So, what are the differences between the DPA and the GDPR?
Whilst the law is never nimble enough to keep up with all advances in technology, the GDPR is a significant improvement upon the DPA. It applies to more companies in more places and protects more data. The consequences of non-compliance can no longer be ignored by organisations. They must show that they comply rather than merely say that they comply. If organisations get things wrong and personal data is lost or compromised, the likelihood under the GDPR is that they will have to report the breach. And, finally, all companies will have to look carefully at their legal basis for processing and, if that is ‘consent’, recognise that such consent can be withdrawn at any time.
More organisations need to comply with the GDPR
The GDPR applies not only to EU organisations but also non-EU organisations in certain circumstances. For example, if a US company is selling software to an EU individual, or monitoring such an individual for the purpose of targeting advertising to that individual, the GDPR applies to that US company.
The DPA applied only to companies that control the processing of personal data (Controllers). The GDPR extended the law to those companies that process personal data on behalf of Controllers (Processors). For example, if you buy a new television on the internet and give your contact details to the web-based store to enable delivery of that television, only the store would be liable for looking after your personal information under the DPA. Under the GDPR, the store and the delivery company could both be liable.
These two changes closed two loopholes which undermined the protection of individuals within the EU.
There are larger fines for breaching the GDPR
The GDPR allows the regulator to fine non-compliant companies up to 4% of global turnover. Under the DPA, the largest fine allowed was £500,000 and the highest fine ever handed out was £400,000.
For large (possibly multinational) companies with a high turnover, it was felt that a maximum fine of £500,000 was not significant enough to deter bad practice. It should be said, however, that such huge fines are only levied for very serious breaches where organisations wilfully ignore the law, resulting in a significant effect on the rights and freedoms of individuals; for example, a large-scale loss of special category (sensitive) data.
Organisations need to be able to demonstrate their compliance
The regulator continues to emphasise the need for accountability within organisations and diligent record keeping. Organisations are required to demonstrate compliance with the GDPR. They need to be able to show the regulator that they take data protection compliance seriously and that they have recorded the steps showing such seriousness.
This is a break from the DPA where the perception had often been that many organisations only paid lip service to compliance.
The GDPR’s requirement to notify data breaches to the regulator
Under the DPA the regulator recommended that organisations notify it if they experienced a data breach. However, under the GDPR there is a requirement to notify the regulator and the individuals affected under certain circumstances.
This change means that organisations can no longer seek to keep quiet about data breaches. Under the GDPR organisations may still choose to keep quiet and not notify, but if the data breach becomes public and the regulator finds that the organisation did not comply with the law, any fine is likely to be a lot higher.