The Data Protection Act 1998 implemented the current EU Data Protection Directive (95/46/EC). On 14 April 2016 the European Parliament voted in favour of a new EU General Data Protection Regulation, which will replace the Directive in 2018. While many of the provisions of the Regulation mirror those of the Directive, there are some differences. Unlike the Directive, the Regulation will not need to be implemented through national law. Instead it will have direct effect, applying directly to public- and private-sector data controllers.
The differences include:
- Greater emphasis being placed on the documentation data controllers must keep to demonstrate their accountability;
- A new right to data portability, which goes beyond a subject access request in that the data must be provided electronically, in a structured, commonly used and machine-readable format;
- In most cases no longer being able to charge for complying with a subject access request;
- The timescale for complying with a subject access request being reduced from 40 days to one month;
- Different grounds for refusing a subject access request;
- Provision of additional information such as data retention periods and the right to have inaccurate data changed;
- New protections for children's personal data;
- A wider duty to notify the ICO of data protection breaches;
- A legal requirement to carry out Privacy Impact Assessments (termed Data Protection Impact Assessments in the Regulation) for processing that is likely to be high risk; and
- More stringent requirements on obtaining consent from individuals to their personal data being processed.
The Information Commissioner's Office has published guidance, "Preparing for the General Data Protection Regulation - 12 steps to take now", to help businesses prepare for the Regulation taking effect in 2018.