Introduction
Throughout time, the protection of information has presented an issue that can influence various fields of individuals’ and businesses’ lives and requires careful consideration. Numerous classical writings about the significance of security can be traced back to the 16th century, which implies that the concept of data protection has always been present. Within the last decades, with the introduction of various information technology advancements, the likelihood of breaches, violations, and information security-related crimes has significantly increased. This fact implicates the necessity of strict regulations for information security within different industries that can affect organizations and individuals. According to Safa, Von Solms, and Furnell (2016), “technology cannot solely guarantee a secure environment for information”, which is associated with the influence of the acts and regulations concerning data security (p. 70). The purpose of this paper is to critically discuss the key differences between the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) of 2015.
Main body
The integration of various information technology systems imposes severe challenges for the companies to secure the data that they possess correctly, and the way they assess and analyze it. In 2016, the implementation of the GDPR was voted to replace the Data Protection Directive, aiming to improve the safety of individuals’ privacy and assist the work of businesses (Tikkinen-Piri, Rohunen, & Markkula, 2018). The digitalization of life and work spheres created a need to adopt new measures that will manage to protect the information and its subjects and users effectively. The primary GDPR’s principles purpose is “to strengthen online privacy rights and boost Europe’s digital economy”, which also means increasing individuals’ trust in the collection of personal data (Tikkinen-Piri et al., 2018, p. 134). Technological development brought new opportunities to businesses, which creates a higher demand for the collection of information.
With higher demand, the need for rigid regulations emerges, which can be observed through the data breaches that occurred throughout the last decades and had a significant impact on the way data protection is perceived. One of the severe violations examples in information security can be the revelation of Ashley Madison’s member list, which brought severe damage and had a substantial effect on the businesses (Beckett, 2017). Therefore, it is possible to state that the failures to protect data can result in dramatic consequences for the individuals and for the businesses, where no one has immunity to the information breaches. New possibilities of broad data usage imposed new challenges in the protection of personal data, which led to the introduction of the GDPR.
At this point, it is crucial to look at the essence of the GDPR principles and how they address the increased data protection issues emerging in a digitalized and globalized society. The GDPR highlights the essential data protection principles, including lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality and accountability (“Article 5 GDPR,” n.d.). Those principles concern the possible issues that can arise with the use of personal data and carefully state the regulations for the companies, encouraging them to introduce proper technical measures and organizational control. The GDPR touches on such areas as the consent to provide information, the condition to child’s consent, and the analysis of the exclusive personal data and the processing related to criminal activities (“Chapter 2 – Principles,” n.d.). Therefore, it is possible to say that this regulation aims to cover all the aspects that can emerge in the data gathering and processing stages, protecting the rights of different individuals’ groups.
It was mentioned above that the need to integrate the GDPR emerged due to the new challenges the DPA did not manage to cover. The basis for the GDPR provisions lies in Article 16 of the Treaty for the Functioning of the EU, while the Directive’s principles were based on Article 114 (Nicolaidou & Georgiades, 2017). Thus, the GDPR aims to respond to the legal protection measures presented by the Lisbon Treaty and globalization trends, and the Directive responded to the legal basis of the internal market (Nicolaidou & Georgiades, 2017). It is possible to say that the foundation for the measures and principles introduced by the GDPR and the DPA is different, proposing basic data protection principles, but varying in some aspects.
Besides possessing a different basis for the creation, one of the crucial differences between the GDPR and the DPA is the legal strength. As a Directive, or Act, the DPA serves as a legal instrument “that allows member states a degree of flexibility” (Nicolaidou & Georgiades, 2017, p. 5). It implies that flexibility can lead to uncertainty and to the feeling that the provided protection does not have a substantial influence on illegal activities connected to data breaches. The GDPR, instead, offers a set of regulations, which makes it a more unbending legal instrument with a low or absent degree of flexibility (Nicolaidou & Georgiades, 2017). Therefore, the proposal of new regulation offered a greater extent of the legal order, ensuring that the application of the data protection principles and rules will be more uniform and rigid. The creation of a stricter information security environment aims to make the individuals more trusting and assured of the safety of their data.
