Current data protection guidelines are based on a Data Protection Act (DPA) introduced in 1998. Nearly 20 years on there have been significant advances in technology resulting in changes to the way individuals and organisations communicate and share information.
The new GDPR, which will be introduced on 25th May 2018, addresses these changes, giving a more relevant and consistent legal framework and a more unified approach across EU member states, and will be relevant to any company that has a responsibility for data protection.
It has also been confirmed that the UK’s decision to leave the EU should not have any impact on the implementation of the GDPR, a question that had caused some uncertainty; organisations should continue with their plans to enable compliance.
Extensive and detailed information can be found on the Information Commissioner’s Office (ICO) website. In partnership with ESET we have also put together a useful summary document showing the 12 steps your organisation can take now to prepare, which is available to download from our website along with a more detailed and concise guide.
Organisations now frequently operate internationally, so consistency in data protection laws and rights is crucial for both businesses and individuals. With the rapid and continuing growth of the digital economy it is more important than ever to standardise data protection and put sufficient safeguards in place.
Who does GDPR apply to?
The GDPR will apply to ‘controllers’ and ‘processors’. These terms are already in use and their definitions will generally remain the same: the controller determines how and why personal data is processed, and the processor acts on the controller’s behalf. If you are currently required to adhere to the DPA, it is likely the GDPR will also apply to you.
Under the new GDPR, specific legal obligations will start to apply to processors, who will be required to maintain records of personal data and processing activities. A new requirement of the GDPR will mean greater legal liability for processors in the event of a breach. From a controller’s perspective, the obligation to ensure that all processor contracts are fully compliant with the GDPR is also increased.
The GDPR applies to organisations operating within the EU but also to those outside the EU offering goods or services to those individuals within it.
What information has to comply with GDPR?
The definition of personal data becomes much more detailed under the new regulations and will include, for example, an IP address. This has been introduced to incorporate the advancements in technology and the way in which information about people is now collected. Any organisation currently storing HR records, customer lists or contact details etc. will be affected by GDPR and should ensure compliance.
New guidance was recently issued on the use of encryption software. Whilst it doesn’t state that an organisation must encrypt data, there is a responsibility to protect any personal details you hold or gather and to ensure they are secure. Loss or theft of sensitive information is much more likely to occur if no encryption procedure is in place.