What’s the difference between GDPR and the Data Protection Act 1998? Corporate & Commercial

There are a number of key differences to note between GDPR (General Data Protection Regulation) and the Data Protection Act 1998:

Expanded territorial scope: Any person or company, whether they are inside or outside the EU, will be subject to GDPR if they offer goods or services to people in the EU (even where no payment is received) or if they monitor people’s behaviour within the EU.

Increased enforcement powers: GDPR will significantly increase the maximum fines for non-compliance up to €20 million or four per cent of global turnover (whichever is higher).

Consent, as a legal basis for processing will be harder to establish: Where a person’s consent is relied on to process their personal data under GDPR.  This must be freely given and unambiguous for a specific purpose via a clear, affirmative action. Businesses must be able to demonstrate that the data subject gave this consent and will need to be able to prove that consent was validly obtained. The data collected must only be used for the specified purpose and only stored for as long as is necessary to carry out that stated purpose. Clear details must also be provided about how people can opt out or request their data is erased.

New obligations for data processors: GDPR introduces direct compliance obligations for processors (those who process personal data on behalf of another person who controls the data) meaning that processors may be liable to pay non-compliance fines.

The ‘accountability’ principle: GDPR requires businesses to demonstrate that they are complying with the GDPR principles by, for example, implementing appropriate, technical and organisational measures (such as internal data protection policies), maintaining relevant documentation on processing activities and appointing a data protection officer (where required). Compliance involves ongoing awareness and accountability as opposed to a one-off box ticking exercise.