It is now less than a year until the UK’s current Data Protection Act will be replaced by the new legal framework within the EU. Despite Brexit, it is important that organisations understand the changes in this law, which is due to apply from 25th May 2018. The government has confirmed that the decision to leave the EU will not affect the start date of the new regulation – the General Data Protection Regulation (GDPR).
SMEs and other organisations which hold data need to start preparing now, before the GDPR comes into force next year.
What is the GDPR?
The EU’s General Data Protection Regulation will apply across the Union and replaces the Data Protection Act from May 2018. The DPA has been in place since the 1990s, so given the changes in data storage that have happened since, it makes sense to introduce new regulations for businesses about collecting personal data. The framework is more detailed and there are greater punishments for those that don’t follow the new rules.
Key Changes
The new regulation has a much wider scope than the DPA, so it’s imperative that business owners understand what will need to change in data collection and storage. Here are a few areas to consider from the GDPR:
Consent
Consent to store personal data must be actively given – this means no more pre-ticked boxes or presumptions. Companies must prove they have a positive opt-in for each individual they store data on. Additionally, people can withdraw consent at any time so businesses need a simple way to instantly delete data when requested. The GDPR also contains guidelines for protecting children’s personal data.
Data Breaches
The GDPR is going to get tough on organisations which allow data breaches and theft. Companies must contact relevant authorities and inform them of a data breach within 72 hours, and have plans in place to mitigate the effects. In some cases companies will also have a duty to contact individuals who are affected by a personal data breach.
Transfer of Data
There will be restrictions on the transfer of personal data to countries or organisations outside of the European Union. Some transfers may take place subject to the regulation’s appropriate safeguards.
For many UK businesses, the process of collecting and storing data will have to adapt. Read up on the GDPR and how you can prepare here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/