Over the past one to three months, we have received a considerable number of letters and emails, all asking us to make several modifications to our organisation’s privacy policies to be considered compliant with GDPR. Everyone has been worrying about what the General Data Protection Regulation (GDPR) requires and how to comply.
The Data Protection Acts 1998 and 2018 laid the groundwork for UK law on how organisations, businesses, and the government process, store, and protect personal data. The GDPR, which took effect on May 25, 2018, updated these regulations.
In this blog, we will compare the Data Protection Acts of 1998 and 2018, and look at how the Data Protection Act relates to GDPR.
Data Subject Access Requests (DSARs) are one of the data subject rights conferred under the General Data Protection Regulation (GDPR). Under the earlier regime, controllers with access to this data followed somewhat strict rules known as the ‘data protection principles’, meaning they had to ensure the information they held was:
- used fairly and lawfully
- utilised for limited, expressly stated purposes
- adequately used, relevant and not excessive
- accurate
- kept for no longer than is necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the EEA without adequate protection
There was especially stringent legal protection for sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- health
- sexual health
- criminal records
Data Protection Act 1998
If the Data Protection Act 1998 was influential in safeguarding citizens’ personal information, why has the General Data Protection Regulation (GDPR) been introduced, and why is every company so serious about complying with it?
Possibly because many corporate giants have been misusing personal information, enabled by recent advances in, and the widespread use of, digital technology. The Data Protection Act 1998 therefore failed to provide an adequate safeguard for personal data in the digital age.
Data Protection Act 2018
We live in a data-centric world: everything we search for, buy, or even post on social media is processed and stored by organisations to target and tailor the advertisements you see on your Facebook page or Instagram. Surprised?
The GDPR ensures that organisations use data legally and properly while protecting individual privacy and rights.
- GDPR builds on the Data Protection Act 1998, enhancing transparency, accountability, and data confidentiality.
- It places strict legal obligations on organisations, making them liable for data breaches.
- Key rights for individuals include access, being informed, rectification, data portability, process restriction, and objection.
- The Data Protection Act 2018 addresses modern technological issues, updating privacy rights for the digital age.
The Data Protection Act 2018 differs from the Data Protection Act 1998 in many ways. The revised DPA 2018 helps address contemporary issues of the cyber world and the digital age.
The Data Protection Act 2018 updates the law to reflect how technology has changed the collection, use, and storage of data. These updates also extend individuals’ right to privacy more clearly and more deeply than before.
Key changes
The key changes between the Data Protection Act 2018 and the Data Protection Act 1998 are:
- The identification of a right to erasure, stemming from individuals’ right to privacy
- The introduction of greater exemptions within the law
- The implementation of the GDPR in the UK
- A requirement that organisations processing personal data implement all the principles of the GDPR and undergo a GDPR audit
Here is a brief analysis of the data protection law of 2018 as compared to the older one:
UK Data Protection Act on Privacy Management
The United Kingdom first passed the DPA as a domestic law in 1988 to govern how organisations manage personal data and other information. The law was updated in 1998 and then replaced by the UK DPA 2018 on May 25, 2018.
The basic concepts covered in the Data Protection Act include:
- People have a fundamental right to privacy.
- People have a right to find out what information about them is collected and stored by the government and other organisations.
- Organisations that collect information must build trust by managing privacy correctly.
- Personal data must not be collected or used for any purpose other than the explicit purpose that an individual consented to. Personal data can be collected and used for only specified and legitimate purposes. Those purposes must be fair, just, transparent, and legitimate.
- Organisations must ensure records relating to individuals are correct and, where appropriate, kept up to date. They should only keep these records for as long as necessary.
- Organisations that collect data must follow the rules relating to privacy management, including protecting the data from unauthorised or unlawful access or processing, and from loss, damage, or destruction.
- Organisations must be cautious about how they handle sensitive personal information.
Does the Data Protection Act of 2018 replace the 1998 Act?
The Data Protection Act 2018 transposes the EU GDPR into UK law and supersedes the earlier Data Protection Act 1998. However, the two Acts differ in some ways. For instance, the right to erasure, granted to EU individuals under their right to privacy, is defined differently in the two pieces of legislation.
The DPA 2018 allows greater scope for exemptions from the law than its 1998 predecessor. Furthermore, it obliges companies to conduct a GDPR audit.
Will GDPR become irrelevant after Brexit?
While the GDPR replaces the previous EU directive and is enforced as a regulation, its significance is that it controls the processing of EU citizens’ data by companies outside the EU as well as within it.
With Brexit, the UK enshrined GDPR principles into British law through the Data Protection Act (DPA) 2018, ensuring the continued upholding of data protection standards. The DPA 2018 adjusts these standards to fit the UK’s national context post-Brexit.
The ICO eagerly welcomed the Data Protection Act 2018. It believes it will “give the UK one of the world’s most progressive data protection regimes.”
Rightly so: it is a landmark that will shape the future of data confidentiality, preventing identity theft and data exploitation by corporate giants and entrenching human rights.
Data Protection Act 1998 vs GDPR
If companies have to follow both GDPR 2018 and the Data Protection Act 1998, they should be aware of a few main differences, which are:
Geographic reach
- GDPR applies to data processing by organisations operating within the EU.
- GDPR also applies to organisations outside the EU that offer services or goods to individuals in the EU.
- The Data Protection Act 1998 applies only to data processing by organisations operating within the UK.
Data protection
- GDPR mandates that organisations with over 250 employees, or firms that process more than 5,000 subject profiles annually, appoint a dedicated Data Protection Officer.
- Companies must demonstrate “data protection by design” measures to comply with GDPR.
- This means considering privacy and data protection issues at the design phase of any system, service, product, or process.
- Companies must continue considering these issues throughout their entire lifecycle.
Consent policies
- One of the defining differences between GDPR and the Data Protection Act 1998 is the consent rules.
- Data collection under the Data Protection Act does not necessarily require an opt-in.
- GDPR requires clear privacy notices.
- This ensures consumers can make an informed decision about consenting to their data being stored and used.
Accountability
- GDPR places a much greater focus on accountability than the Data Protection Act.
- Organisations must prove they comply with the regulation.
- Companies must commit to mandatory activities, such as:
  - Conducting data audits
  - Providing staff training
  - Keeping detailed documentation of how they collect, store, and process data
New consumer rights
GDPR gives consumers substantial new rights:
- The right to be forgotten
- The right to object to automated decision-making
- Data portability rights
Bottom Line
In conclusion, the transition from the Data Protection Act 1998 to the Data Protection Act 2018, alongside GDPR, marks a significant advancement in data protection standards.
These changes address modern digital challenges, enhance individual privacy rights, and impose stricter compliance requirements on organisations. As data privacy evolves, leveraging tools and solutions from Seersco.com can help ensure that your organisation effectively meets these robust requirements.
Seers’ expertise in GDPR compliance and cookie consent management will help you navigate these complex regulations and safeguard your data practices.