The General Data Protection Regulation (GDPR): An Introduction
On May 25th 2017, the Data Protection Act 1998 (DPA) will be replaced by a new piece of legislation, the General Data Protection Regulation (GDPR). This will provide a single data privacy law for all European States in addition to the UK. There will be a degree of continuity as many of the main principles which have embedded themselves in organisations in recent years under the DPA will continue. However, most of the main themes of DPA are further clarified, enhanced and made more stringent. In addition, there are new elements which will impact most aspects of processing information about individuals. Failures in compliance could lead to increased monetary penalties of up to 4% of annual turnover.
Some of the key changes include: enhanced data subject rights; new rules relating to consent; a requirement for more detailed and transparent notices; mandatory data breach notification. A new principle relating to ‘accountability’ is also being introduced which will impact on record keeping and decision making, with an emphasis on the idea of ‘privacy by design’ – i.e. building privacy principles into projects from the outset and documenting your approach.
Over the coming months, resources will be added below which outline the main changes and what you need to do in order to comply when you are processing personal data or making decisions relating to privacy or data protection.