Happy Birthday! GDPR and Data Protection 1 year on
Twelve months on from the implementation of the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018), we look at the impact of the regulations. Like the millennium bug before it, GDPR has been and gone and the data apocalypse failed to materialise. However, for those not listening to the scaremongering, the Information Commissioner's Office (ICO) stated that this was an evolution, not a revolution.
What has changed?
GDPR and DPA 2018 did bring about some significant changes to data protection, but they also reaffirmed the requirements set out in the Data Protection Act 1998 (DPA 1998).
One of the biggest changes has been consent. Under the GDPR, marketing consent must be explicit and obtained through an opt-in process. The burden of proof to show consent has shifted to the Data Controller, and businesses will now need to prove that consent wasn’t required because legitimate processing conditions were met.
Another change has been fines and claims. Under the DPA 1998, fines were a maximum of £500,000. Under the GDPR, businesses are now subject to fines of between 2% and 4% of their previous year’s annual turnover.
Claims by individuals for data breaches now only need to show ‘harm’ rather than actual financial loss, which is a much lower evidential burden than under the DPA 1998.
Under the DPA 1998, individuals had the right to request a copy of their data, known as a Subject Access Request (SAR), on payment of a fee. Under GDPR, SARs no longer require a fee. In addition, individuals now have a right to have their personal data transferred, the right to rectification, and the right to erasure.
These are just some of the changes implemented by GDPR and the DPA 2018, which businesses should be implementing in addition to assessing their compliance with data protection.
Our head of Employment and Dispute Resolution, Ryan Bickham, states: ‘12 months on from the GDPR implementation, the fear of small businesses being hit with massive fines was an exaggeration; however, this should not mean businesses should be complacent. We have already seen an increase in businesses and individuals seeking advice on data breaches and the potential claims for compensation. We would advise businesses to continue to review their data protection compliance and ensure that individuals’ data is protected. One of the biggest areas of risk is when data is shared with third parties. Businesses should ensure that they have rigorous procedures in place to deal with sharing and allowing access to personal data.’
If you need advice or assistance with your Data Protection compliance, then please contact Ryan Bickham at our Shrewsbury office either by email or by telephone on 01743 248148.
PCB Solicitors have offices throughout Shropshire and Mid Wales in Shrewsbury, Telford, Church Stretton, Ludlow, Knighton and Clun (by appointment).