Important changes to the legislation governing data protection in the UK will be introduced on 25 May 2018 – when the upcoming General Data Protection Regulation (GDPR) will come into force, affecting businesses and individuals alike in a variety of ways.
Under existing rules, all businesses operating in the UK that process personal data of any kind are expected to comply with the Data Protection Act 1998 (DPA).
Compliance with this Act also extends to companies that simply hold data – i.e. personal information about their employees or clients.
However, the rules surrounding data protection in the UK will change significantly once the GDPR takes effect – and it is important that businesses and individuals are aware of their new obligations and/or rights under the new regime.
It is also important to note that, although the GDPR is effectively a piece of EU legislation, it will form part of UK legislation from 25 May 2018 onwards regardless of the UK’s position in terms of Brexit negotiations come that time.

Individuals will receive a number of new rights under the GDPR – which will also strengthen some of the existing rights offered under the DPA.
According to the Information Commissioner’s Office (ICO), once the new legislation takes effect, individuals will have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Whilst many of the principles from the DPA will remain, the GDPR will bring with it several new concepts and approaches – and the new legislation has been described as a “game changer for everyone”.
Businesses, in particular, will be adversely affected – as many will need to implement organisation-wide changes to ensure that any personal data is processed in compliance with the GDPR’s requirements.
One notable change is that companies that currently rely on ‘consent’ as a legal basis for processing personal data will need to assess the consents that they currently hold and the mechanisms through which such consents are provided in future. This is because ‘implied consent’ will no longer be deemed valid under the GDPR.
It is crucially important that businesses ensure they are fully compliant with the new regime, as enforcement powers will also increase under the GDPR – meaning that non-compliance may result in harsher ICO investigations than was previously the case and significant fines for those responsible for the most serious data breaches.
The ICO has published full guidance to the GDPR on its website.
If you need help with GDPR compliance or training, we can put you in touch with specialists who provide this.