What is the Regulation?

The European Parliament has introduced a General Data Protection Regulation (GDPR) by way of reform of EU Data Protection Law.

The GDPR replaces the current Data Protection Directive, which was implemented into UK Law through the Data Protection Act 1998.

As the GDPR is a Regulation, rather than a Directive, it will be immediately binding on all EU member states immediately once in force.

When does GDPR become Law?

Consultation began in 2009 in recognition of the new challenges for personal data protection, particularly in light of new technologies and globalisation.

The implementation date for GDPR is 25th May 2018.  

Implications of BREXIT

The Information Commissioner’s Office (“ICO”) has said that the Government needs to consider the impact of BREXIT on the GDPR.

However, the GDPR cannot be ignored for the following reasons:

We do not know the date that the UK will leave Europe.  We will however still be in the EU come the implementation date of 25th May 2018.

Whilst the implementation date is still some time off, there may be a lot to do for organisations (especially large organisations) to ensure they are in a position to comply with the law once in force.

GDPR is still relevant when outside of the EU for organisations operating internationally.

The ICO is of the view that reform of the UK law remains necessary in any event.

Content

The GDPR presents a much more detailed framework and introduces some new principles and concepts.

Whilst the principles of the GDPR are similar to the principles under the Data Protection Act, there are some enhanced obligations.

Steps to take now

The ICO has published guidance on steps that data controllers should be taking now in order to prepare for GDPR.

These include:

• Ensuing that decision makers and key people in your organisation are aware that the law is changing and to appreciate the impact this is likely to have.

• Organise an information audit to document what personal data you hold, where it came from and who you share it with.

• View current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

• Check procedures to ensure they cover all the rights individuals have.

• Update procedures in relation to subject access requests.

• Look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

• Review how you are seeking, obtaining and recording consent and whether you need to make any changes.

• Consider how you collect information in relation to children.

• Make sure you have the right procedures in place to detect, report and investigate data protection breaches.

• Familiarise yourself with the guidance the ICO has produced on privacy impact assessments and work out how and when to implement them in your organisation.

• Designate a data protection officer within your organisation to take responsibility for data protection compliance.

• If your organisation operates internationally, determine which data protection supervisory authority you come under.

USEFUL LINKS

ORGANISATION	PURPOSE	LINK
	GDPR in Recruitment Group	Join Here
	Lawful basis interactive guidance tool	Interactive Tool
	Latest on GDPR from the ICO	What's New
	Overview of the General Data Protection Regulation (GDPR)	ICO Overview
	Getting Ready for the GDPR	ICO Guidance
	GDPR Privacy Policy Template	Template
	Is Your Business GDPR Compliant?	Fact Sheet
	Summary of Key Changes	Fact Sheet
	Checklist	Fact Sheet
	IT & Marketing	Fact Sheet
	GDPR Testing	Outline
	GDPR We Can Help	Help
	Your GDPR Questions Unpicked	Podcast
	How to Use GDPR to Your Recruitment Agency's Advantage	eBook
	How to Choose the Right DPO	Fact Sheet
	GDPR Awareness Training Video	Video
	GDPR Guide for Recruitment Agencies	Guide
	GDPR Vendor Due Diligence Checklist	Checklist
	Compliance Guide for Your Website	Compliance Guide
	GDPR Resource Hub	Resource Hub
	Test your knowledge of the GDPR	Quiz