The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, applies from 25 May 2018. GDPR aims to facilitate the free flow of personal data within the EU whilst ensuring a high level of protection for that data. The UK data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue higher fines, of up to €20 million (about £17 million) or 4 per cent of annual global turnover, whichever is higher, for the most serious breaches of the regulation.
Companies will need to implement appropriate policies and procedures to demonstrate compliance with the new regulation (its accountability principle), and it is recommended that management should:
- Understand and document current data processes and demonstrate that they meet compliance requirements;
- Document what personal data is held;
- Assess the security of data stored, personal data in particular;
- Document where data is shared with third-party organisations;
- Review and define justifications for holding personal data;
- Categorise the risk level associated with personal data held; and
- Commit to data retention policies.
GDPR distinguishes two roles. A data controller determines the purposes and means of processing personal data; a data processor processes personal data on the controller’s behalf and under its instructions. A company will be one or the other (or both, for different processing activities), and the responsibilities that attach to each role follow from the decisions it takes. In line with ICO guidance on the distinction, the controller decides:
- Whether to collect personal data in the first place, and the legal basis for doing so;
- Which items of personal data to collect;
- The purpose or purposes the data is to be used for;
- Which individuals to collect data about;
- Whether to disclose the data, and if so, to whom;
- How data subjects’ access requests and other rights are to be handled; and
- How long to retain the data, or whether to make non-routine amendments to it.
The processor, within the controller’s instructions, may decide the technical and operational details:
- What IT systems or other methods to use to collect personal data;
- How to store the personal data;
- The details of security surrounding the data;
- The means used to transfer the data from one organisation to another;
- The means used to retrieve personal data about particular individuals;
- The method for ensuring a retention schedule is adhered to; and
- The means used to delete or dispose of the data.
The EU GDPR is designed to harmonise data privacy laws across Europe, to protect and empower all individuals in the EU with respect to their personal data, and to reshape the way organisations across the region approach data privacy. Currently, the UK relies on the Data Protection Act 1998, which implemented the 1995 EU Data Protection Directive (95/46/EC); this will be superseded by the new legislation.
UK organisations handling personal data will still need to comply with GDPR, regardless of Brexit. The GDPR will come into force before the UK leaves the EU, and the government has confirmed that the Regulation will apply.