Before we start comparing, it’s worth highlighting that this is a bit of an “oranges & apples” thing because, technically speaking, the UK DPA (Data Protection Act) 1998 was enacted to bring British law into line with the 1995 EU DPD (Data Protection Directive, aka 95/46/EC) which is the one that is, now, being repealed and superseded by the GDPR (General Data Protection Regulation, aka 2016/679) that was adopted in 2016.
Another important point is that the EU DPD, being a “directive”, is an example of an indirect EU law which needed to be implemented by domestic UK legislation – the DPA – to become applicable and enforceable in the UK. Those domestic UK laws will be unaffected by Brexit and so the DPA will continue unless and to the extent the UK Parliament repeals or amends the DPA, whether to deal with GDPR and/or Brexit.
On the other hand, the GDPR is a “regulation” and, hence, a direct EU law that applies directly in the UK without the need for UK domestic legislation. GDPR comes into force in the UK on 25 May 2018 before the UK will have been able to leave the EU. UK businesses will therefore need to prepare for and start to comply with GDPR notwithstanding Brexit.
One very critical point, as EY puts it, is that the GDPR is a “new privacy model applies to all businesses offering goods or services TO EU”. This means the business or the organization does not have to reside in the EU or even in Europe. It could be in America, Asia, wherever. The moment they decide on holding private information about an EU citizen whom they provide goods or services to, the GDPR applies.
Now that we got this out of the way, let’s start the comparison. To give you the heads-up, the GDPR is a big “upgrade” or, as some people puts it, a “much bigger beast”.
Comparison Area
DPA
GDPR
Marketing Consent
A negative opt-in had been relied on by marketers for gaining marketing consent (for example, tick here if you don’t wish to receive offers).
Must be explicit and in a form of:
· Time limited opt-in
· In plain language (age appropriate to the Data Subject)
· With the requirement that the Data Subject is able to opt-out of profiling and object to the results of profiling.
Sanctions
A maximum £500,000 fine. A key condition was the personal data breach must have caused harm or financial loss to the Data Subject.
Organizations are subject to fines, Enforcement Orders and undertakings with two different types of financial jeopardy:
· Fines for Personal Data Breaches (PDBs); and
· Fines for Administrative breaches.
Both carry between 2-5% of previous year annual turnover for a commercial organization subject to general EU competition law principles of fairness and proportionality. The bar to show PDBs has been substantially lowered as Data Subjects now only need to show ‘distress’ rather than actual harm or financial loss.
Notification & Legal Processing
Organizations were required to 'register' or 'notify' the ICO (Information Commissioner’s Office) through an online questionnaire and then pay a fee, often called Notification in order to carry out data processing of personal data.
Prior notification of personal data processing by the Data Controller has been removed. However, Data Controllers are now under much more rigorous criteria – data processing can legally take place only after the organization has assessed the impact of processing on the Data Subject, the security measures to protect such data & that the appropriate and up-to-date technical & organizational processes & procedures are in place.
Legal Rights of Data Subjects
The Data Subject had the right to request a copy of their data (Subject Access Request) on payment of a nominal fee. In addition, the Data Subject had a common law right of erasure or rectification of their personal data.
These 3 rights are explicit and no longer require a fee. In addition, there is a right to have the Data Subject’s personal data extracted and sent to them in an electronic portable format that will allow them to switch between different providers. In addition, there is a requirement to report a PDB within 72 hours to the Data Subject in order for them to take steps to protect their own personal data being legally obliged to do so.
Definitions of Personal Data
There are 3 main categories of data. Under common law, these have evolved and the categories of personal data expanded.
The 3 main categories have been widened to include a much broader list of items. For example, the Internet of Things (IoT) and location data are formally included in the definition of personal data.
Personal Data Breaches (PDAs)
It is not mandatory to inform the Supervisory Authority if a PDA occurs except under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR).
There is now a mandatory requirement to inform the Supervisory Authority within 24-72 hours of a PDB, and include references to the DPIA/DPCR conducted by the organization.
Data Protection Office (DPO)
Some 38% of EU Member States made the appointment of a DPO compulsory where notification of a PDBwasn’t mandatory under the Data Protection Directive 95/46/EC.
It is highly likely that the appointment of a DPO will be mandatory, subject to certain caveats. For example, they must not have any conflict of interest in carrying out the function. For smaller organizations, there is likely to be an exception where the duties and responsibilities of the DPOcould be outsourced to a 3rd party provider.
As a summary, these are just some of the differences between the DPA 1998 and GDPR and other major differences include how cross-border data transfers will be handled after the recent judgment that declared Safe Harbor was unlawful.
It is essential to understand that, if an organisation complies under the DPA 1998, it doesn’t mean that it will be also be compliant with the GDPR. And, hence, a whole review will be needed to meet the requirements.