Thus, one can see that the GDPR intends to introduce the solution to the issues more strictly, providing uniform measures for the member states. The next critical aspect that the GDPR is offering is the implementation of the Data Protection Impact Assessment (DPIA). Although the Directive did not describe this element precisely, the concept still existed in the field, but the new regulation made it official and more accurate. The DPIA serves as an instrument that recognizes the risks occurring because of “a certain technology or system by an organization” in various individuals’ roles (Bieker, Friedewald, Hansen, Obersteller, & Rost, 2016, p. 21). Consequently, the analysis of the potential risk will be conducted, and it will lead to the proposal and implementation of the required measures and strategies to avoid the threats concerning data protection.
Another crucial point is the definition of personal data and applications. Personal data represents one of the critical elements in information security, which makes this concept integral to data protection measures. The DPA of 1998, defined personal data as the information related to the living individual, “who can be identified from those data”, or which is possessed by the data controller” (Wong, 2019, p. 518). In such a way, this definition excluded some of the information related to individuals, which, with the rapid technology growth, became a challenge for information security. The GDPR offers a description that includes all types of information, stating that “any information relating to an identified or an identifiable living individual” constitutes personal data (Wong, 2019, p. 518). Hence, the new regulation broadens the meaning of personal data, which leads to a higher extent of protection and a more considerable number of aspects taken into consideration while regulating the information safety environment.
In the aspect of personal data, the childminders group plays an essential role, which also overcomes the changes with the implementation of the GDPR. The information commissioner’s office (ICO) will continue being responsible for the administration of data protection laws, and under the new regulation, all data concerning childminders have to be registered (Martland, 2018). Thus, the new stricter definition of personal data can lead to a significant increase in the costs for the ICO.
Breaches and violations in data security have substantial consequences for both individuals and organizations. It is significant to mention that the breaches also have financial costs for the companies and a negative impact on the business’s image. The Directive imposed small fines for violating security laws, and the GDPR allows the authorities to impose penalties up to 4% of the global turnover in the most severe cases (Houser & Voss, 2018). Thus, the GDPR brings the financial burden for the violations to the next level, substantially increasing the fines for the companies, which can influence the businesses, especially the big international ones.
For instance, with the implementation of the GDPR, in case of critical violations, the fines for such a company as Facebook can reach $1 billion, and more than $3 billion for Google (Houser & Voss, 2018). Thus, the introduction of the new regulation in the EU “could result in massive fines for the US companies,” which makes the businesses carefully treat data privacy laws (Voss & Houser, 2019, p. 287). One can state that high financial losses represent an incentive for the companies to comply with all the regulations and strictly follow and check the procedures to secure the information.
In such a way, the GDPR, with the administrative fines and assessment analysis, has economic implications. The goals of the regulation are to “provide effective remedies for ensuring personal data rights and change controllers’ policies so that they become more aware of privacy protection” (Chamberlain & Reichel, 2019, p. 1). It is essential to mention the difference between the regulation for the fines for the companies and the processors. As the paragraph above mentions, the penalties for the organizations are higher with the implementation of the GDPR. However, Article 83 discusses the liability for the controllers in an interpretable way, while Article 82 provides rigid details concerning the fines for the businesses (Chamberlain & Reichel, 2019). Thus, while introducing new financial burdens in comparison to the Directive, the GDPR leaves room for flexibility for the data controllers and processors.
One more critical aspect of the GDPR implementation is the provision of stronger rights for the subjects of information. The GDPR provides the “right to be forgotten”, which implies the possibility of the individual to request their data to be erased, eliminating the possibility of further processing (Mittal, 2017, p. 68). In theory, the individuals will be able to request the removal of their data from the systems, which, in reality, can have numerous challenges. Article 17 of the GDPR requires the data controller to inform other controllers to erase any copies or links to the specific personal data (Mittal, 2017). In such a way, each controller has to remove the information, which might make the process complicated and impose problematic issues for the controllers’ collaboration.
