Comparison Between General Data Protection Regulation And Data Protection Act

Data Protection Act

Discuss about the Technology and its Social, Legal and Ethical Context.

The General Data Protection Regulation is a regulation of EU law on data protection and privacy of the individuals in the European Union (EU). The data protection regulation addresses the export of persona data outside EU. The Data Protection Act 1998 was a United Kingdom Act of Parliament was designed with an aim of protecting the personal data stored in the computer or stored in an organized paper filing system. The purpose of the report is to compare the new General Data Protection Regulation against the older Data Protection Act. In this report the main elements of the data protection regulation will be analyzed in order to evaluate the process by which the new data protection regulation offers wider protection than the previous acts. The report will further evaluate whether ethics is sufficient to protect a data without the need of new regulation. The purpose of Data protection Act and General Data Protection Regulation is to control the way the private and the confidential information is handled. The data protection act gives legal to the people who have information stored about them. The data protection act and data protection regulation control the process by which the personal information is used by the organization, any business or even government. These laws ensure that the personal information that is used by the organization is strictly controlled. The data that is protected is accustomed to strict rules which are called data protection principles (Morrison et al. 2017). The people who are using this data are needed to follow these strict rules. The comparison between the Data Protection Act and General Data Protection Regulation is discussed in the following paragraphs.

The General Data Protection Regulation is a new data protection law, the older one being the Data Protection Act 1998. The differences between these two acts are needed to be evaluated in order to understand whether the new law provides greater and wider protection than the previous data protection act.

Data Protection Act: The data protection Act was passed by the Parliament to control the process by which the information is handled. The Data Protection Act 1998 was designed with an aim of protecting the personal data stored in the computers or in traditional paper based systems. Under this Data Protection Act, the individuals had the legal rights to control the information about them that is stored (Kuner 2012). In this act, anyone holding any personal data for other purpose is legally obliged to comply with the rules and regulations of the act. The Data Protection Act defined eight principles of data protection in order to ensure that the information is lawfully processed. This data protection act was however suppressed by the data protection Act 2018 and it supplements the EU General Data Protection Regulation.

General Data Protection Regulation

The main purpose of data protection legislation is to ensure that the personal information is properly and legally used. This legislation imposes certain obligations on people who hold personal information of others. The Data Protection Act came into force in March 2000. The Data protection Act recognises the importance of data being kept for historical purpose and has certain provisions for the same (Kosta 2013). The Data Protection Act however imposes a duty on those who are holding personal data to register such data with the Information commissioner as the person is needed to comply with the eight principles of Data Protection Act. Compliance with the eight principles of the data protection Act is necessary as it allows an individual to access data only in certain circumstances. The Data Protection Act applies to all information about all the living individuals that is held by the public authorities, whatever be the format or structure of the records be (Lynskey 2015). The data protection act was developed in order to give protection and set rules about the process by which data about people can be used. The Data Protection Act is an act of United Kingdom Parliament that defines the ways in which information about living people can actually be used or handled (Charlesworth 2012). The main intention of the data protection act is to protect the individuals from the misuse or abuse of information about them.

General Data protection Regulation: The General Data Protection Regulation lays down certain rules related to the protection of people with relation to the processing of personal data and rules related to free movement of personal data. The regulation protects the fundamental rights and freedoms of the natural person and particularly their rights of protecting the personal data. According to the rules of the general data protection regulation, the free movement of the personal data within the Union shall neither be restricted nor prohibited for reasons connected with the processing of the personal data. The general data protection regulation reform package entered into force in May 2016 (Hoepman 2014). This regulation is the basis of free flow of data across the digital single market. The general data protection regulation brought a considerable change with the data protection act. The general data protection regulation is a regulation in EU law on the protection of the data and privacy of the individuals within the European Union. The general data protection regulation was adopted on April 2016 and became enforceable only on May. This regulation applies to each member state of the European Union and it aims at creating more consistent protection of the consumer and the personal data across the EU nations. The key privacy and data protection requirements under general data protection regulation are as follows (Van der Sloot 2014)-

1. The consent of subjects for data processing is required
2. In order to protect the privacy, anonymity with the collected data is ensured.
3. Under this regulation, the data breach notification is provided.
4. It requires the companies to appoint data protection officer to oversee the GDPR compliance.

