If you have not yet taken steps to ensure your business complies with the General Data Protection Regulation (GDPR), the time to start is now: it came into force, on 25 May 2018, from which date the Information Commissioner's Office (ICO) will start to enforce the new data protection regime. Failing to adhere can bring swingeing fines.
The GDPR applies detailed provisions to ensure that personal data – i.e. any data relating to an identifiable person – is properly processed and kept secure, and imposes a significant compliance regime on those who hold such data.
Key to the GDPR is the concept of 'data protection by design', so that data protection risks are considered at all steps of data handling and storage.
The GDPR builds on the existing data protection principles, as set out in the Data Protection Act 1998, but also makes significant changes, imposing stricter rules concerning the holding and management of data and also the use of personal data for commercial purposes. There are substantial rights given to individuals as to how information about them is collected and held.
The key principles are that the processing of personal data must be lawful, fair and transparent. This means that only the minimum necessary amount of personal data must be collected and only for specified, explicit and legitimate purposes. The data must be accurate and kept up to date, with access to it and use of it restricted to only those personnel who are necessary for the purpose, and it must be retained for no longer than is necessary and kept secure.
The most significant addition is the 'accountability principle', whereby data controllers must keep records to demonstrate how they comply with the data protection principles – for example by documenting the decisions taken about a processing activity.
The ICO's office has published a guide and checklist for complying with the GDPR.
For advice on how the GDPR affects you, contact us.