Besides the right to erase personal data, the GDPR states other possibilities that broaden the users’ control of their individual information. In such a way, the GDPR also introduces stricter rights of access and the right to rectification following the transparency principles (Wachter, 2018). Those new standards grant the right to the data subjects to access the process data at any time and to change incorrect information or complete the gaps (Wachter, 2018). Therefore, the new regulation significantly increases the level of the users’ influence on their data and the operation that they can conduct with it.
With the new standards, principles, control level, and users’ rights, the GDPR has a crucial influence on the organizations as well. According to the GDPR, any company that possesses information about the EU citizens “must comply with it, no matter where they are based or where the data is stored” (Tankard, 2016, p. 5). Besides, the new regulation includes the same requirements for cloud storage (Tankard, 2016). Thus, with the GDPR, more businesses become subject to control and have to re-evaluate carefully their activities connected to the data collection and processing. Moreover, companies that have vast information processing activities need to have a data protection officer who functions independently (Tankard, 2016). Hence, with the new requirements and additional rules, the GDPR aims to make information security more reliable and trustworthy.
Conclusion
In conclusion, the integration of the GDPR has substantial effects on all the parties involved in data collection, processing, and assessment activities. In comparison to the Directive, the new regulation imposes more rigid rules and principles for the data controllers and the businesses. Under the GDPR, the personal data concept is redefined, and the data subjects possess more rights related to their information. Although the GDPR maintains specific challenges, it serves as a measure of strengthening information security and introducing new ways of protecting data.
References
Article 5 GDPR – Principles relating to processing of personal data. (n.d.). Web.
Beckett, P. (2017). GDPR compliance: Your tech department’s next big opportunity. Computer Fraud & Security, 2017(5), 9-13.
Bieker, F., Friedewald, M., Hansen, M., Obersteller, H., & Rost, M. (2016). A process for data protection impact assessment under the European general data protection regulation. In S. Schiffner, J. Serna, D. Ikonomou, & K. Rannenberg (Eds.), Privacy technologies and policy (pp. 21-37). Cham, Switzerland: Springer.
Chamberlain, J., & Reichel, J. (2019). The relationship between damages and administrative fines in the EU General Data Protection Regulation. Stockholm Faculty of Law Research Paper Series, 72, 1-19.
Chapter 2 – Principles. (n.d.). Web.
Houser, K. A., & Voss, W. G. (2018). GDPR: The end of Google and Facebook or a new paradigm in data privacy. Richmond Journal of Law and Technology, 25(1), 1-70.
Martland, R. (2018). Preparing for the GDPR. Child Care, 15(3), 2-3.
Mittal, S. (2017). Old wine with a new label: Rights of data subjects under GDPR. International Journal of Advanced Research in Computer Science, 8(7), 67-71.
Nicolaidou, I. L., & Georgiades, C. (2017). The GDPR: New horizons. In T. E. Synodinou, P. Jougleux, C. Markou, & T. Prastitou (Eds.), EU Internet law: Regulation and enforcement (pp. 3-18). Cham, Switzerland: Springer.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.
Tankard, C. (2016). What the GDPR means for businesses. Network Security, 2016(6), 5-8.
Tikkinen-Piri, C., Rohunen, A., & Markkula, J. (2018). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law & Security Review, 34(1), 134-153.
Voss, W. G., & Houser, K. A. (2019). Personal data and the GDPR: Providing a competitive advantage for US companies. American Business Law Journal, 56(2), 287-344.
Wachter, S. (2018). Normative challenges of identification in the Internet of Things: Privacy, profiling, discrimination, and the GDPR. Computer Law & Security Review, 34(3), 436-449.
Wong, B. (2019). Delimiting the concept of personal data after the GDPR. Legal Studies, 39(3), 517-532.