As of 25 May 2018, the UK Data Protection Act 1998 (DPA) will be replaced by new legislation which will apply across the EU, primarily comprising the General Data Protection Regulation (GDPR).
The UK Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
This means that businesses and public bodies across the UK and the EU will have just over a year to make sure they are compliant with the new rules imposed by the GDPR.
The UK Information Commissioner gives the following guidance on the significance of the GDPR:
- The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
- If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
This is particularly important if your business transfers personal data outwith the EU – you will need to confirm that the process of transferring the data is compliant with the new regulations.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What information does the GDPR apply to?
- Personal Data – this definition is similar to the DPA: data that can identify an individual, whether directly or indirectly, for example their name, date of birth, address etc. The GDPR will expand on this to include online identifiers such as an IP address.
- Sensitive Personal Data – this is similar to the DPA and includes racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, health or sex life, and will now include genetic or biometric information which, when processed, can identify an individual.
So remember to get your systems ready for the GDPR by 25 May 2018.