GDPR is widely regarded as the biggest change to the data protection regime in the UK for nearly 20 years. It came into effect on 25 May 2018.
GDPR affects how you process (for example, collect, store, use and dispose of) personal data. Personal data is any information relating to a person or which might be traced back to a particular person. Name, address, email address, phone number, age, ethnicity, medical and financial details are all examples of personal data.
GDPR imposes more stringent requirements in a number of areas with a view to giving individuals more control over their personal data and failure to comply with GDPR can lead to significant fines.
The Difference Between GDPR and Data Protection Act 1998
So here are some of the key differences between GDPR and the former Data Protection Act 1998:
- Expanded territorial scope – Any person or company, whether they are inside or outside the EU, is subject to GDPR if they offer goods or services to people in the EU (even where no payment is received) or if they monitor people’s behaviour within the EU.
- Increased enforcement powers – GDPR significantly increases the maximum fines for non-compliance up to €20 million or four per cent of global turnover (whichever is higher).
- Consent, as a legal basis for processing, will be harder to establish – if you wish to process data, under GDPR you must have the consent of the person whose data you hold. This must be freely given and unambiguous, for a specific purpose, via a clear, affirmative action. Businesses must be able to demonstrate that the data subject gave this consent and will need to be able to prove that consent was validly obtained. The data collected must only be used for the specified purpose and only stored for as long as is necessary to carry out that stated purpose. Clear details must also be provided about how people can opt out or request that their data is erased.
- Obligations for data processors – GDPR introduced direct compliance obligations for processors (those who process personal data on behalf of another person who controls the data) meaning that processors may be liable to pay non-compliance fines.
- The ‘accountability’ principle – GDPR requires businesses to demonstrate that they are complying with the GDPR principles by, for example, implementing appropriate technical and organisational measures (such as internal data protection policies), maintaining relevant documentation on processing activities and appointing a data protection officer (where required). Compliance means showing ongoing awareness and accountability, as opposed to a one-off box-ticking exercise!
Get in Touch for More Information
If you have any questions about GDPR regulations, please contact Beswicks Legal today.