General Data Protection Regulation
The General Data Protection Regulation (GDPR) is new and brings in wider requirements, higher fines and new rights of redress for breaches. It applies from 25 May 2018 and will continue to apply after the UK's exit from the EU. It covers organisations established in the EU, and also organisations located outside the EU where they offer goods or services to individuals within the EU or monitor the behaviour of people within the EU (e.g. internet profiling).
The Information Commissioner's Office (ICO) has a very informative GDPR area on its website, which it is committed to enhancing in the run-up to the 25 May 2018 target date.
Under the Data Protection Act there are defined roles for data 'controllers' and 'processors', and these carry the same definitions under the GDPR. However, the direct legal obligations placed on processors are new requirements introduced by the GDPR.
The definition of 'personal data' under the GDPR is more detailed and wider than under the current Act; it expressly covers online identifiers such as IP addresses and cookie identifiers. The regulation applies to personal data that an organisation has collected and holds in either digital or physical (paper filing) form, including records held as part of case administration.
The ICO has published 12 steps to take now to prepare for the GDPR. This guidance will help you prepare for your obligations under the GDPR.
The ICO also provides a self-assessment webpage on which you can review how prepared your organisation is for these requirements.
Finally, a word on the tougher fines, as the GDPR significantly increases the level of fines that can be imposed. A fine of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, may be imposed for the more serious infringements, such as a breach of the basic data protection principles or of the restrictions on international transfers.
A fine of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, applies to less serious infringements, such as a failure to maintain a register of processing activities.