Data Protection Act vs GDPR vs UK GDPR : Getting to grips with the changes

The Data Protection Act 1998 (DPA) came into force over 20 years ago. At that time, Google was three people in a garage. Offices were still using word processors. Telephone numbers were kept in a Rolodex. And most people had never heard of the internet. A lot has changed in the last 20 odd years and the law is still trying to catch up.  

The DPA sought to protect individuals’ personal information. At the same time, it recognised that the free flow of personal information within the European Union had economic benefits which needed preserving. That was (and is still) a tricky balance.

The changes brought in by the General Data Protection Regulation (GDPR) sought to maintain this balance, but there are crucial differences which businesses should be aware of. These differences have sprung largely out of inadequacies identified over the last 20 odd years in the DPA which the GDPR sought to address.

So, what are the differences between the DPA and the GDPR?

Whilst the law is never nimble enough to keep up with all advances in technology, the GDPR is a significant improvement upon the DPA. It applies to more companies in more places and protects more data. The consequences of non-compliance can no longer be ignored by organisations. They must show that they comply rather than merely say that they comply. If organisations get things wrong and personal data is lost or compromised, the likelihood under the GDPR is that they will have to report the breach. And, finally, all companies will have to look carefully at their legal basis for processing and if that is ‘consent’ recognise that such consent can be withdrawn at any time.

More organisations need to comply with the GDPR 

The GDPR applies not only to EU organisations but also non-EU organisations in certain circumstances. For example, if a US company is selling software to an EU individual, or monitoring such an individual for the purpose of targeting advertising to that individual, the GDPR applies to that US company.

The DPA applied only to companies that control the processing of personal data (Controllers).  The GDPR extended the law to those companies that process personal data on behalf of Controllers (Processors). For example, if you buy a new television on the internet and give your contact details to the web-based store to enable delivery of that television, only the store would be liable for looking after your personal information under the DPA. Under the GDPR, the store and the delivery company could both be liable.

These two changes closed two loopholes which undermined the protection of individuals within the EU.

There are larger fines for breaching the GDPR 

The GDPR allows the regulator to fine non-compliant companies up to 4% of global turnover. Under the DPA, the largest fine allowed was £500,000 and the highest fine ever handed out was £400,000.

For large (possibly multinational) companies with a high turnover, it was felt that a maximum fine of £500,000 was not significant enough to deter bad practice. It should be said, however, that such huge fines are only levied for very serious breaches where organisations willfully ignore the law resulting in a significant effect on the rights and freedoms of individuals. For example, in the case of a large scale loss of special category (sensitive) data.

Organisations need to be able to demonstrate their compliance

The regulator continues to emphasise the need for accountability within organisations and diligent record keeping. Organisations are required to demonstrate compliance with the GDPR. They need to be able to show the regulator that they take data protection compliance seriously and that they have recorded the steps showing such seriousness.

This is a break from the DPA where the perception had often been that many organisations only paid lip service to compliance.

The GDPR’s requirement to notify data breaches to the regulator 

Under the DPA the regulator recommended that organisations notify it if they experienced a data breach.  However, under the GDPR there is a requirement to notify the regulator and individuals’ affected under certain circumstances.

This change means that organisations can no longer seek to keep quiet about data breaches.  Under the GDPR organisations may still choose to keep quiet and not notify, but if the data breach becomes public and the regulator finds that the organisation did not comply with the law, any fine is likely to be a lot higher.

Consent is getting more specific

Organisations need a legal basis to process personal information. One of those legal bases is “consent”.  This was the case under the DPA and continues under the GDPR. However, under the GDPR, that consent has to be more specific and more granular. For example, instead of getting consent for marketing by ‘opt out’ or, so called ‘soft opt in’, organisations have to obtain separate, specific ‘opt in’ consent for marketing by email, by telephone and by in product messaging. Also, under the GDPR, organisations have to inform individuals that they can withdraw such consent at any time.

These changes were deemed necessary because it was felt that individuals did not have sufficient control under the DPA over what their personal information was used for.

I’ve written a great (even if I do say so myself) article on this.

The definition of personal data has been extended 

The GDPR (like the DPA before it) applied to the processing of “personal data”. However, the GDPR extended the scope of that definition and also makes it more specific and up to date. For example, the GDPR makes it explicit that “online identifiers’ may make an individual identifiable and, therefore, any information related to that individual will be “personal data”. This is of particular importance to the online advertising industry and its use of cookies and tracking IDs.

The change was necessary because the DPA was borne out of a predominantly offline world of filing cabinets and telephone sales. Whilst such things still exist, the GDPR needs to protect individuals in an online world of targeted online advertising and in app messaging.

GDPR vs UK GDPR

Just when we’d got used to the differences in the UK between the DPA 1998 and the GDPR, along came Brexit and the UK GDPR.  Don’t worry, there is no need to be confused.  Basically, all the UK GDPR does is retain the GDPR in UK law post-Brexit with minor amendments so it makes sense in a domestic only context (eg. maximum fines are in £ instead of €).  We are now in the position where we have the GDPR and the UK GDPR.  As of updating this article in April 2022 they are identical.  Therefore, if you comply with the GDPR, you comply with the UK GDPR.  Things have got a little complicated around non EU/UK international data transfers as a result of the UK no longer being in the EU, but that’s for another day!