GDPR vs Data Protection Act – what are the changes?


You’re probably at least vaguely familiar with the General Data Protection Regulation (GDPR) by now.

Hopefully, you’re already very familiar with the legislation it replaces, the Data Protection Act (DPA), which was put in place 2 decades ago, in 1998. As we have covered in previous blog posts, many of the principles set out by the GDPR are already present, or at least suggested as best practice, in the DPA. This means that if you’ve been doing a grand job of complying with the DPA for the past 20 years, chances are you’ll just need to make some small tweaks in order to comply with the new legislation.

That being said, there are a few differences that are worth pointing out. We thought we’d present these to you in a handy table format, broken down by principle, so it’s easy to see side by side the areas in which you’ll need to make changes in order to transition from DPA to GDPR. It may go without saying that we’ve tended to home in on the specific areas that are most applicable to IT asset disposal and data destruction.



| Category | Data Protection Act | GDPR |
| --- | --- | --- |
| Penalties for non-compliance | Up to £500,000 | Up to 20 million euro or 4% of annual turnover (whichever is higher) |
| Scope | Applies in the UK | Applies across all EU member states |
| Reason for processing | Must satisfy one of the “conditions for processing”: individual has consented; processing is necessary; protects vital interests; administering justice; legitimate interests | Must have one of six lawful reasons for processing: consensual; contractual; legal obligation; protects vital interests; public interest; legitimate interests |
| Individual rights | An individual has: the right of access to a copy of their personal data; the right to object to processing; the right to prevent processing for direct marketing; the right to reject decisions made by automated means; the right to have inaccurate data rectified, blocked, erased or destroyed; the right to claim damages caused by a breach of the Act | An individual has: the right to be informed about collection and use of their personal data; the right of access to their data; the right to have inaccurate data rectified; the right to have any personal data erased; the right to request the suppression or restriction of their personal data; the right to obtain and reuse their personal data across different services (“data portability”); the right to object to processing on legitimate interests/direct marketing and processing for the purposes of research and statistics |
| Data processors – contracts | You must choose a data processor that provides sufficient guarantees about security measures, and you must take reasonable steps to ensure these are being put into practice. There must be a written contract stating what the data processor is allowed to do with the personal data, and requiring them to take the same security measures as you do. There is a model contract issued by the European Committee for Standardization, but no specific requirements around what to include. | Whenever a data controller uses a processor, there must be a written contract in place. It should set out the responsibilities and liabilities of each party. The GDPR specifically sets out what to include in the contract. Controllers are liable for compliance and must only appoint processors who can provide “sufficient guarantees” that the requirements of GDPR are being met. |
| Liability | Rests solely with the data controller. | Rests with both the controller and the processor. The controller is able to seek damages from the processor. |
| Accountability | No specific requirements around accountability and demonstration of compliance. | Requires that you demonstrate that you comply with the principles and identify and document the person accountable and responsible. |
| Documentation | Other than the contractual element mentioned above for security purposes, the DPA does not set out a specific requirement for maintaining records on data processing. | You must maintain records on processing purposes, data sharing and retention schedules (how long you intend to keep and process data for). These records should be made available to the ICO on request. This documentation obligation applies to both controllers and processors. |
| Consent | Is not defined in the Data Protection Act. | Consent means “offering individuals real choice and control”. It requires positive opt-in from the individual – you cannot use pre-ticked boxes or other consent tricks. Consent should be separate from other terms and conditions, clear and concise. You should also name any third party data controllers who will rely on the consent. Consent to process activities cannot be a precondition of service. |
| Data protection officers | No requirement to appoint one. | You have a duty to appoint a data protection officer if you are a public authority or if you carry out certain processing activities (large scale, regular and systemic monitoring, processing in relation to criminal convictions and offences). |

Key differences to be aware of:

  • Steeper penalties – the cost of non-compliance under the GDPR is much higher than that of the DPA. All the more incentive to get compliant!
  • The reasons for processing are tightened up, and you are required to be more explicit and transparent with users about how and why you are using their data.
  • An individual has many of the same rights as under the DPA, one of the main differences being they can request that any personal data be erased – currently they must be able to prove that it is inaccurate.
  • A written contract between the data controller and third party processor is required, specifying liabilities and responsibilities. There are specific guidelines under the legislation as to what this contract should include.
  • Both data controllers and processors are liable in the event of a breach.
  • You are required to maintain records on data processing purposes, sharing and retention schedules.
  • Consent is carefully defined – you must obtain a clear and positive opt-in, and consent must be separate from your terms and conditions and not a precondition of service.
  • Public authorities and organisations carrying out certain data processing activities have a duty to appoint a data protection officer.

We hope this post has helped make clear some of the key differences between the current legislation and the upcoming GDPR. If you would like any more guidance or advice on how you can make sure that your end-of-life data processing is fully compliant, we are happy to help out – just


The author: Mark Cotterell