Under current legislation, the Data Protection Act 1998 covers the processing, obtaining, recording and holding of data, or carrying out any operation or set of operations on the data.
The eight data protection principles which flow from the legislation state that data controllers must ensure that personal data is:
- Processed fairly and lawfully and, in particular, shall not be processed unless:
  (a) at least one of the conditions in Schedule 2 is met, and
  (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The current Data Protection legislation is only applicable in the UK as different EU countries have enacted their own versions of the original Data Protection Directive.
Because of inconsistencies in the scope of data protection legislation across the European member states, in 2011 the European Parliament agreed and approved reform of the Data Protection Directive, resulting in the creation and ratification of the General Data Protection Regulation (GDPR), which will take effect from May 2018.
In addition to the eight data protection principles detailed above, GDPR introduces two important over-arching concepts:
- Accountability
- Transparency
The GDPR is also a Regulation rather than a Directive, which means it is directly applicable in each member state (one continent = one law) instead of the 28 conflicting laws that flowed from the Data Protection Directive.
Distinctions can be drawn between the current Data Protection Act 1998 and the GDPR as follows:
| The Data Protection Act | GDPR |
|---|---|
| Applies to “data controllers” established in the EU; multiple laws apply and conflict | Applies to controllers and processors; also applies to non-EU controllers offering goods or services to EU residents or monitoring the behaviour of EU citizens; consistency mechanism |
| Personal data defined as: data which relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller | Personal data defined as: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person |
| Breach Notification | Breach Notification |
| Legal obligation on communications providers only to notify the ICO of a breach | Compulsory notification for ALL breaches unless unlikely to result in a risk to the rights and freedoms of individuals; without undue delay and, where feasible, within 72 hours; notice must include specific information; obligation to notify the data subject where there is a high risk to the rights and freedoms of individuals |
| Data Protection Officer | Data Protection Officer |
| Not compulsory in the UK | Compulsory for certain organisations |
| Registration | Registration |
| Compulsory | Not necessary |
| Risk Exposure | Risk Exposure |
| Undertakings and substantial fines up to £500,000 | Fines up to 4% of global turnover or 20,000,000 euros, whichever is greater |
| New rights for data subjects | New rights for data subjects |
| Personal data retained for as long as necessary; rights to rectification, erasure or blocking | Right to erasure and to be forgotten; right to data portability |
| Privacy Notices | Privacy Notices |
| Data Controllers need to be transparent about what information is collected, how it is used and with whom it is shared | Introduces a much stricter regime by setting minimum information requirements |
| Impact Assessments | Impact Assessments |
| Not currently required, but best practice | Required where processing is likely to result in a high risk to individuals’ rights and freedoms |
| Access to Information | Access to Information |
| Individuals who request access to information may be charged up to £10 by the organisation which controls the data. The Data Controller must respond within 40 days of the request and can refuse vexatious or repeat requests by individuals | Significantly enhanced rights for data subjects, who have rights to additional information. The time limit for the Data Controller to respond to subject access requests is reduced from 40 days to one month. The right to charge a fee for providing information is removed unless it is for copies |
| Consent | Consent |
| Not defined; Regulator guidance says that it must be fully informed and freely given | “Clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data.” |
| International Transfers | International Transfers |
| Transfers prohibited unless there is adequate protection; applied differently across jurisdictions | Maintains the same mechanisms for transfer but ensures consistent interpretation across Member States; additional derogation where the transfer is limited and in the legitimate interests of the Data Controller, provided adequate safeguards are in place |
Nicola Parr is an Associate at Nelsons. For more information, contact Nicola on 0800 024 1976.