Changes to the Data Protection Act - GDPR - Data Protection - University of Derby

Changes to the Data Protection Act - GDPR

The Data Protection Act 1998 is changing; its replacement is called the General Data Protection Regulation (GDPR). The new regulation will extend the rights of the individual and ensure legislation matches the ever-changing technology around us. The GDPR comes into effect on 25th May 2018 and isn't affected by our decision to leave the EU.

Some of the changes under the GDPR include:

New rights for data subjects

  • The right to be forgotten - an individual can ask for their personal data to be erased.
  • The right to data portability - where individuals have provided personal data to a service provider, they can request the provider to 'port' the data to another provider.
  • The right to object to profiling - the right not to be subject to a decision based solely on automated processing.

Changes to consent

  • Must be explicit, non-ambiguous and given freely.
  • Can be withdrawn.

Increased fines for data breaches

  • Fines are substantial - the ICO will have the power to impose fines of up to 4% of total annual turnover or €20,000,000.

Data Protection Officers

  • A designated post of Data Protection Officer, who will be strategically responsible for GDPR.

Mandatory breach notification

  • Organisations must notify breaches 'without undue delay' or within 72 hours. If there is a high risk to individuals, they must be informed as well.

Privacy by design

  • Organisations should design data protection into the development of business processes and new systems, and undertake Privacy Impact Assessments (PIAs).

Need Advice?

Contact foi@derby.ac.uk or call (01332) 592151.