If you hold data on individuals, you will be affected when the Data Protection Act is replaced by the General Data Protection Regulation in 2018. This change will bring significant implications to any businesses processing personal data, particularly those with e-commerce, marketing, retail and wholesale business operations.

The EU GDPR, which comes into force on 25th May 2018, aims to protect privacy and personal data, with clear penalties for those who fail to comply with the legislation.

This will include new measures and procedures for handling all personal data, which covers any data by which an individual may be identified, and for ensuring such data is processed and used in accordance with this new legislation.

What is "Personal data"?

This act covers all data and meta-data held about employees, prospects, customers, suppliers or anyone else, where they are referred to as an individual, as opposed to a company. For example, this does not apply to a company recorded as "Some Org Ltd", but would apply to "Joe Bloggs, Managing Director at Some Org Ltd". Therefore any company that stores names and addresses is likely to be required to comply with this regulation.

Post-Brexit - does this still matter to me?

When the directive comes into force in 20 months, the UK will still be governed by EU regulations. At a point when the UK leaves the EU, the GDPR directive will be used by the UK as a base for writing a replacement data protection directive. What's more, if UK organisations intend to trade with EU organisations, they will need to adhere to the GDPR, so this matters to most businesses regardless of Brexit.

How does GDPR differ from the current Data Protection Act?

Overall, the scope of GDPR is greater than that of the DPA, and it is easier to define the point at which a breach occurs. More responsibility is placed on the holder and processor of data, and full control rests firmly with the owner of the data.

The key changes include:

  • When data is collected, the purpose for which it is collected must be made clear
  • A company must delete data that is no longer used for the purpose for which it was collected
  • The subject has the right to be erased on request
  • Firms handling a large amount of data, or sensitive data, must appoint a data protection officer (DPO)
  • All businesses in the EU must be compliant, as must companies trading with organisations within the EU

Surprisingly, 44% of IT professionals are uninformed of these new rules according to Computer Weekly, and in our experience, very few companies we have talked with have even heard of the impending General Data Protection Regulation.

The changes are significant and compliance will be challenging without data systems that provide key GDPR functionality.

For more information on the technical measures needed to ensure compliance, take a look at part 2 of our GDPR blog.

OpusVL are also supporting a series of informative GDPR events. These are free, but spaces are limited. You can find out more by visiting https://gdprready.co.uk/

To find out how we can help, you can visit our main website or get in touch on 01788 298 450.

Posted by Lauren Westley on 13/10/2016