Differences between Data Protection Act and General Data Protection Regulation

The general data protection regulation contains 11 chapters and 91 articles that provide the rules of data protection. It was designed in order to harmonize the data privacy laws across Europe to empower all the EU citizens of data privacy and in reshaping the way an organization handles the data (Hallinan, Friedewald and McCarthy 2012). Therefore, the companies that make use of the data of the citizens under European Union countries will need to comply with the strict rules of protecting the data of the customer. It is expected to set new standards for consumer rights regarding their data use.

However, the compliance with the general data protection regulation might cause some concerns and new expectations of the security teams. The general data protection regulation will take a wide view in the personal identification information and therefore, the companies need to ensure a certain level of protection for elements, which include the IP address of an individual and cookie data associated with name, address and social security number. This regulation was needed as a process for free flow data across the digital single market. One of the high points of this act is that this regulation recognizes that the children deserves specific protection of their personal data as they are generally less aware of the risks, consequences and therefore, their data is needed to be protected (Hallinan, Friedewald and McCarthy 2012). The general data protection regulation foresees that the consent for data processing of a child is authorised by the people who holds parental responsibility of the child. The age limit for this is 16 years. There are a number of benefits of general data protection regulation in comparison to the older data protection act. One of the significant benefits of making use of data protection principle is that the data protection law across all the 14 EU countries will be same which will in turn eliminate the need of consulting the local lawyers in ensuring local compliance. Therefore, it can be said that the data protection definitely provides better and wider protection in comparison to the previous act.

There are a number of differences between the general data protection regulation and old data protection act which are as follows-

1. Geographical Reach and Scope: The standards of the data protection act were generally implemented through the national legislation. While that of general data protection regulation I a binding piece of regulation that applies to all EU nations and every company that are holding the data of EU citizens (Vandekerckhove and Lewis 2012).
2. General data protection regulation expands the definition of personal data in order to include a much wider range of consumer information. While the data protection act only considers the information that is used to identify an individual and their personal details. Therefore, it can be said that general data protection regulation broadens the scope of personal data by including the online identification markers and genetic information.
3. There is a significant difference in the consent policies of general data protection regulation and data protection act. According to the old rules, the data collection did not need or require any opt in but under general data protection regulation, the consumers must be provided with clear privacy notices so that they can make informed decision on whether they provide consent about the storage and use of their personal data (Jenkins 2015).
4. Under the old data protection act the business were under no obligation to report when the data breach is occurring. However, with the general data protection regulation, the data breaches are needed to be reported to the relevant authorities within 72 hours of incident.
5. General data protection regulation places much greater focus on explicit accountability for data protection by making it a direct responsibility of the companies rather than the hands off approach as followed in Data Protection Act. This makes it mandatory for the firms to commit to certain activities such as staff training, internal data audit and detailed documentation.
6. The limits of the fines that are to be imposed is increased in general data protection regulation which was considerably lower in data protection act.

 The above discussed points provide an idea of the major differences between the data protection Act and general data protection regulation.  From the above discussed points, it can be understood that the general data protection regulation is quite complex and offer a better or wider protection that the previous act. The new regulation addresses the loopholes and the drawbacks of the previous act and therefore it can be considered as a reformed version of data protection act. The principles of general data protection regulation and data protection act are discussed in the following section.

Principles of Data Protection Acts

Principles and Issues

The principles of the Data Protection Act are as follows –

1. The first principle of data protection act is that the personal data shall be processed fairly and lawfully.
2. The second principle of data protection act states that the personal data shall be obtained only for lawful purposes and the obtained data shall not be further processes in a manner that might be incompatible with that purpose.
3. The personal data shall be relevant and not excessive in relation to the purposes for which they are processed.
4. Personal data should be accurate and should be kept up to date.
5. According to the data protection act, the personal data that is processed for any purpose should not be kept any longer than necessary.
6. According to the data protection act, the personal data is needed to be processed accordance with the rights of data which indicates that the rights of the people should be respected according to the rule
7. Appropriate technical and the organizational measures shall be taken against unlawful processing of the personal data that covers accidental loss or destruction.
8. According to the data protection act, the personal data shall not be transferred to a country outside the European Economic Area unless the territory ensures proper level of protection that is needed from protection and processing of the personal data.

