How is GDPR different from the Data Protection Act?

Is there a difference between GDPR and the Data Protection Act (DPA)? In short, yes: there are a number of differences you must align to.

The overall principles of data protection have not changed greatly, but there are a number of differences, including the following:

  • You can no longer charge a fee for ‘subject access requests’ (other than for requests that are manifestly unfounded or excessive), and they must be answered within one month of receipt, extendable by a further two months only for complex or numerous requests
  • Appointing a Data Protection Officer (DPO) is now mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data
  • The definition of ‘Personal Data’ has been expanded to include online identifiers, location data, and genetic and biometric data
  • Notification of breaches to the supervisory authority is now mandatory within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, the affected data subjects must also be informed without undue delay
  • The regulation now places direct obligations on data processors as well as data controllers
  • There is now a right to claim compensation for ‘non-material damage’ (e.g. distress), i.e. where there has been no financial loss
  • Parental consent is now required to offer online services directly to children under 16 (member states may lower this threshold to no less than 13)
  • Consent now has to be ‘freely given, specific, informed and unambiguous’, given by a clear affirmative action, and must be as easy to withdraw as it was to give
  • The maximum penalty for a breach has risen to 4% of annual global turnover or €20 million (whichever is higher)
