In May 2018 new legislation regarding Data Protection will become law. The General Data Protection Regulations Act 2018 (GDPR) will supersede the Data Protection Act of 1998.
There are two key elements of the new legislation. People will have more say over what companies do with their data and it will make Data Protection rules identical throughout the EU. ‘Oh but we are leaving the EU’, I hear you say! Brexit makes no difference as the new laws come in to effect before the UK legally cuts its ties with the EU.
As usual with new legislation there has been a lot of misinformation. It is vital for organisations to assess their present policies and be aware of the new legislation as the penalties that could be imposed for breaking the new Data Protection laws are heavier than before, however the Information Commissioner Elizabeth Denham has stated that, ‘This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point’.*
The details and what it means for UK companies are extensive but it is suffice to say that companies and organisations need to be taking steps now. The Information Commissioners Office have produced a guide that will help everyone begin the process of checking internal procedures in regard to changes. If you are already complying with current law this will be a good starting point as although these laws will remain valid, there will be new elements and significant enhancements that will need to be made.
You could begin by considering the following:-
- Data Protection Officer - designate someone to take responsibility for Data Protection and Compliance.
- Awareness - ensure key people are aware of the changes happening to Data Protection laws.
- Information - document the data you hold, where it originated, and who you share it with.
- Consent - review how you seek, record and manage consent and if you need to be making changes.
- Data Breach - make sure you have the right procedures in place to detect, report and investigate a personal data breach.
The CIPD have commented that the new rules, ‘herald a significant change in the culture, as well as the process of how organisations handle personal data’. Furthermore they highlight that data protection law is a highly technical area and suggest at the most seeking out legal and good practice advice, and at the least communicating the new rules to your workforce so that every employee understands their new responsibilities. **
You can find further information by looking at the ICO. website.