GDPR: A TRAINING GUIDE FOR CONTACT CENTRE AGENTS 2018
COPYRIGHT: THE DMA (UK) LTD 2018
5
This table provides a top line view of the key areas of the new Data Protection Act.
What has changed?
Area Data Protection Act 1998 New Data Protection Act
(GDPR)
Denition of Personal Data “personal data” - any data that
can be used to identify a living
individual: name and address,
telephone number or email
address.
Now includes on-line identiers i.e.
location data; an online name; IP
addresses and mobile device IDs.
Consent “…any freely given specic and
informed indication of his wishes by
which the data subject signies his
agreement to personal data relating
to him being processed”.
If processing data on the basis
of Consent (and not Legitimate
Interest) it needs to be
unambiguous; Requires a positive
opt-in; Be specic and granular
(channel); Keep evidence of
Consent – Who, When, How and
What you told people.
Privacy Statement information available to the data
subjects (the individuals whom
the data relates to), so far as
practicable: who the data controller
is; the purpose or purposes for
which the information will be
processed; any further information
which is necessary in the specic
circumstances to enable the
processing to be fair.
This applies whether the personal
data was obtained directly from the
data subjects or from other sources.
The privacy notice is a key
component in outlining exactly
who will be using data, the context
in which it will be used, thus
informing and further shaping the
data subject’s realistic expectations.
There is a fundamental obligation
to tell data subjects what their
personal data will be used for
and the privacy notice is where a
business must showcase and record
such activities.
The GDPR includes a longer and
more detailed list of information
that must be provided in a privacy
notice than the DPA does. from data
subjects or from a third party:
There are also some dierences in
what you are required to provide,
depending on whether you are
collecting the information directly
from data subjects or from a third
party:
Identity and contact details of the
controller and where applicable, the
controller’s representative) and the
data protection ocer