I guess you have heard that the UK will be implementing the General Data Protection Regulation (GDPR) in May 2018. Now is the time for businesses to start planning a compliance strategy, identifying those business areas where the GDPR is likely to have the greatest impact.
The Regulation is intended to give people greater control over their personal data and to strengthen the rights of the individual. It will transform the way personal data is collected, shared and used.
The Data Protection Act 1998 (DPA) remains the primary source of the current UK data protection rules. Many UK businesses fail to implement the adequate data protection policies and practices required by the DPA. The GDPR reforms our data protection legislation, providing a coherent set of rules, simplified procedures and, most importantly for those of us running a business, greater enforcement powers for the supervisory authorities in cases of non-compliance.
Much in the GDPR will be familiar to those who know the current DPA and guidance, such as the right of subject access. Any organisation seeking to comply with the GDPR is strongly advised to consider the reasons on which it relies in respect of its data processing activities and to make sure it implements any required changes. The GDPR will set the bar higher with respect to justification.
The GDPR applies to both controllers and processors of data. A controller must make sure that it has legal justification for processing data. The processor acts upon the instructions provided by the controller. The GDPR places specific obligations on processors in respect of maintaining data and processing activities. There is increased accountability under the new regime, with processors being subject to significantly more legal liability with regard to any breach. The controllers do not get away lightly either, with the GDPR placing additional obligations on them to ensure that any contracts held with processors comply with the Regulation.
Consistency in the enforcement of the data protection rules is key to the GDPR data protection regime, with administrative fines being a central element of that enforcement. For many businesses, compliance with the GDPR will be a significant piece of work, but non-compliance could result in a hefty fine.
There is no need to panic. Start planning – identify any gaps between the current DPA requirements and those in the GDPR. A good starting point would be to prioritise those business areas where the new regime will make the greatest impact.
If you wish to find out more about GDPR and your obligations regarding data protection, please contact one of our expert solicitors at Farleys Solicitors on 0845 287 0939 or contact us online.