GDPR v DPA – what’s changed?

How much do you really know about GDPR? And do you know how it differs from the current Data Protection Act legislation and what you need to change to ensure you are compliant?

The transition from one law to another can be a bit of a minefield, so we’ve prepared a quick guide of the main differences to look out for:


IssueData Protection ActGeneral Data Protection Regulation
UK-wide legislation, applicable to UK businessesAll 28 EU member states, as well as any businesses that sell products or services to EU individuals and organisations
AccountabilityLimited and more of a ‘box ticking exercise’Explicit and ideally built in to the fabric of an organisation – ‘privacy by design’
Fines£500,000 for the most serious of breaches, which is also the case under PECR€20m or 4% of annual turnover for serious breaches, whichever is higher, and €10m or 2% for minor breaches
Breach notificationsNot a requirementSupervisory authorities must be notified ‘without undue delay’, and no later than 72 hours after the breach has been discovered
Right to erasureNot explicitly required of businesses to complyIndividuals have the right to insist their details are deleted from your database, including backup and secondary backup data stores
Subject Access Requests£10 fee can be charged – must respond in 40 daysFree of charge – must respond in 30 days
ResponsibilitiesData controllers onlyData controllers AND data processors



So now that you know the difference between the two pieces of legislation, here are six principles that underline the GDPR. It’s more than just an update to current laws, it requires a fully realised approach to the whys, the whos and the wheres involved. These principles refer to personal data and state that:

Data is processed lawfully, with fairness and transparency. Subjects must be informed about your data processing methods, know that what is being requested matches what you state you plan to do with that data and must meet expected security and fairness standards.
Data is collected for a specified, explicit and legitimate purpose or purposes, depending on what you’re collecting information for. You must not use that data under any other circumstances.
You must limit the amount of information you collect on an individual adequate and relevant to the purpose you’re collecting that data for.
You keep your data up to date and accurate; you cannot assume that permission to use a subject’s data is granted if they haven’t actively agreed that you can hold this information.
Data must be kept in a form that permits identification of your subjects, but also that you only keep it identifiable for as long as you need it (and even then, that’s only referring to the purpose for which that data was originally collected… confusing, no?)
Data needs to be processed and managed in a way that retains appropriate security and privacy. This will hinge on the size of your organisation, the amount of data you collect and what you need to do with it.


As the biggest overhaul to data protection practices in the last 20 years, GDPR is being touted as the beast that can’t be tamed.

The changes to how data is obtained, stored, managed and used means that marketers need to step up to the plate. But it’s not all doom and gloom, far from it. It’s our firm belief that GDPR presents more opportunities than threats; it’s all about a new mindset and sharpening your working practices.

At Workshop, we’ve been working to ensure that our clients know what GDPR means for marketing and what needs to be in place to be compliant. You can read and download our white paper here or get in touch to arrange a chat about GDPR or marketing in general.

By Toby Walker