What it is, what you need to do about it.
The what?
The General Data Protection Regulation, a piece of EU legislation that comes into effect in all member states on 25 May 2018. It will replace the Data Protection Act 1998 (“the DPA”) in the UK.

Is it different to the existing legislation?
The requirements of the GDPR are similar to those of the DPA. However, there are some key new requirements, and greater enforcement powers and penalties for non-compliance.

Who does it apply to?
Any person or organisation that processes personal data. There are differing requirements for those who decide how and why personal data is to be processed (‘Data Controllers’) and those who process personal data on behalf of a Data Controller (‘Data Processors’). It does not apply to purely personal or household processing of data, and there are other specific exemptions.

What is personal data?
Any information relating to a living individual who can be directly or indirectly identified from that information (for example a name, an identification number, location data or an online identifier), whether on its own or in combination with other information.

So what’s it all about?
The GDPR is a fairly complex piece of legislation and it is beyond the scope of this update to outline the requirements in full (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ for an in-depth guide), but to give a brief summary of some of the main requirements:

What about the rights of data subjects?
Data subjects (that is, the individuals to whom the data relates) have a number of rights, including:

Data controllers should ensure they have a suitable procedure in place for dealing with data subject access requests, and their contracts with data processors should require the processor to assist in responding to them.

What if we don’t comply?
The consequences of non-compliance can be very serious: the GDPR provides for maximum fines of EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.

What do we need to do?
The fact that data controllers are required to be able to demonstrate their compliance, together with the possible consequences of failing to comply, means that the requirements of the GDPR simply cannot be ignored.

The action required will vary from company to company, but as a minimum, businesses that process personal data should carry out the following steps well in advance of the GDPR coming into force on 25 May 2018:

Sounds a bit complicated
Potentially, yes. But we can help. We are pleased to offer a range of services to help you achieve compliance, from conducting a full review and overhaul of your data protection procedures and documentation to offering ad hoc advice or the preparation of documents, including procedures, policies, information notices, consent forms and contracts with data processors.

If you would like to discuss how we can help you, please contact Alistair Wells on firstname.lastname@example.org or 020 7731 0750.