You’re probably at least vaguely familiar with the General Data Protection Regulation (GDPR) by now. Hopefully, you’re already thoroughly familiar with the legislation it replaces, the Data Protection Act (DPA), which was put in place two decades ago, in 1998. As we have covered in previous blog posts, many of the principles set out in the GDPR are already present in the DPA, or at least suggested by it as best practice. This means that if you’ve been doing a grand job of complying with the DPA for the past 20 years, chances are you’ll only need to make some small tweaks in order to comply with the new legislation.
That being said, there are a few differences that are worth pointing out. We thought we’d present them in a handy table, broken down by principle, so it’s easy to see side by side the areas in which you’ll need to make changes in order to transition from the DPA to the GDPR. It may go without saying that we’ve tended to home in on the specific areas most applicable to IT asset disposal and data destruction.
| Category | Data Protection Act | GDPR |
|---|---|---|
| Penalties for non-compliance | Up to £500,000 | Up to 20 million euro or 4% of annual turnover (whichever is higher) |
| Scope | Applies in the UK | Applies across all EU member states |
| Reason for processing | Must satisfy one of the “conditions for processing”: | Must have one of six lawful reasons for processing: |
| Individual rights | An individual has: | An individual has: |
| Data processors – contracts | You must choose a data processor that provides sufficient guarantees about security measures, and you must take reasonable steps to ensure these are being put into practice.<br>There must be a written contract stating what the data processor is allowed to do with the personal data, and requiring them to take the same security measures as you do.<br>There is a model contract issued by the European Committee for Standardization, but no specific requirements around what to include. | Whenever a data controller uses a processor, there must be a written contract in place. It should set out the responsibilities and liabilities of each party.<br>The GDPR specifically sets out what to include in the contract.<br>Controllers are liable for compliance and must only appoint processors who can provide “sufficient guarantees” that the requirements of the GDPR are being met. |
| Liability | Rests solely with the data controller. | Rests with both the controller and the processor. The controller is able to seek damages from the processor. |
| Accountability | No specific requirements around accountability and demonstration of compliance. | Requires that you demonstrate that you comply with the principles, and that you identify and document the person accountable and responsible. |
| Documentation | Other than the contractual element mentioned above for security purposes, the DPA does not set out a specific requirement for maintaining records on data processing. | You must maintain records on processing purposes, data sharing and retention schedules (how long you intend to keep and process data for). These records should be made available to the ICO on request.<br>This documentation obligation applies to both controllers and processors. |
| Consent | Is not defined in the Data Protection Act. | Consent means “offering individuals real choice and control”. It requires a positive opt-in from the individual – you cannot use pre-ticked boxes or other consent tricks. Consent should be separate from other terms and conditions, and clear and concise. You should also name any third-party data controllers who will rely on the consent. Consent to processing activities cannot be a precondition of service. |
| Data protection officers | No requirement to appoint one. | You have a duty to appoint a data protection officer if you are a public authority or if you carry out certain processing activities (large-scale, regular and systemic monitoring, or processing in relation to criminal convictions and offences). |
Key differences to be aware of:
- Steeper penalties – the cost of non-compliance under the GDPR is much higher than that of the DPA. All the more incentive to get compliant!
- The reasons for processing are tightened up, and you are required to be more explicit and transparent with users about how and why you are using their data.
- An individual has many of the same rights as under the DPA. One of the main differences is that they can request that any personal data be erased – currently they must be able to prove that it is inaccurate.
- A written contract between the data controller and any third-party processor is required, specifying liabilities and responsibilities. There are specific guidelines under the legislation as to what this contract should include.
- Both data controllers and processors are liable in the event of a breach.
- You are required to maintain records on data processing purposes, sharing and retention schedules.
- Consent is carefully defined – you must obtain a clear and positive opt-in, and consent must be separate from your terms and conditions and not a precondition of service.
- Public authorities and organisations carrying out certain data processing activities have a duty to appoint a data protection officer.
We hope this post has helped make clear some of the key differences between the current legislation and the upcoming GDPR. If you would like any more guidance or advice on how you can make sure that your end-of-life data processing is fully compliant, we are happy to help out – just get in touch via https://www.xpoitservices.co.uk/contact-us/.