The current laws relating to the protection and handling of data are set out in the Data Protection Act 1998 (DPA).
However, on the 25th of May 2018 the DPA will be replaced by new regulation - the General Data Protection Regulation (GDPR) - this will not only be enforced across the UK but also across the EU, and will remain in place despite the fact that the UK is set to leave the European Union in 2019.
Why is the law changing?
The Data Protection Act was created in 1998 and was designed to meet the data needs of the time. Times have however have moved on and it has become increasingly clear that the current regulations are not fit for purpose in today's data driven world. This is mainly down to the growth of the internet and the changes in online activity such as advertising, social media and email marketing.
GDPR is an attempt to bring these data regulations up-to-date and will build upon and the current DPA in terms of handling personal data.
The key principles
The current Data Protection Act sets out eight principles in terms of the processing of data. These will remain in place once GDPR is introduced. They are:
- Data must be processed fairly and lawfully;
- Data must only be obtained for specified and lawful purposes;
- Data must be adequate, relevant and not excessive;
- Data must be accurate and up to date;
- Data must not be kept for longer than necessary;
- Data must be processed in accordance with the “data subject’s” (the individual’s) rights;
- Data must be securely kept;
- Data must not be transferred to any other country without adequate protection in place.
In addition to these GDPR will contain the following changes:
- Enhanced documentation to be kept by data controllers;
- Enhanced privacy notices;
- More detailed rules regarding ‘consent’;
- Mandatory data breach notification requirements;
- Enhanced data subject rights;
- New obligations on data processors;
- Expanded territorial scope;
- Appointment of Data Protection Officers;
- Significant increases in the size of fines and penalties for non-compliance.
Terms you need to know
- Data subject – in both DPA and GDPR, this means the subject of personal data.
- Data controller – the data controller is the decision maker. Under the GDPR the data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.
- Data processor – under GDPR this is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. This person acts only under instruction of the data controller, keeping personal data secure from unauthorised access, loss or destruction.
- Processing – in both pieces of legislation this means the obtaining, recording or holding of information or data or the carrying out of any operation or set of operations on the information or data, including: access, storage, retrieval, disclosure and erasure/deletion.