The EU has introduced the General Data Protection Regulation (GDPR) to update and harmonise data protection law across the EU. It will apply throughout the EEA and to any individual or organisation outside the EEA that offers goods or services to, or monitors the behaviour of, individuals within it. As it comes into force on 25 May 2018 (before the UK leaves the EU), UK individuals and organisations must be compliant with the new regime by that date.
The Information Commissioner’s Office (ICO) and the government have confirmed that they expect UK individuals and organisations to adhere to the GDPR, because post-Brexit the UK’s data protection legislation (currently the Data Protection Act 1998 (DPA)) must continue to meet the GDPR standard if data is to keep flowing between the UK and the EU.
What is similar to the existing Data Protection Act?
- The definitions of ‘processor’ and ‘controller’.
- The ICO as the UK’s regulator.
- The data protection principles are broadly the same in substance, although the GDPR restates the DPA’s eight principles as six, with accountability added as a separate requirement.
- International data transfers remain restricted in the same way, but the DPA’s option to self-assess the adequacy of a transfer is removed.
What is changing?
- Data processors – must now maintain records of their processing activities and are directly liable to individuals and to the regulator for breaches of their own obligations.
- Data controllers – new obligations, including a duty to ensure that your contracts with processors contain the terms the GDPR now requires (for example, that the processor acts only on your documented instructions and assists you with breach notification and individuals’ requests).
- Accountability principle – you must be able to show how you comply, eg by documenting what you have done and why.
- Data protection impact assessments (previously known as privacy impact assessments) – must be carried out where processing is likely to result in a high risk to individuals’ rights, eg when using new technology or profiling individuals on a large scale.
- Higher standards for consent – it must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action, so pre-ticked boxes and silence will no longer do.
- Enhanced rights for individuals, including the right to be informed, the right of access, the right to rectification, the right to erasure (the ‘right to be forgotten’), the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision-making and profiling.
- Data protection officer – mandatory only for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of sensitive data, but every organisation must make an appropriately senior individual responsible for GDPR compliance.
- The duty to report a personal data breach will apply to all: controllers must notify the ICO within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and must also tell the individuals affected where the risk is high. Failure to report can itself attract a fine.
- Increase in maximum fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher).
The GDPR applies to the processing of personal data by a controller or processor established in the EU, and to a controller or processor outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU.
These changes will affect more businesses than many expect. Please do not ignore them and hope they will not apply to you, as it is very likely that they will.
As a start, you should evaluate whether your existing practices and procedures meet GDPR standards and then plan how you will address any shortcomings. Going forward, you will need to be audit ready at the time of any enquiry or inspection, which means keeping the records that demonstrate your compliance up to date.
As a minimum, the contract clauses governing the sharing of data with others should be reviewed to check that they contain the terms the GDPR requires.
Further guidance from the ICO and the government is due. We will therefore be offering a seminar during October 2017 covering the GDPR and its potential impact on you.
This article is to provide some background information on the General Data Protection Regulation legislation. This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined.