The General Data Protection Regulation
The General Data Protection Regulation (GDPR), which replaced the EU Data Protection Directive, came into force on 25 May 2018 and now, together with the Data Protection Act 2018 (DPA 2018), forms a large part of the data protection regime in the UK.
The GDPR is intended to achieve a high level of security of network and information systems across the EU and give individuals greater control over their own personal data. It applies to all EU member states and will impose significant compliance issues for any organisation which holds 'protected data'. Although it is European legislation, the Government has indicated that the GDPR will remain on the UK statute books after Brexit and, to this end, the DPA 2018 was enacted, replacing the Data Protection Act 1998 and building on existing data protection rights in order to take into account developments in digital technology and the way organisations often collect a wide range of information about people.
The GDPR regulates the processing of protected data by organisations operating within the EU and those outside the EU that offer goods or services to individuals in the EU. It builds on existing data protection principles, but also makes significant changes, imposing stricter rules concerning the holding and management of data and also the use of personal data for commercial purposes. The most significant addition is the 'accountability principle', whereby data controllers must keep records to demonstrate how they comply with the data protection principles – for example by documenting the decisions taken about a processing activity.
The penalties for non-compliance with the GDPR can be very substantial – for serious breaches, up to 4 per cent of global turnover or €20 million, whichever is the higher.
The Information Commissioner's Office has comprehensive guidance to help organisations comply with the GDPR. It is designed for those who have day-to-day responsibility for data protection.
The guidance covers the key points that organisations need to know, referring to the DPA 2018 where it is relevant, and includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU's Article 29 Working Party – now the European Data Protection Board.
The ICO intends to continue to develop new guidance and review its resources on an ongoing basis in order to take into account feedback from organisations as to their needs.
In the longer term, the ICO will publish further guidance, under the umbrella of a new Guide to Data Protection, which will cover the GDPR and the DPA 2018, as well as law enforcement, the applied GDPR and other relevant provisions.