GDPR and Data Protection Act (DPA) 1998 & 2018

30 Min free consultancy

The GDPR regulation of May 25th, 2018 provided much-needed improvements to the Data Protection Act (DPA) of 1998 & 2018. It was felt by many to be long overdue since the DPA 1998 was no longer considered fit for the purpose for which it was originally designed.

“The guidelines under the Data Protection Act 2018 stated that a business in the United Kingdom that is collecting, storing or processing an individual’s details and information must adhere to the regulations as defined by the Data Protection Act of 2018For businesses that did not adhere to these regulations, fines could be issued to the organisations of up to £500,000 for failure to comply with the Data Protection Act 2018.”

Any fines issued under the DPA 2018 were typically for data breaches and very often not issued. However, the Data Protection Act 2018 did not fully cover the changes that took place in the business world particularly, within the technology sector as businesses changed the ways in which they manage and use personal data. With the advent of online shopping, the rapid rise of social media due to data analysis tools and online marketing tools using personal data and information from current user trends.

Breach of Data Protection Act 2018 can take place if there is a misuse of personal data, illegal processing of personal data, or if a person is unaware that his/her data is in use for online marketing or any other marketing purposes for which the user did not provide their consent to the organisation.

Summarising the principles of the Data Protection Act (DPA) 2018

The Data Protection Act 2018 applies to every business and organisation based in the UK which processes an individual’s personal data and information. A set of guidelines, mainly for self-management, are available for businesses.

The key points under the Data Protection Act (DPA) 2018 are set out below; these are the fundamental points that businesses need to comply with in order to meet the regulations set out by the DPA 2018. Businesses and organisations must ensure that personal data should be:

  • be used properly and legally.
  • collected, held and processed for only specified purposes.
  • sufficient and relevant and by no means excessive.
  • accurate and kept up to date.
  • should not be retained for an excessive period if it is no longer applicable.
  • an individual’s rights must be protected and not be forgotten when processing data.
  • securely stored and processed.
  • should not be transferred outside of the UK unless sufficient legal protection is in place.

Any business that is found to be in breach of the Data Protection Action 2018 could be at risk of being penalised up to £500,000 by the regulator: Information Commissioner’s Office (ICO). With the urgent need for the Data Protection Act (DPA) 2018 to be reviewed, it was replaced with the EU General Data Protection Regulation (GDPR) in May 2018.  In summary, each and every business in the EU needs to comply with the GDPR law or they could be at risk of hefty fines, possible imprisonment, reputational risk and loss of business.

data protection act

The General Data Protection Regulation (GDPR)

If you have a business in the EU, then you will be aware of the General Data Protection Regulation (GDPR).

“The European Commission laid down the basis to reform the data protection regulation to be applied across all member states within the EU in 2012.”

These reforms were put in place to ensure that Europe is in line with an ever-evolving and modern digital revolution. This necessitated extra protection for users who readily divulge private information online. The new regulation is applicable to all organisations in Europe but also globally for any organisation that transacts with customers in the EU or processes data of individuals within Europe.

What are the main entities of the GDPR?

Under the GDPR there are three data entities:

  1. The data controller can be a single person within an organisation, or it may be a public authority or agency. Ultimately, the data controller is the body that determines “the purposes and means of the processing of personal data”;
  2. The data processor can be a public body or an individual who carries out the processing of personal data on the controller’s behalf.
  3. Data Protection Officer (DPO) is a new role brought into force by the GDPR. The role of the DPO is “to ensure that an organisation processes the personal data of its staff, customers, data providers or any other individuals (also referred to as data subjects) with GDPR compliance with the applicable data protection rules.”

The GDPR audit places a higher level of responsibility upon processors and controllers who are legally required to ensure that an organisation, its staff members, its customers and any third-party suppliers/contractors/vendors are compliant under GDPR.

  • The GDPR law ensures that there are solid standards for the protection and privacy of data that is held by organisations and that businesses can benefit in this global digital economy in the correct manner.
  • The regulations are developed over many years to manifest how we live in this digital era, mainly while focusing on the areas of protection, privacy and consent.
  • The GDPR law has been designed in such a way to help speed up global business internet usage and ensure that the data privacy rights of individuals are protected.

