Is there a difference between GDPR and the Data Protection Act (DPA) – In short yes, there are a number differences you must align to.
How is GDPR different from the Data Protection Act?
The overall principles of data protection have not changed greatly, however there are a number of differences to include the following:
- You can no longer charge for ‘subject access requests’ and they have to be provided within 30 days
- There is now a mandatory requirement to appoint a Data Protection Officer (DPO) depending on complexity/sensitivity of personal data activities
- The definition of ‘Personal Data’ has been expanded to include online identifiers, location data, and genetic data
- Notification of breaches is now mandatory (and within a 72 hour timeframe) for breaches that adversely impact a data subject
- The regulations now have responsibilities for both data controllers and data processors
- There is now a right to claim compensation for ‘non material damage’ i.e. where there has been no financial loss
- Parental consent is now required for individuals under 16
- Data consent now has to be ‘clear, affirmative action with the ability to be withdrawn at a later date’
- The maximum penalties for breaches has risen to 4% of global turnover or £20M (whichever is greatest)
If you share customer data, ensure that you comply with the data protection principles. There are 7 data protection principles that ensure confidentiality, integrity and security of data.
We don’t share the customer data we collect?
Regardless of if you share the customer data you collect, the GDPR still applies. There are several Data Protection principles that need to be upheld, to include ensuring confidentiality, integrity and security of data.
The principles are defined below:
Principle (a) Lawfully, fairly and transparently processed;
Principle (b) Obtained only for specific legitimate purposes;
Principle (c) Adequate, relevant, limited in line with data limitation principles;
Principle (d) Accurate and up to date, with every effort to erase or rectify without delay;
Principle (e) Stored in a form that permits identification no longer than necessary;
Principle (f) Ensure appropriate security, integrity and confidentiality of personal information using technological and organizational measures; and
General Accountability for the above
There are numerous legislative Acts and Regulations that mandate statutory retention periods for documents such as financial records or HR or Health and Safety records. In addition to these, business should be stipulating their own retention periods for the data and records they keep (to include those that contain personal data).
There is no single answer to this question, but it is an area that needs to be addressed by businesses as part of adhering to the principle “Stored in a form that permits identification no longer than necessary”
Once defined, the retention policies need to be adhered to!
What rights do customers and staff have?
All data subjects have ‘rights’ under GDPR, to include staff and clients. The GDPR provides the following rights for individuals:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling
Data subject consent?
This is clearly defined by GDPR, what the data subjects wishes are in processing their data.
What is a freedom of information request?
Under the GDPR, individuals will have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information – this largely corresponds to the information that should be provided in a privacy notice
You must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.
In order to provide the information you must verify the identity of the person making the request, using “reasonable means”. If the request is made electronically, you should provide the information in a commonly used electronic format.
Our 7 Steps to Success
The Blackmores ISO Roadmap is a proven path to go from idea to launching your ISO Management System.
Whether you choose to work with one of our isologist consultants or work your own way through the process on our isology Hub, we’re certain you’ll achieve certification in no time!
What our clients have to say
The support and advise I get from our assigned auditors is immense. Forward planning for the following year is great and they are flexible and always willing to help.
“Blackmores have assisted us almost since the start of our adoption of the ISO 9001 quality standard. Their input has improved our processes since the start, and enabled our goal of continuous improvement to be achieved. The people are also extremely easy to get on with, and they really understand our business, giving us a great deal of confidence in their advice.”
“Blackmores are the perfect bridge between working on your ISO as an individual or company, to being audited each year. We find that any queries we have are covered and we feel sure that we have everything as needs be before going into an external audit.”
“We have been extremely impressed with the service and support provided by Blackmores. There knowledge and assistance through out our ISO journey has been amazing!”
“Blackmores have really kept us on our toes with the broad scope and level of detail they apply to our internal audit schedule. They always stay abreast of ISO standard changes and help us to adapt our processes and documents to embrace these changes accordingly. Having Blackmores shadow our external audits provides invaluable confidence and peace of mind – would highly recommend their services!”
“Our ISO 27001 certification project has gone so well, that there was no doubt in who we were going to ask to help us with our aspirations of becoming ISO 14001 certified. It’s been an absolute pleasure working with Blackmores, and we are really looking forward to working with them for the foreseeable future.”
Trusted by leading organisations across all sectors, we support companies of all sizes in any location.
Listen to our Podcast
Welcome to the ISO Show podcast, dispelling myths and sharing tips for success to improve your business with ISO Standards. Join us to hear interviews with successful business leaders as they share their ISO journey with you.
Get top tips via audio master classes “ISO Steps to Success” on the most popular ISO Standards.