However, there are certain issues associated with the data protection. Under this act, the data can only be used for purpose for which has been collected. Furthermore, when the information is to be shared publicly, the information is needed to be suitably anonymised.

There principles of general data protection regulation are as follows (Burton and Anna 2013)-

1. According to this regulation, the personal data is needed to be processes lawfully in a transparent manner.
2. The personal data can only be collected for specified, explicit and legitimate purposes and should not be processed in a manner that is incompatible with the purposes of the data.
3. The personal data must be relevant and limited to what is necessary in relation to the purposes for which these data is processed (Kerr 2014).
4. The personal data that is to be protected should be accurate and should be up to data.
5. Under this regulation, the data should be kept in a form that permits identification of the data subjects.
6. This regulation ensures that personal data is to be processed in a manner so that it ensures appropriate security of the personal data that is stored. The data is protected from any unauthorized access or unlawful processing apart from providing protection against accidental loss, destruction or damage. This is ensured by using appropriate technical or organizational measures.

The ethics alone may not be enough to protect the data without the new regulation. With the improvement in business ethics, increasing emphasis is given on the ethical standards of the business however without the enforcement of any standard rule or law, protection of the data privacy may not be easy (Floridi and Taddeo 2016). However, law may not be enough to protect the data and for that proper ethical standards are needed to be maintained. The need of new rules for treating the personal data is however important for ensuring that there is no misuse of the data that is stored for public use. Ethics is important as it fills the gap between what’s legal and what’s acceptable and ethics mainly comes into play while decision making.

Conclusion

The report compares the old data protection act and the General Data Protection Regulation. The principles of both the data protection acts are discussed in the report. It is seen that the reforms made by the new act provides a greater security and data protection to the stored data. The new rule is found to be strict and is expected provide much better protection to the data that is stored. The principles of each of the act are evaluated in order to identify the benefits provided by the new data act. The new regulation is not worse off but can be described as an improvement of the data protection act. The report further establishes the fact that ethics alone is not enough to protect the data without the new regulation and proper law is essential for ensuring data protection.

References

Burton, C. and Anna, P., 2013. Status of the Proposed EU Data Protection Regulation: Where Do We Stand?. PVLR, 12, p.1470.

Charlesworth, A., 2012. Data Protection, Freedom of Information and ethical review committees: Policies, practicalities and dilemmas. Information, Communication & Society, 15(1), pp.85-103.

Floridi, L. and Taddeo, M., 2016. What is data ethics?.

Hallinan, D., Friedewald, M. and McCarthy, P., 2012. Citizens’ perceptions of data protection and privacy in Europe. Computer law & security review, 28(3), pp.263-272.

Hoepman, J.H., 2014, June. Privacy design strategies. In IFIP International Information Security Conference (pp. 446-459). Springer, Berlin, Heidelberg.

Jenkins, P., 2015. Client confidentiality and data protection. In Handbook of professional and ethical practice for psychologists, counsellors and psychotherapists (pp. 65-75). Routledge.

Kerr, D.J., 2014. Policy: EU data protection regulation—harming cancer research. Nature Reviews Clinical Oncology, 11(10), p.563.

Kosta, E., 2013. Consent in European data protection law. Martinus Nijhoff Publishers.

Kuner, C., 2012. The European Commission’s proposed data protection regulation: A copernican revolution in European data protection law.

Lynskey, O., 2015. The foundations of EU data protection law. Oxford University Press.

Morrison, M., Bell, J., George, C., Harmon, S., Munsie, M. and Kaye, J., 2017. The European General Data Protection Regulation: challenges and considerations for iPSC researchers and biobanks. Regenerative medicine, 12(6), pp.693-703.

Van der Sloot, B., 2014. Do data protection rules protect the individual and should they? An assessment of the proposed General Data Protection Regulation. International Data Privacy Law, 4(4), p.307.

Vandekerckhove, W. and Lewis, D., 2012. The content of whistleblowing procedures: A critical review of recent official guidelines. Journal of Business Ethics, 108(2), pp.253-264.