What is the Regulation?
The European Parliament has introduced a General Data Protection Regulation (GDPR) by way of reform of EU Data Protection Law.
The GDPR replaces the current Data Protection Directive, which was implemented into UK Law through the Data Protection Act 1998.
As the GDPR is a Regulation, rather than a Directive, it will be immediately binding on all EU member states immediately once in force.
When does GDPR become Law?
Consultation began in 2009 in recognition of the new challenges for personal data protection, particularly in light of new technologies and globalisation.
The implementation date for GDPR is 25th May 2018.
Implications of BREXIT
The Information Commissioner’s Office (“ICO”) has said that the Government needs to consider the impact of BREXIT on the GDPR.
However, the GDPR cannot be ignored for the following reasons:
We do not know the date that the UK will leave Europe. We will however still be in the EU come the implementation date of 25th May 2018.
Whilst the implementation date is still some time off, there may be a lot to do for organisations (especially large organisations) to ensure they are in a position to comply with the law once in force.
GDPR is still relevant when outside of the EU for organisations operating internationally.
The ICO is of the view that reform of the UK law remains necessary in any event.
The GDPR presents a much more detailed framework and introduces some new principles and concepts.
Whilst the principles of the GDPR are similar to the principles under the Data Protection Act, there are some enhanced obligations.
Steps to take now
The ICO has published guidance on steps that data controllers should be taking now in order to prepare for GDPR.
Ensuing that decision makers and key people in your organisation are aware that the law is changing and to appreciate the impact this is likely to have.
Organise an information audit to document what personal data you hold, where it came from and who you share it with.
View current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Check procedures to ensure they cover all the rights individuals have.
Update procedures in relation to subject access requests.
Look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Consider how you collect information in relation to children.
Make sure you have the right procedures in place to detect, report and investigate data protection breaches.
Familiarise yourself with the guidance the ICO has produced on privacy impact assessments and work out how and when to implement them in your organisation.
Designate a data protection officer within your organisation to take responsibility for data protection compliance.
If your organisation operates internationally, determine which data protection supervisory authority you come under.