While the GDPR contains all the same principles as the DPA, there are some additional requirements, in particular regarding the need to obtain proper consent to retain personal information about a living individual. In addition, the regulations increase the rights of an individual in respect of how their data is kept and include the right to be ‘forgotten’.
- Data subjects have to explicitly ‘opt in’ to allowing their data to be shared
- It must be made clear for what purpose their data is being used
- Data subjects have new rights, such as data portability and the right to be forgotten
- There is new guidance around Subject Access Requests
- Data must only be used for the purpose it was gathered for and should be deleted when it is no longer needed for that purpose.
- New and existing staff and other key data users must have suitable training and awareness as well as additional sources of guidance and support when required.
- Data breaches must be reported to the ICO, where this is required, within 72 hours of the breach.
- A new principle of ‘accountability’ puts the burden on PCCs for compliance, requiring them to produce and maintain documents that demonstrate what actions have been taken to achieve compliance with GDPR.
Updated June 2023