Data Protection Act 1998 vs the GDPR – which applies?
As we all know, thanks to the influx of privacy notices in our email inboxes from companies, many of which we have never heard of, the General Data Protection Regulation (GDPR) and the resulting Data Protection Act 2018 (DPA 2018) came into force on 25 May this year, replacing the UK’s previous Data Protection Act 1998 (DPA 1998).
In the aftermath of the furore on 25 May 2018, the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues, has been left tackling a tricky question: which applies? The DPA 1998, or the GDPR and the DPA 2018?
On the face of it, the answer to this question may seem quite simple. The GDPR came into force and replaced the DPA 1998, so surely there’s no question over the applicability of the GDPR? On the contrary, according to the ICO.
Dixons Carphone Data Breach
On 13 June 2018, Dixons Carphone reported a data breach concerning what was thought to be around 6 million payment card details and just over one million personal data records.
Apparently hackers were able to access the processing systems of companies in the Dixons Carphone Group in order to obtain personal data records. Unfortunately for Dixons Carphone, the system hack and data breach were not discovered for nearly a year.
Dixons Carphone has since confirmed that the data breach was significantly larger than first thought. It has disclosed that the personal information (names, addresses and email addresses) of 10 million customers was accessed during the hack.
So, what has the ICO got to say about Dixons Carphone’s predicament?
On the date of notification of the breach, an ICO spokesperson said:
“It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
Whether you look at the DPA 1998 or the GDPR, there has clearly been a data protection breach at the hands of Dixons Carphone.
Ensuring the appropriate security of personal data has always been a requirement under data protection laws. Dixons Carphone’s hack occurred over a year ago, when the DPA 1998 was still in force, and the security systems in place at that time were therefore clearly not appropriate to prevent unauthorised access to personal data.
How does the GDPR come into play, I hear you ask? Well, the GDPR imposes higher obligations on the controller in terms of data security, including a process of regularly testing security systems. We know the GDPR came into force on 25 May 2018; however, Dixons Carphone did not discover and announce this historic data breach until nearly three weeks after the regulations came into force. It is now for the ICO to decide whether this is a reasonable amount of time to discover a breach of this size, or whether heightened security systems should have been in place and ready ahead of the implementation date.
Why does it matter?
Why should Dixons Carphone, or indeed any other company in a similar situation (think Ticketmaster), be concerned over which Act applies?
The answer is: money.
If the ICO decides that the GDPR has been breached, the maximum fines available are significantly higher than those that can be imposed under the DPA 1998. Dixons Carphone will be well aware of this, given that Carphone Warehouse received one of the largest fines ever imposed by the ICO, £400,000, for a similar breach in 2015.
It remains to be seen whether this breach will be one of the first to receive a hefty fine under the GDPR.
For further help or information, please contact Ellie Leatherday
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.