Legal Futures - https://www.legalfutures.co.uk

Get ready for the General Data Protection Regulation

Posted by Sharon Cooper, corporate compliance manager at Legal Futures Associate, the Chartered Institute of Legal Executives [1]

Cooper: Huge potential fines

The EU General Data Protection Regulation (GDPR) comes into effect in May 2018. It takes the existing Data Protection Act 1998 (DPA) principles to the next level and will enforce heavy fines on any non-compliant organisation.

On 13 September 2017, the government introduced the Data Protection Bill. If enacted, the bill will repeal and replace the DPA and supplement the GDPR.

The existing DPA and the new EU regulation are all about data privacy and the rights of the individual. The key changes are:

Here at CILEx, we are checking that our own processes are robust enough to limit breaches occurring. Appropriate policies, procedures and systems considering privacy must be in place for existing systems, and considered at the outset for future product or process development.

The ‘right to be forgotten’, meanwhile, requires controllers to completely remove data if the data subject withdraws their consent, and when the data is no longer necessary for the purpose for which it was collected.

Under the existing DPA, the maximum potential fine was set at £500,000, although as yet this has not been enforced. In September 2017, the value of fines issued for DPA-related offences totalled £740,000.

Readers should note that the GDPR will change the amount and way in which fines are issued. There will be a two-tier system, with the highest-tier fines limited, initially, to a maximum of €20m or up to 4% of the total worldwide annual turnover of the preceding year, whichever is higher. It is important, therefore, that all businesses get their compliance right.

What you can do to ensure that you are ready to comply with the GDPR

Here at CILEx, we are asking each team the following questions:

The answers to the above questions will provide the basis for a plan of action. You may wish to adopt this approach in your organisation to ensure that you are well on the way to complying with the GDPR. I wish you good luck!

Although this article gives an overview of some of the changes to the DPA, it is not comprehensive. Readers must seek clarification from the ICO regarding their own organisational requirements.