OVERVIEW OF THE GENERAL DATA PROTECTION REGULATION (GDPR)
The GDPR is a new regulation intended to strengthen and unify data protection for all individuals within the European Union (EU).
The GDPR takes force in the UK from 25 May 2018. The UK’s decision to leave the EU will not affect the commencement of the GDPR.
The GDPR applies to ‘controllers’ and ‘processors’. The controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the Data Protection Act (DPA), it is likely that you will also be subject to the GDPR.
The GDPR places specific legal obligations on both controllers and processors, for example, requiring you to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to ‘personal data’ which is more detailed than the current DPA and information such as an online identifier – e.g. an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
In summary, you will be required to:
- Prepare and maintain documentation on your policy and for compliance with the GDPR;
- Appoint someone in your business to the point of contact for data protection;
- Review existing procedures for weaknesses and areas to strengthen ahead of the new regulations;
- Ensure you have a legal basis to hold personal data and have a valid reason for holding it;
- Ensure you keep any data protected and secure;
- Have procedures for reporting data breaches; and
- Keep your records up to date.
for further information on the GDPR.
Disclaimer This overview should not be relied upon as comprehensive guidance but as a reminder of some of the key points of GDPR and users should refer to the Information Commissioner’s Office for more detailed guidance. Please see www.ico.org.uk. If you require further help with your planning please contact us.