How Has the Data Protection Act Been Changed?

People talk about the General Data Protection Act (GDPA), which came into effect in May 2018 in the UK, as something new.  However, in many ways it is an update of the pre-existing 1996 Data Protection Act which was thought to need revision because of the rapidly-changing technology since the 1990s.  The new guidelines run to 99 articles which fill 88 pages and mean that Europe boasts the strongest data protection laws in the world. 

There are two main aspects to the GDPA.  The first part of the legislation details the obligations of businesses which regularly have to process data – whether they are in the private or public sector.  The GDPA has been encapsulated in 8 principles of conduct that all organisations should abide by.  These rules emphasise that people’s data should be used fairly and transparently, and all efforts should be made to ensure it is both accurate and up-to-date.  Personal data should be used for the explicit purpose for which its collection was intended and be erased when it is no longer needed.  There is also stronger protection for what is considered ‘sensitive’ information.  This includes details about someone’s political affiliation, religion, state of health, etc. 

In light of recent data breaches which have affected many different businesses from airlines to social media, the GDPA states that people’s data should be securely protected from any unlawful access, loss, damage, etc.  If security is compromised, the firm has 72 hours to inform the ICO (Information Commissioner’s Office).  This is the regulator which is responsible for overseeing the implementation of the legislation and if necessary, carrying out criminal investigations.  Firms which employ more than 250 employees must hire a DPO (Data Protection Officer) so that firms can ensure their compliance.

As part of their regulatory role, the ICO has greater powers to punish offenders.  Under the previous Data Protection Act, they could only impose fines of up to £500,000.  However, now they are entitled to fine businesses 2% or 4% of a company’s global turnover or 10/20 million euros (whichever is the greater). 

The revised GDPA has a second aspect which directly affects customers and/or consumers.  They now have the right to find out what data has been stored about them by submitting a Subject Access Request completely free of charge.  As a result of this access, they can ask for data to be updated, demand that processing is restricted or stopped, or have data erased.  The Act also allows for greater portability of personal details so consumers can give permission for their data to be sent to another company and be reused.  In certain circumstances, they can opt out of their data being used for automated decision-making processes or for consumer profiling.

In a world where so much is stored on computer, revising the original Data Protection Act was long overdue.  This doesn’t necessarily mean the internet is solely negative, especially as you can access online payday loans.  Apply online here for a streamlined application procedure.