There is now less than a year until the EU General Data Protection Regulation (“GDPR”) enters into effect on 25th May 2018.
The GDPR will replace the UK’s Data Protection Act 1998 (“DPA”) which currently regulates the use of personal data to protect individuals and will provide a uniform standard regulating data protection throughout the EU.
The GDPR builds and expands upon the concepts and principles enshrined in the DPA. There are some notable changes, however, including that the regulation applies directly to businesses engaged to process data on behalf of others, and that the fines which can be levied are increased (including fines of up to 4 percent of annual turnover for the most significant non-compliance).
The Information Commissioner’s Office (“ICO”) has provided a useful Overview of the GDPR to help businesses understand the upcoming changes, including some information on the following:
- organisations it applies to;
- data it aims to protect;
- conditions for processing the data;
- rights afforded to individuals;
- new data breach reporting obligations; and
- greater significance placed on accountability and transparency, including when an organisation will be required to appoint a data protection officer.
As the ICO’s resources on the introduction of the GDPR are a work in progress, updates are expected to be provided by the ICO in the coming months.
However, in the meantime the ICO has published an updated guide setting out a number of steps which businesses can take now to prepare for the introduction of the GDPR, and a self-assessment checklist which small and medium-sized enterprises may find useful.
A focus of the ICO’s guidance is that action should be taken sooner rather than later to plan for the GDPR coming into effect, including businesses reviewing the:
- data they hold;
- basis on which that data is processed;
- policies and procedures they have in place; and
- privacy notices they use.
Companies which share data may also consider it useful to review their contracts for the sharing of that data.
In light of recent cyber security breaches, having robust systems in place for ensuring compliance with any data protection regulation will likely be at the forefront of most businesses’ concerns.