Are companies storing your data to comply with the General Data Protection Regulation (GDPR)?
In the past few months, more so in the past few weeks, we have been receiving multiple letters and emails from companies about the required changes with respect to privacy policies for an organisation to comply with the General Data Protection Regulation (GDPR). Most people are thinking and worried about what is required by and how to comply with the General Data Protection Regulation (GDPR).
The Data Protection Act 1998 and 2018; until the GDPR came into effect on the 25th of May 2018; formed the basis for the UK law governing how personal data is processed, stored and protected by organisations, businesses and even the government.
Controllers with access to this data followed somewhat strict rules known as the ‘data protection principles’ which means that they had to ensure the information they have access to. Data Subject Access Requests (DSAR) is one of the data subject rights conferred under the General Data Protection Regulation (GDPR):
- used fairly and lawfully
- utilised for limited, specifically stated purposes
- adequately used, relevant and not excessive
- kept for no longer than is necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the EEA without adequate protection
With especially more stringent legal protection for sensitive information such as:
- ethnic background
- political opinions
- religious beliefs
- sexual health
- criminal records
If the Data Protection Act 1998 was effective in safeguarding citizens’ personal information then; why has the General Data Protection Regulation (GDPR) been introduced and why is every company so serious about complying with it?
Possibly, because many corporate giants are misusing personal information in light of recent advancements and developments with the widespread use of digital technology. Therefore, the Data Protection Act 1998 failed to provide a useful safeguarding measure for personal data in the digital age.
Living in a data-central world; all interactions, everything we search for, buy or even post on social media is processed and stored by organisations to target and tailor those specific advertisements you see across your Facebook page or even Instagram. Surprised? Well, while this may make life easier, convenient and connected, are people aware of what their data is exactly being used for apart from these adverts, it could also be sold to third parties without their knowledge or consent. This is why the GDPR came into effect.
The Data Protection Act 2018 and then the GDPR ensures that this personal data is used properly and legally in the digital age. Organisations cannot circumvent the previous Data Protection Act and Directive by placing specific legal obligations on organisations making them severely liable for any breaches.
It builds upon the Data Protection Act 1998 by obligating organisations to be more transparent, accountable, places limits on storage as well as strengthens confidentiality. Additionally, both the GDPR and the Data Protection Act 2018 emphasise the importance of the rights available to citizens such as; access, being informed, rectification, data portability, process restriction, and objection.
The Data Protection Act 2018 vs Data Protection Act 1998 differs in a lot of ways. The DPA revised in 2018 helps in addressing contemporary issues in the cyber world and the digital age. These updates encompass a lot more than what was already being protected under the Data Protection Act of 1998. The Data Protection Act of 2018 is rather an update on the way technology has affected data collection, data use and storage. These updates also relate to the extension of the right to privacy of individuals on a clearer and deeper level than before.
The key changes between the Data Protection Act of 2018 and the Data Protection Act of 1998 are:
- The identification of a right to erasure stemming from the right to privacy of individuals
- Introduction of greater exemptions within this law
- This is an implementation of the GDPR in the UK
- Requires the implementation of all principles of the GDPR audit by organisations processing personal data
Here is a brief analysis of the data protection law of 2018 as compared to the older one:
|Better understanding and relevance as compared to 1998’s law||Compliance may require training or expert advice|
|Improves coverage of all major aspects of data privacy rights for an individual|
Does the Data Protection Act 2018 replace the Data Protection Act 1998?
The Data Protection Act 2018 is the application of the EU GDPR law in the UK. Whereas the Data Protection Act of 1998 is what the EU GDPR is originally based on. There are some differences in both acts. For example, the identification of a right to erasure stemming from the right to privacy of individuals varies in both. The newer Data Protection Act of 2018 allows greater exemptions within this law. And the Data Protection Act 2018 also requires companies to run a GDPR audit.
Will GDPR become irrelevant after Brexit?
While the GDPR may be replacing the previous EU directive and enforcing it as a regulation. It is significant for controlling data of EU citizens by companies outside the EU as well as within. Therefore, the Data Protection Act 2018 enshrines the GDPR into British law and covers data processing. That does not fall under EU law and adjusts the standards to accommodate and work in the national context.
The ICO welcomed the Data Protection Act 2018 eagerly. It believes it to “give the UK one of the world’s most progressive data protection regimes”. Rightly so it is a landmark shaping the future of data confidentiality. By preventing theft of identity and exploitation of data by corporate giants and entrenching human rights.
The Data Protection Act of 1998 was a United Kingdom Act of parliament that was created to protect the data of individuals in the face of growing technology of the time. The Data Protection Act of 1998 varies from the Data Protection Act of 2018 due to the changes in the technology and the much-needed additions. The latter one includes many new principles and provisions of individuals and their security both online and offline. Such as the right to erasure, the right to access data, and added web safety for individuals. The Data Protection Act of 1998 did not take into account the use of web cookies and similar technologies for example, which it does not with this revision.
Listen to Article