What is the General Data Protection Regulation (GDPR) and how is it different to the existing UK Data Protection Act 1998 (DPA)?
The GDPR was agreed by the members of the European Parliament and the European Council in April 2016, with a two-year preparation period.
GDPR will replace and expand the current UK Data Protection Act 1998 and will come into force on May 28, 2018. Its introduction is not affected by Brexit’s outcome or any ongoing negotiations.
The GDPR is a new framework for data protection laws across Europe that concerns organisations, businesses and individuals in the UK and the EU. It will also add more clarity to what constitutes personal data and how it can be used, ensuring that legislation is harmonised across the UK and Europe.
There are significant changes between the existing DPA and the incoming GDPR on how organisations can collect, handle, use and store data, what constitutes personal or sensitive data, and the rights of individuals to access personal information and determine how it can be used.
Who regulates the GDPR in the UK?
In the UK, the Information Commissioner's Office (ICO) is the body responsible for regulating GDPR. The ICO is empowered to ensure compliance through a series of public warnings and fines.
The ICO is also where individuals can make complaints about organisations not adhering to the GDPR.
If I am GDPR compliant in the UK, am I covered in the EU?
Yes. The GDPR harmonises the relevant legislation and regulations and is the same for the UK and the EU.
Why is it important that I prepare for GDPR?
GDPR will be part of the UK law and mandatory for your organisation to comply with.
It is essential that your organisation is aware of its responsibilities and puts in place any changes to (or initiates) business processes, policy and practice to make sure you are compliant by May 28, 2018.
GDPR affects all areas of your business. You may require significant changes to your business practice and for your staff to be re-trained on how to process and manage data correctly.
The ICO will be the statutory body in charge of ensuring that GDPR is being adhered to in the UK. It has the power to issue warnings and substantial fines for non-compliance.
When does GDPR come into effect?
GDPR becomes legislation on 28th May 2018. The ICO will expect you to be compliant by this date.
Are there any consequences to not complying?
There are substantial fines that the ICO can levy for non-compliance with the GDPR.
If you cannot show that you are compliant with the GDPR, other businesses that you partner with or supply services to will see this as a risk to doing business with you.
How do I make sure that my organisation will be compliant with GDPR?
To make sure that you are compliant, you will need to prove that your organisation has the correct processes, policies and practices in place.
This can be done in five distinct steps and, if documented, can assist in any conversations required with the ICO:
1. Undertake a compliance audit
Using guidelines and checklists from the ICO, check whether your current uses, processes and practices for managing personal information and data adhere to the GDPR.
2. Create an action plan for addressing issues highlighted by the audit
Outline any projects or tasks that need to be completed to improve or fix any areas of non-compliance.
3. Training and awareness of GDPR
Ensure relevant staff are properly trained on: what GDPR is, their responsibilities, the correct organisational processes and policies, and how to handle questions, comments or complaints from the public.
4. Updating policy statements and data collection forms
Ensure that all relevant policies (including information that needs to be available to the public) have been updated or created, and that any requests for personal data (digital, phone, print, SMS) include the correct information and opt-in/unsubscribe options to be compliant.
5. Payment of the Data Protection Fee to the ICO by 1 April 2018
Details of the cost of this fee are still to be confirmed. It is payable by any organisation that collects personal data. Check with the ICO for the latest details.
Helpful resources and additional information on GDPR
- General overview of GDPR from the Information Commissioner's Office (ICO)
- Collection of the ICO's GDPR content for organisations
- ICO’s blog with updates and developments on GDPR
- Getting Ready for GDPR – Data Protection Self-Assessment
- E-Learning for SME staff – Responsible for information
- Training for Staff on Privacy – Think Privacy
- Toolkit for staff on individual rights to request access to data you might have on them – Are you access aware?