One of the biggest changes in data protection law in the last 20 years is currently taking place. The existing Data Protection Act 1998 (DPA) will cease to apply on 25 May 2018. It is being replaced by the General Data Protection Regulation (GDPR). GDPR came into force in May 2016 but does not become directly applicable until 25 May 2018. A two-year transition period from the old regime to the new is in place so that all businesses can review and update their data protection business processes, security measures and staff training to ensure they become fully compliant with GDPR from day one.
The government has also confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
It applies to both “controllers” and “processors” of personal data. A controller is someone who determines why and how personal data is used and a processor is someone who acts on the controller’s behalf.
If you gather and use the personal data of EU citizens, i.e. customers, clients, suppliers or staff, then GDPR will apply to you just as the current DPA does now. So even if the UK were not adopting GDPR on 25 May 2018 (which is not the case anyway), if you gather and use the personal data of a citizen of one of the remaining EU countries, you would still have to comply fully with GDPR.
GDPR sets out new requirements for processors and places specific legal obligations on them in relation to keeping records of personal data processing activities and data breach handling.
GDPR applies to the processing of personal data by either automated or manual means. Automated processing can be either wholly or partly automated. Manual processing relates to personal data held in manual filing systems that are structured according to specific criteria. It also includes personal data that is intended to form part of such a manual filing system.
The GDPR definition of “personal data” is wider than the current definition in the DPA. Personal data for GDPR purposes means any information relating to a living individual who can be identified from that information, either directly or indirectly. GDPR is very clear that an identifier can include a name, an identification number, location data or an online identifier (for example, an IP address). It also includes identifiers specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual.
Don’t forget about sensitive personal data. GDPR now refers to this as “special categories of personal data”. Most of these categories are the same as in the DPA; however, there is now a new category for the processing of genetic or biometric data to uniquely identify an individual. The category for personal data relating to criminal offences has been removed from the “special categories” list but has not been removed from GDPR; it now sits separately in Article 10.
You must take action now and properly plan all the changes you need to make to your business processes and security arrangements to ensure personal data is safeguarded appropriately and processed in accordance with GDPR. Remember that GDPR takes over from the DPA as of 25 May 2018, which is now less than 18 months away. It will take time to implement those changes, which could have an impact on your resourcing and budgets.
I will be adding new pages to this GDPR section of my website over the next few months, which will give you more information about the changes that are taking place in data protection law and how they will affect your business. In the meantime, if you want to know more about GDPR, why not attend one of my forthcoming workshops:
GDPR what it means for marketing your business – 22 March 2017 in Easingwold – Full day intensive and interactive workshop
GDPR overview – 11 May 2017 in York – Morning only workshop
And finally, if you need help in getting your business GDPR ready, do get in touch with Dunwell Data Protection, who are experts in the field of personal data and privacy law. We’re here to help keep you on the right side of the law. You can contact us by telephone on 07534 258800 or by email at firstname.lastname@example.org