What is the Regulation?
European Parliament has introduced a General Data Protection Regulation (GDPR) by way of reform of EU Data Protection Law.
GDPR replaces the current Data Protection Directive, which was implemented into UK Law through the Data Protection Act 1998.
As the GDPR is a Regulation, rather than a Directive, it is immediately binding on all EU member states.
When did GDPR become Law?
Consultation began in 2009 in recognition of the new challenges for personal data protection, particularly in light of new technologies and globalisation. The implementation date for GDPR was 25th May 2018.
Implications of BREXIT
The Information Commissioner’s Office (“ICO”) has said that the Government needs to consider the impact of BREXIT on the GDPR.
GDPR is still relevant when outside of the EU for organisations operating internationally.
The ICO is of the view that reform of the UK law remains necessary in any event.
The GDPR presents a much more detailed framework and introduces some new principles and concepts.
Whilst the principles of the GDPR are similar to the principles under the Data Protection Act, there are some enhanced obligations.
Steps to take now
The ICO has published guidance on steps that data controllers should have taken for GDPR.
Ensuing that decision makers and key people in your organisation are aware that the law is changing and to appreciate the impact this is likely to have.
Organise an information audit to document what personal data you hold, where it came from and who you share it with.
View current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Check procedures to ensure they cover all the rights individuals have.
Update procedures in relation to subject access requests.
Look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Consider how you collect information in relation to children.
Make sure you have the right procedures in place to detect, report and investigate data protection breaches.
Familiarise yourself with the guidance the ICO has produced on privacy impact assessments and work out how and when to implement them in your organisation.
Designate a data protection officer within your organisation to take responsibility for data protection compliance.
If your organisation operates internationally, determine which data protection supervisory authority you come under.