A new data protection regime came into force on 25 May 2018. This was D-day for the General Data Protection Regulation (GDPR), and most processing of personal data by organisations must comply with GDPR from that date.
The organisation in charge of enforcing compliance is the Information Commissioner’s Office (ICO). Its message is that GDPR is ‘a huge opportunity for you, as small businesses, to get information handling right.’
GDPR replaces the existing Data Protection Act (DPA), significantly raising the bar on how personal data is handled. Greater protection for individuals is achieved through key changes, such as: an expanded definition of personal data, based on a wider range of personal identifiers; the need to identify a lawful basis for processing personal data; and a range of new rights for the individual, including the ‘right to be forgotten.’
Also new is the fact that GDPR applies both to data controllers (those determining how and why data is processed) and data processors (those responsible for processing data on behalf of a controller). Under the GDPR, data processors will be specifically required to maintain records of personal data and processing activities. They will also have increased legal liability for any breaches. Data controllers will have to ensure that contracts with processors are GDPR-compliant.
Although DPA-compliant businesses will, in the ICO’s words, be ‘well on the way’ to GDPR compliance, they will need evidence to show they are implementing the new rules. Failure to comply could result in significant fines.
Information Commissioner, Elizabeth Denham, said, “We know there are particular challenges for small organisations in preparing for the new law. All organisations are different … whether you’re a micro-brewery with 20 staff, or a tech start-up with 200, you can get it right.”
GDPR compliance will need ongoing monitoring and review.