GDPR and online services

The bottom line is that every aspect of daily life now revolves online, whether it involves:

  • Social networking
  • Online banking
  • Online shopping

These online experiences continue to change and evolve.  The GDPR has been designed to cover existing and new developments efficiently unlike the now outdated DPA 1998. Practically every online service involves the collection and analysis of personal data, and most people are happy to accept and take privacy risks due to the convenience of using online services. Conversely, third party “behind the scene” organisations that track and monitor data online are the primary subject of the GDPR.

These organisations are typically ISPs, (Internet Service Providers), who are legally obliged to track and monitor data to ensure the smooth running of networks and prevent security attacks. ISPs have been permitted in many instances to collect and sell private data without permission and have access to billions of online e-commerce transactions which allows them to analyse data and understand individual buying trends.

The GDPR, at last, has protected an individual’s data and information against such practices. Online conglomerates make it their business to collect data to compose a valuable resource of data to be sold to marketers and advertisers. Companies such as those listed below have been a huge financial success, not just down to the user experience that they offer. But mainly due to their rudimentary business models for advertising and their ability to deliver related adverts to customers based on the previous browsing history.

  • Facebook
  • Google
  • Amazon
  • YouTube

Income is being generated by the likes of Facebook. Each time an advert is delivered to a target user or a link is clicked for example. Every link you click is tracked, and accessed by the likes of Facebook and based on your previous searches and browsing history, these websites can determine exactly what advertising should be displayed to you.

Internet privacy and the question of data collection and storage has been simmering for many years — the fact that data breaches are resulting in stolen or lost information and the negligent sharing of private data. Private data are the chief problem that the GDPR will hopefully resolve. Data breaches have been taking place for years but with the outdated DPA regulations and financial penalties, these were not a sufficient deterrent to the larger online businesses.

✓ Comply or indemnify

The GDPR fines are much higher than the financial penalties under the DPA. An organisation can be fined up to 20 Million Euros or 4% of their annual turnover, whichever is higher if they are found to be in breach of the GDPR.  It is a mistake to assume that a small business will fall outside of these regulations and penalties. Thus, all businesses should take preventative action to ensure that personal data is collected, stored, processed, accessed and manipulated in a legal manner.

✓ Protection of data and personal information

Personal data refers to data that has the potential to identify an individual, and includes but is not limited to:

  • Names
  • Addresses
  • Photos
  • IP addresses
  • Genetic data
  • Biometric data
  • Account numbers

Businesses are required to ensure that they have compliant with GDPR with the use of proper processes and procedures, policies and documents, compliant cookie consent banner and risk assessments tools such as DPIA, subject request management etc. The organisation must take into account:

  • How is personal data captured?
  • How is the personal data stored?
  • How is the personal data used?
  • How is the personal data going to be accessed outside of the EU?

Once this exercise is established, your business must carry out impact assessments on data protection and privacy. To help your organisation to identify and deal with potential issues in the event of a security breach. How your business deals with a GDPR data breach is a process of paramount importance. One that has to be taken seriously in order to ensure compliance with GDPR.

Article 35 of the GDPR gives guidance on the areas that should be covered by an impact assessment. For a business to understand and ensure GDPR compliance, key policies (incl. privacy policy, cookie policy, terms and conditions, breach policy etc.), proper processes and procedures, as well as, training for all staff members on GDPR should be undertaken.

The emphasis for all organisations should be on policies, procedures, and systems which are designed for data protection in mind. It is crucial in this digital age for an organisation to have effective and integral security policies, processes and procedures in place to protect the data they hold.

✓ Rights of individuals

A major change brought about by the GDPR is a greater degree of rights for individuals on how their private data is held, used, processed, managed, shared, accessed and manipulated including the right to:

  • understand what data and information is held by an organisation;
  • to refuse the use of such data;
  • to delete their personal data held by organisations.

✓ Fair and transparent data processing

The GDPR has imposed duties upon businesses to provide detailed explanations directly to their data subjects in a clear and transparent manner. Businesses are being urged therefore to incorporate these explanations into their policies and procedures in such a way as to make them available to individuals. Such policies have to provide a comprehensive outline of the basis and purpose of the organisation for using such data and the correct measures to be in place for protecting this data. 

