Will GDPR replace the DPA?
The Data Protection Act (DPA) 1998 was repealed on 25th May 2018, the day the European Union's (EU) General Data Protection Regulation (GDPR) came into force. The GDPR applies directly in all EU member states; in the UK it is supplemented and implemented by the updated Data Protection Act 2018 (DPA 2018). Since the GDPR now shapes data privacy law across the EU, any gathering, processing or storage of personal data in the UK must comply with the GDPR and its UK implementation, the DPA 2018.
In the UK, GDPR compliance is monitored and enforced by the Information Commissioner's Office (ICO).
What is the GDPR?
The GDPR is an EU-wide data protection regulation, not a directive: unlike the 1995 Data Protection Directive it replaced, it applies directly in every member state without needing to be transposed into national law. It applies to all organisations established in the EU, as well as to organisations outside the EU that offer goods or services to people in the EU or monitor the behaviour of individuals in the EU. As one of the driving forces behind updating data protection legislation, and since the UK remains in the EU until 2019, the UK has implemented the GDPR through its updated Data Protection Act (DPA) 2018. The DPA 2018 will continue to be enforced post-Brexit, since the UK will still trade with the EU and was heavily involved in drafting and modernising the new legislation to help keep personal information secure.
GDPR Key Principles (Article 5):
- Lawfulness, fairness and transparency
- Purpose limitation: only using data for the specified, explicit purposes for which it was collected (note that "legitimate interests" is one of the six lawful bases for processing, not a purpose in itself, and is generally the most flexible of them)
- Data minimisation: only collecting data that is adequate, relevant and strictly necessary for those purposes
- Accuracy: ensuring any data held is accurate and, where necessary, kept up to date
- Storage limitation: keeping data in a form that identifies individuals for no longer than necessary
- Integrity and confidentiality: processing data securely, protecting it against unauthorised access, loss and damage
- Accountability: being able to demonstrate compliance with the principles above
The GDPR also extends the rights of individuals, known as data subjects. A data subject is any identified or identifiable living person whose personal data is held or processed by an organisation, usually outside their direct control. Given the increasingly technological world in which we live, practically all of us are data subjects, and all of us have plenty of information held about us digitally. As such, the GDPR states that individuals must be granted the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to processing
- Rights related to automated decision making, including profiling
Changes to Data Protection Following GDPR
As was widely reported in the months leading up to the GDPR's implementation, the new legislation hugely increased the financial penalties organisations may face for breaking data protection law, including for data breaches. Under the GDPR, the ICO can now issue fines of up to €20 million or 4% of a business's total worldwide annual turnover for the preceding financial year, whichever is greater, for the most serious infringements. Fines of this magnitude could cripple businesses.
The GDPR was implemented to update data protection legislation for the digital age. The intention was to put the power back into data subjects' hands in order to help them feel secure when disclosing personal data on the internet and elsewhere. For example, the right of access (exercised through a subject access request, which is normally free of charge under the GDPR) increases transparency by allowing data subjects to see exactly what information organisations and platforms (e.g. social media) hold about them. Subjects can then decide whether to restrict sharing permissions, or to invoke their right to erasure and leave platforms or organisations altogether. Any organisation that handles personal data must ensure that its employees are up to date on these extended rights of the individual.
GDPR's increased focus on accountability means that it is no longer enough for organisations to declare that they comply with data protection law; compliance must now be demonstrated with clear evidence. Measures such as Data Protection Impact Assessments (DPIAs), which the GDPR requires before any processing that is likely to result in a high risk to individuals, help organisations implement data protection by design and by default. This should generate a greater sense of trust between the public and the organisations they deal with.