In light of impending changes to Data Protection Act (DPA) policies in the UK, we would like to highlight what the Data Protection Act means, and how things will change under the upcoming General Data Protection Regulation (GDPR). As part of our ethics clearance, a DPA form is required to ascertain that data collected is ethically collected, securely stored, and appropriately disposed of. Our survey information will be anonymous, thus negating the need for a specified DPA plan. However, future work involving our application would almost certainly require a detailed DPA plan, as marketing and testing work is likely to involve human participants whose personal details would need to be collected. As shown by the Cambridge Analytica scandal, DPA policies are crucial for the appropriate handling of personal data: the correct methods ensure the safety and privacy of participants, and additionally do not jeopardise either study participants or researchers. Even seemingly trivial data can be used to make inferences about participants, as is seen in the targeted advertisements served by digital marketing companies. With the DPA soon being replaced by GDPR on May 25th 2018, some aspects of data collection policy will change. The following are some key differences between the two:
Geographic Scope
Currently, the DPA extends only to the United Kingdom. The GDPR is an EU initiative which will apply to all companies which process data within the European Union. An interesting aspect of this is that any non-EU company processing the data of EU citizens must also adhere to GDPR, and must additionally appoint a representative within the EU.
Fines and Accountability
Fines under GDPR will be significantly harsher, with failures to comply resulting in a fine of up to 4% of global turnover or €20m, whichever is higher. Current DPA fines are up to £500,000 or 1% of annual turnover, whichever is higher.
Right To Be Forgotten and Right To Access
The DPA currently has no provision regarding a person’s right to have their information removed from an organisation. GDPR includes the “right to erasure”, often referred to as the “right to be forgotten”, which gives individuals control over their own information. In certain cases, businesses and organisations are now required by law to comply with requests for the deletion of data, which includes archived backups and data shared with third parties. Similarly, an individual can request a copy of the information held about them, free of charge. This gives individuals greater control over their data held by organisations and related third parties.
Data Breaches
Under the DPA, organisations are not required to report data breaches. Under GDPR, data breaches must be reported to a supervisory body within 72 hours. Additionally, the organisation must also report the breach to the individual(s) it affects if the breach poses a risk to the individual’s personal rights and freedoms.
These are just some of the major changes which will be implemented when GDPR replaces the DPA in the UK. If further studies were to be conducted by team POPS for HobbyLink, we would need to carefully consider whether our work adheres to these new guidelines. One particular consideration will be the geographic scope of data used by our project and app, as participants and users may have a global reach extending beyond the European Union, given that the user base is comprised of students. It is therefore possible that these users’ local data protection policies may also apply to our data. Future ethics considerations will also reflect the new GDPR policies, and so it cannot be assumed that what has passed previous ethical clearance will now pass GDPR regulation. Overall, while GDPR will give the team more to consider for future work, it is ultimately a positive force for individuals whose data is used by organisations, as it puts the power back into the hands of those individuals rather than the organisations who hold their data.