Is there a difference between GDPR and the Data Protection Act (DPA)? In short, yes: there are a number of differences you must align with.
How is GDPR different from the Data Protection Act?
The overall principles of data protection have not changed greatly; however, there are a number of differences, including the following:
- You can no longer charge for ‘subject access requests’, and they have to be fulfilled within 30 days
- There is now a mandatory requirement to appoint a Data Protection Officer (DPO), depending on the complexity and sensitivity of your personal data activities
- The definition of ‘Personal Data’ has been expanded to include online identifiers, location data, and genetic data
- Notification of breaches is now mandatory (within a 72-hour timeframe) for breaches that adversely impact a data subject
- The regulations now place responsibilities on both data controllers and data processors
- There is now a right to claim compensation for ‘non-material damage’, i.e. where there has been no financial loss
- Parental consent is now required for individuals under 16
- Consent to data processing now has to be a ‘clear, affirmative action with the ability to be withdrawn at a later date’
- The maximum penalties for breaches have risen to 4% of global turnover or £20M (whichever is greater)