How well were companies storing your data before the General Data Protection Regulation?

In the past few months, and more so in the past few weeks, we have been receiving letters and emails upon emails from companies about changes to their privacy policies. Most people, if not all, are probably wondering what all this is about and, most specifically, what the GDPR (General Data Protection Regulation) is.

Until the 25th May 2018, the Data Protection Act 1998 was the UK law governing how personal data is processed, stored and protected by organisations, businesses and even the government.

Controllers with access to this data followed somewhat strict rules known as the ‘data protection principles’. Data Subject Access Requests (DSAR) are one of the data subject rights conferred under the General Data Protection Regulation (GDPR). The principles meant that controllers had to ensure the information they had access to was:

  • Used fairly and lawfully
  • Utilised for limited, specifically stated purposes
  • Adequately used, relevant and not excessive
  • Accurate
  • Kept for no longer than is necessary
  • Handled according to people’s data protection rights
  • Kept safe and secure
  • Not transferred outside the EEA without adequate protection

There was even more stringent legal protection for sensitive information such as:

  • Ethnic background
  • Political opinions
  • Religious beliefs
  • Health
  • Sexual health
  • Criminal records

If the Data Protection Act 1998 was effective in safeguarding citizens’ personal information then why has the General Data Protection Regulation been introduced and why is every company so serious about incorporating this?

Possibly it is because many corporate giants are misusing this information in light of recent advancements and developments in modern technologies. The Data Protection Act 1998 therefore failed to provide a useful safeguarding measure for the data of today.

We live in a data-central world: all our interactions, everything we search for, buy or even post on social media, is processed and stored by organisations to target and tailor the specific advertisements you see across your Facebook page or even Instagram. Surprised? Well, while this may make life easier, more convenient and more connected, is anyone aware of exactly what their data is being used for apart from these adverts? It could also be sold to third parties without knowledge or consent. This is why the GDPR came into effect.

The GDPR and, following on from it, the Data Protection Act 2018 ensure that this personal data is used properly and legally in this data-central world. They do not allow organisations to circumvent the rules as they could under the previous Data Protection Act and Directive, because they place specific legal obligations on organisations, making them severely liable for any breaches.

It builds upon the 1998 Act by obligating organisations to be more transparent and accountable, by placing limits on storage and by strengthening confidentiality. Additionally, both the GDPR and the Data Protection Act 2018 emphasise the importance of the rights available to citizens, such as access, being informed, rectification, data portability, process restriction, and objection.

The Data Protection Act 2018 and the Data Protection Act 1998 differ in a lot of ways. The DPA as revised in 2018 helps to address contemporary issues in the cyber world and the digital age. These updates encompass a lot more than what was already being protected under the Data Protection Act of 1998. The Data Protection Act of 2018 is rather an update reflecting the way technology has affected data collection, data use and storage. These updates also extend the right to privacy of individuals on a clearer and deeper level than before.

The key changes between the Data Protection Act of 2018 and the Data Protection Act of 1998 are:

  • The identification of a right to erasure stemming from the right to privacy of individuals
  • Introduction of greater exemptions within this law
  • Implementation of the GDPR in the UK
  • Requires the implementation of all principles of the GDPR audit by organisations processing personal data

Here is a brief analysis of the data protection law of 2018 as compared to the older one:

Pros:

  • Better understanding and relevance as compared to 1998’s law
  • Clarifies exemptions
  • Improves coverage of all major concerning aspects

Cons:

  • Compliance may require training or expert advice

But isn’t this an EU regulation that will become irrelevant after Brexit?

While the GDPR may be replacing the previous EU directive and enforcing it as a regulation, it is significant for controlling the data of EU citizens held by companies outside the EU as well as within. Therefore, the Data Protection Act 2018 enshrines the GDPR into British law, covers data processing that does not fall under EU law, and adjusts the standards to accommodate and work in the national context.

The ICO welcomed the Data Protection Act 2018 eagerly. It believes the Act will “give the UK one of the world’s most progressive data protection regimes”. Rightly so: it is a landmark shaping the future of data confidentiality by preventing theft of identity and exploitation of data by corporate giants, and by entrenching human rights.


The Data Protection Act of 1998 was a United Kingdom Act of Parliament that was created to protect the data of individuals in the face of the growing technology of the time. The Data Protection Act of 1998 varies from the Data Protection Act of 2018 due to the changes in technology and the much-needed additions. The latter includes many new principles and provisions for individuals and their security both online and offline, such as the right to erasure, the right to access data, and added web safety for individuals. The Data Protection Act of 1998 did not take into account the use of web cookies and similar technologies, for example, which it does now with this revision.


Does the Data Protection Act 2018 replace the Data Protection Act 1998?

The Data Protection Act 2018 is the application of the EU GDPR law in the UK, whereas the Data Protection Act of 1998 is what the EU GDPR was originally based on. There are some differences between the two Acts. For example, the identification of a right to erasure stemming from the right to privacy of individuals varies between them. The newer Data Protection Act of 2018 allows greater exemptions within this law, and it also requires companies to run a GDPR audit.

