Below are some differences found online to explain the difference between the Data Protection Act and the new legislation, ‘GDPR’. We thought this table may be of benefit to you.
| DPA (Data Protection Act 1998) | GDPR (General Data Protection Regulation) |
|---|---|
| The Data Protection Act was developed to give protection and lay down rules about how data about people can be used. The 1998 Act covers information or data stored on a computer or an organised paper filing system about living people. | EU General Data Protection Regulation (GDPR) in Europe, adopted in 2016, will be directly applicable starting on May 25, 2018, and will replace the DPA |
| Only applies to the UK | Applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens |
| Enforced by the Information Commissioner’s Office (ICO) | Compliance will be monitored by a Supervisory Authority in the UK with each European country having its own SA |
| Under the current legislation there is no need for any business to have a dedicated DPO | A DPO in some countries will be mandatory for any business or organisation with more than 250 employees |
| There is no requirement for an organisation to remove all data they hold on an individual | An individual will have the ‘Right to erasure’, which includes all data including web records, with all information being permanently deleted |
| Privacy Impact Assessments (PIAs) are not a legal requirement under the DPA but have always been ‘championed’ by the ICO | PIAs will be mandatory and must be carried out when there is a high risk to the freedoms of the individual. A PIA helps an organisation to ensure they meet an individual’s expectation of privacy |
| Data collection does not necessarily require an opt-in under the current Data Protection Act | The need for consent underpins GDPR. Individuals must opt-in whenever data is collected and there must be clear privacy notices. Those notices must be concise and transparent and consent must be able to be withdrawn at any time |
| Directive sets aims and requirements, implemented through national legislation | Regulation is binding for all member states |
| Personal data and sensitive personal data | In addition, now includes online identifiers, location data, and genetic data |
| Breach notifications not mandatory for most organisations | Mandatory and within 72 hours |
| Any person who has material damage is entitled to claim compensation | Any person who has suffered material or non-material damage |
| Data protection governance down to best endeavours | Recommendation of a data protection officer to be employed from outside the company for organisations with 250+ employees or more than 5,000 subject profiles per annum |
| Maximum fine is 500,000 | Maximum fine 4% of annual turnover or €20M, whichever is greater |
| Responsibility rests with the Data Controller | Rests with both the controller and processor, with the controller being able to seek damages from the processor |
| Parental consent for minors not required | Parental consent for minors now required |
| Accountability is limited | Accountability fully explicit |
| Subject access requests, £10 per transaction and within 40 days | Free of charge and within 30 days |
| Data consent freely given, specific and informed | Clear affirmative action with the ability to be withdrawn later |