GDPR – What is it?

What is the GDPR?

The EU General Data Protection Regulation or “GDPR” is the most important change to data protection and privacy law in two decades. It was approved by the EU Parliament in April 2016 and comes into force in the UK on 25th May 2018. The GDPR will replace the Data Protection Act 1998 and, while it is similar to the current regime under the 1998 Act in many ways, it is a great deal more modern, taking into account major advances in science and technology. Most importantly for businesses it is more demanding.

Why is the GDPR Necessary?

The GDPR is designed both to harmonise data protection law throughout Europe and to modernise it. A great deal has changed in the last two decades, not least the ways in which personal data is collected and processed by organisations. In particular, the growth of the internet and the significant increase in the amount of personal data being transferred, stored, and processed online means that legislation that worked 20 years ago is, in many respects, no longer up to the task.

Will the GDPR Affect My Business?

Simply put, if you handle personal data of any kind and you are already subject to the Data Protection Act 1998, yes, it will. The GDPR will apply to all organisations operating within the EU and to organisations outside of the EU that deal with individuals within the EU. The good news is that if you are already complying with the Data Protection Act, you’re off to a strong start. Nonetheless, it is very important to be aware of, and to understand, your obligations (existing and new) under the GDPR.

What does Brexit Mean for the GDPR?

The UK government has made it clear that the provisions of the GDPR will still apply after Brexit.

In September 2017, the Government published a new Data Protection Bill, the main purpose of which is to bring the provisions of the GDPR onto the UK statute book after we leave the EU. There are already some differences between the GDPR and the Data Protection Bill, but it is likely that from the perspective of most businesses, the steps necessary for compliance will be the same. You can find out more about the Data Protection Bill on our blog, here. In short, though, keep preparing for the GDPR.

What are the Key Changes?

Compared to the current data protection framework under the Data Protection Act 1998, the GDPR will bring a number of important changes and enhancements including:

  • Increased accountability and greater responsibilities within organisations to ensure that personal data is
  • protected and processed within the bounds of the law;
  • A wider range of data will now be classed as “personal data”;
  • Data processors (e.g. contractors and service providers) will now also be regulated;
  • The penalties for failure to comply will be much stronger (up to €20m or 4% of total worldwide turnover, whichever is higher);
  • New procedures requiring data controllers to notify the ICO of data breaches within 72 hours of the breach;
  • Enhanced individual rights including greater transparency and “the right to be forgotten”;
  • The requirement for many organisations to appoint a Data Protection Officer where personal data processing is significant; and
  • Stricter rules on consent given by data subjects to the collection and processing of their personal data.

How will this GDPR Data Protection Policy Help Me?

We have designed this Data Protection Policy template to serve as a guide to the GDPR; one that will assist businesses in understanding their obligations and in preparing for compliance. Most importantly, we have designed this as a living document, meaning that as more official guidance and best practice becomes established over the coming months, we may make alterations and enhancements to this template to better reflect them.

Detail in this Data Protection Policy is extensive, aiming to reproduce key parts of the GDPR so as to aid in the establishment of knowledge and understanding throughout your business. Despite this, however, it should be noted that training remains essential and that any and all individuals handling personal data within your business should be fully aware of the Regulation and its principles as well as the procedures in place within your business to comply therewith.

Please note that this document is designed for business use only, and certain provisions of the GDPR relating to public authorities have not been incorporated. Please also note that, as stated above, this is a living document – changes are likely to be made prior to the GDPR coming into force in 2018.

(Source: Simplydocs & CIPD)

If you are unsure on how to do your audit or how to design the policy then get in touch with me on 07789004374 and I will be able to help.