The General Data Protection Regulation (GDPR) replaced the existing Data Protection Act with effect from 25 May 2018.
The GDPR requires every organisation that processes the personal data of individuals in an EU member state to protect that data and to be able to demonstrate, with documented evidence, that it does so. Failure to comply with the regulation can result in significant fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher).
Whilst there are similarities between the Data Protection Act and the GDPR, there are new and different requirements that all businesses need to be aware of. This factsheet will help you check whether you have taken the steps needed to prepare adequately and to be compliant with the regulation.
We have also produced a related factsheet entitled 'Data Security - General Data Protection Regulation', which covers the principles behind the new regulations.
Here we summarise the new/modified requirements of the GDPR in comparison to the Data Protection Act.
A number of overriding principles and key words run through the GDPR. These include transparency, accountability, consent, compliance and privacy by design. Some of the areas affected include:
The ICO has produced a twelve-step checklist to help organisations get ready for compliance.
Organisations are required to document the processing activities they carry out (the records of processing required by Article 30 of the GDPR). The documentation should cover the purposes of processing, data sharing, and data retention policies and procedures.
A good starting point might be the firm's existing Data Protection Act annual registration form. However, this is only a starting point: the GDPR's documentation requirements are much more explicit than those of the Data Protection Act.
Data controllers and data processors have their own separate obligations, and these are covered in more detail here.
There are limited exemptions for firms with fewer than 250 employees. In that case, documentation is only required for processing activities that:
A more detailed step-by-step guide on how to proceed with the documentation process can be found using the URL above.
As well as the need to comply with the GDPR, there are various other Acts and regulations in the UK which have a bearing on data security. These include: