It’s official. The General Data Protection Regulation (GDPR) is here to stay; well beyond April 2019 when the UK is likely to finally leave the European Union.
On 24th October 2016, the Secretary of State Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee to say:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
Writing on her blog, the Information Commissioner (Elizabeth Denham) welcomed this announcement. However, it is technically incorrect for her to say:
“The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR).”
As I have explained in a previous blog post, the Government has no choice but to implement GDPR as the UK will still be a member of the EU on 25th May 2018 when it comes into force.
This announcement does, though, put an end to months of uncertainty as Data Controllers waited to see what the Government would do after the UK leaves the EU, although last month’s announcement of the Great Repeal Bill meant that yesterday’s announcement was not a big surprise.
GDPR will replace the Data Protection Act 1998 (DPA) and represents the biggest change to data protection law for 20 years. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).
The ICO’s overview of GDPR is a good place to start. It has also published 12 steps to take towards compliance. We would emphasise:
- Raising awareness of GDPR at all levels within the organisation (see our GDPR poster).
- Reviewing compliance with the existing law as well as the six new DP Principles.
- Revising privacy policies in the light of the GDPR’s more prescriptive transparency requirements. The ICO’s new privacy notices code is a very useful document for this.
- Considering who is going to fulfil the mandatory role of Data Protection Officer. What skills do they have and what training will they need? Our Data Protection Practitioner Certificate, with an emphasis on the practical skills required to implement GDPR, is an ideal qualification for those aspiring to such positions.
- Reviewing information security policies and procedures in the light of the GDPR’s security obligations, particularly breach notification.
Look out also for amendments to Section 40 of the Freedom of Information Act 2000, Section 38 of the Freedom of Information (Scotland) Act 2002, Regulation 13 of the Environmental Information Regulations 2004 and Regulation 11 of the Environmental Information (Scotland) Regulations 2004. All contain exemptions from disclosure of personal data by reference to the DPA.
The ICO will be publishing a revised timeline setting out which areas of guidance it will be prioritising over the next six months. Elizabeth Denham ends her blog with these wise words:
“I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.”
Act Now has a series of blog posts as well as a dedicated GDPR section on its website with detailed guidance on different aspects of the Regulation.
We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised workshops as well as to carry out GDPR health checks and audits.
GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.