With just under a year before the General Data Protection Regulation (GDPR) is in force across all EU Member States, time is running out for organisations to become compliant before the 25 May 2018 deadline.
While many UK organisations may be compliant with the current Data Protection Act 1998 (DPA), there are several significant differences between the Act and the GDPR that organisations may struggle to adhere to, particularly by the deadline.
The technological landscape has changed dramatically in the last two decades. For instance, when the DPA was passed, only 9% of UK households had Internet access, compared to 89% in 2016, according to the Office for National Statistics. With the huge growth in Internet use across multiple devices, the DPA has become increasingly outdated, as data subjects can now hand over their personal data at the tap of a button. The GDPR aims to empower data subjects and reconsiders protection and processing practices in the light of new technologies such as Big Data and Over-the-Top messaging and voice calling services such as WhatsApp, Skype and Snapchat.
So, what are some of the major differences between the DPA and the GDPR?
One of the biggest challenges for organisations, particularly with regard to direct marketing, is going to be consent. The principles that consent must be freely given, specific and informed remain; however, the current “grey areas” around pre-checked opt-outs will be forbidden under the GDPR. Consent must be positive, explicit and unambiguous, meaning an opt-in will need to be sought for all processing and marketing activities. As a result, organisations will be heavily reliant on legitimate interests as a lawful basis for processing, a basis which remains largely unchanged from the current DPA definition.
Under the DPA, the Data Controller is solely responsible for any breach, being the ultimate decision maker as regards how personal data is used, with the Data Processor accountable only under contractual mechanisms. However, under the GDPR this accountability is extended to Data Processors, who may now also be subject to the hefty fines of up to €20m or 4% of global turnover.
Right to Access
While Subject Access Requests are a common occurrence under the DPA, the Regulation prohibits charging data subjects for the information. However, the ICO states that if a data subject’s requests are particularly unreasonable or repetitive, a fee proportionate to the administrative work required can be charged.
While the aim of the GDPR is to give data subjects better control over how their data is used, and to encourage the free flow of data throughout the EU, there is still a high degree of uncertainty regarding the true impact of the Regulation on UK organisations. Only time will tell…