there is no legal obligation for a data controller to report a breach to the ICO or to individuals whose information has been lost or stolen | Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly. Organisations are also obliged to report a data breach to the relevant supervisory authority (ICO) within 72 hours of becoming aware of it |
| 8. Personal Data | Personal data and sensitive personal data | Any data that can be used to identify an individual is personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information |
| 9. Privacy Impact Assessment (PIA) | Privacy Impact Assessments (PIAs) are not a legal requirement under the DPA but have always been ‘championed’ by the ICO | PIAs will be mandatory and must be carried out when there is a high risk to the freedoms of the individual. A PIA helps an organisation to ensure they meet an individual’s expectation of privacy |
| 10. Expanding Liability | Responsibility rests with the Data Controller | Liability extended to all those that touch personal data within an organisation |
| 11. Privacy by Design | There is no requirement for an organisation to remove all data they hold on an individual | GDPR requires that privacy is included in systems and processes by design. Software, systems and processes must consider compliance with the principles of data protection. An individual will have the right to erasure – which includes all data being permanently deleted |

You may also find the following article useful: https://www.atg-it.co.uk/gdpr/dpa-vs-gdpr/