Potential issues to take into consideration

✓ Data breaches

All organisations should be utterly aware across all departments and personnel as to what would constitute a security breach.

The GDPR stipulates:

“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches as an outcome of both accidental and deliberate causes. It also means that a breach is not just about losing personal data.”

The ICO website is a useful resource for a more detailed explanation of data breaches and clear examples of what constitutes a breach.

It will significantly assist an organisation in providing thorough GDPR training and putting in place strict policies and procedures. This is vital for all personnel as they need to recognise and apprehend any breach and act quickly to inform the regulator and take the necessary precautions when such a breach occurs.

✓ Third-party contracts

Many organisations use third-party suppliers and contractors, it is the norm in business but how will this be affected under the GDPR?

Any well-reputed organisation will always want to avoid entering into detrimental relationships with third-party businesses. A method of ensuring that your organisation remains compliant with GDPR is to carry out checks on each of your suppliers to understand that they too comply with the GDPR law. Organisations should conduct a proper data privacy impact assessment (DPIA)  to assess the risks and undertake measures to mitigate these risks. Regardless of where your suppliers are based if they are holding and processing data from the EU, they must also adhere to the GDPR. 

GDPR and Data Protection Act 2018 Summary

The GDPR is all about creating transparency and long term trust between organisations and their data subjects.  It is clear the GDPR has come a long way since the DPA law of 1998 and 2018, and this is clearly what was needed for so many years. The provisions change the way in which data is acquired along with consent from individuals and by implementing well thought out policies and procedures.  This will ensure your organisation is GDPR compliant and avoid GDPR fines for not adapting to the regulations.

“Regular reviews of the GDPR and keeping abreast of your policies and procedures will ensure you stay GDPR compliant and also gain the trust of not only your customers but other third-party organisations who would like to transact with GDPR compliant organisations.”

The Data Protection Act of 2018 is the implementation of the EU GDPR (General Data Protection Regulation) in the UK. The data protection act outlines and prescribes ways to address data privacy in the digital world. It stipulates that information must flow with ease, and without discomfort. The data subjects, private individuals and businesses to a great extent are also covered under the data protection act 2018.

This act ensures that:

  • All data subjects in the digital world are free from unwanted use of their information
  • No unwanted marketing or propaganda related communication is directed towards private individuals without their consent
  • Harm through identification or information leakage to unwanted parties is limited and reduced 
  • All unlawful use of information, exchange or monetary deals on the exchange of information are limited
  • Reduction of any risk to the private individuals in case of  exposure to their personal information
data protection act

The actions undertaken by all firms in the UK are subject to the Data Protection Act of 2018. This allows individuals to be in control of their own information. The act ensures better safety provisions for people whose sensitive information may be shared or used.

How to become GDPR compliant?

There is much more that organisations need to understand in order to become compliant with GDPR, far more than was necessary for the Data Protection Act 2018. Companies such as Seers, offer AI-based, cutting edge, “one-stop-shop” privacy and consent management solutions such as cookie consent management solution, GDPR assessments and audits,  GDPR training, policies and documentation, subject request management, data privacy impact assessment and data privacy experts to ensure that your organisation is compliant with GDPR and other privacy regulations. 

Conclusion

Changes in the way human beings engage in commercial activity, the rapid rise of online communications and the increase in the virtual nature of the business, home and social life resulted in the need for a revised legislative system. The data protection act 2018 has been thus upgraded in the form of the GDPR law

The GDPR and data protection act 2018, both elaborate on the same principles of privacy and data security. Whilst, the GDPR also takes into account the data subjects, identifying that they have a right not to be subject to automated decision making or profiling. As compared to the DPA 2018 that allows data subjects to be profiled and subject to an automated decision if there are adequate legitimate grounds for doing so and safeguards can protect individual rights and freedoms. The remaining principles are the same for both legal acts.

The key points of the GDPR remain the same as the key points of the data protection act 2018 but are more detailed and comprehensive on the aspect of cybersecurity and practical implementation with respect to the rights of data privacy for individuals.