GDPR vs the Data Protection Act 1998 (DPA)?

While many of the themes of the GDPR are the same as those in the DPA, there are some significant differences between the GDPR and the DPA, including:

  • The introduction of a new accountability requirement. The GDPR requires businesses to have comprehensive but proportionate governance measures in place and to show how they comply with the core GDPR principles, for example by documenting the decisions they take about their processing activities.
  • Unlike the DPA which only placed obligations on data controllers, the GDPR places obligations on both data controllers and data processors.
  • Data processors will have significantly more legal liability if they are responsible for a breach of the GDPR. However, this does not mean that data controllers are relieved of their obligations where a data processor is involved, because the GDPR requires data controllers to ensure that their contracts with data processors comply with the GDPR (for more information on these obligations see the “Contracts with third party service providers” page).
  • The DPA only applied to processing carried out by organisations operating within the UK, but the GDPR applies to processing carried out by organisations operating within the EU and to organisations based outside the EU which offer goods or services to, or monitor the behaviour of, individuals based within the EU.
  • The definition of personal data under the GDPR is more detailed and expressly includes genetic and biometric data. The GDPR also makes it clear that IP addresses and other online identifiers can be personal data. Personal data that has been pseudonymised can also fall within the scope of the GDPR, depending on how difficult it is to identify a particular individual from the pseudonym (for example, where the key or other additional information needed to reverse the pseudonym is still held).
  • The GDPR contains stricter obligations in relation to obtaining consent from data subjects for the use of their personal data (for more information on these obligations see the “Consent” page).
  • The GDPR requires organisations to adopt new technical and organisational “data protection by design and by default” measures and to be able to demonstrate compliance with the GDPR.
  • Data subjects are given substantial new rights under the GDPR including the right to be forgotten, the right to object to automated decision making and data portability rights (for more information on these new rights see the “Rights of Individuals” pages).
  • The fines for non-compliance under the GDPR have increased to a maximum of 4% of annual global turnover (or €20 million, whichever is higher), and the fines can be imposed by reference to the turnover of an entire group, not just the individual company responsible for the breach (for more information see the “Penalties for non-compliance” page).
  • The GDPR places a new obligation on certain organisations to appoint a Data Protection Officer (DPO).