The General Data Protection Regulation (the GDPR) and the Data Protection Act 2018 (DPA 2018) are now law. They became enforceable on 25 May 2018.
The GDPR applies to how organisations in the EU process personal information. In addition, it also applies to how organisations outside the EU process personal information if they offer goods or services to people in the EU or monitor the behaviour of people in the EU. For example, companies outside the EU that carry out profiling or online tracking of individuals in the EU will need to comply with the GDPR.
The Data Protection Act 2018 needs to be read alongside the GDPR, as it covers matters not covered under GDPR, such as exemptions and enforcement. It came into force at the same time as the GDPR.
The short answer is no. At the end of the transition period, the UK will introduce a UK version of the GDPR which largely mirrors the main provisions of the GDPR. This is to ensure that the strict standards imposed by the GDPR will be maintained.
The Information Commissioner’s Office (ICO) regulates data protection compliance. If they receive a complaint about your organisation, they will carry out an investigation and may direct you to take action to rectify any areas of concern and/or impose a hefty penalty. They may also publish information about your failings on their website which could damage your reputation.
If you are unsure whether your organisation is data protection compliant, make use of our free online audit tool. The answers you provide to the questions will be used to generate a report for you, which will highlight areas needing attention.
The ICO requires all staff processing personal data to have data protection training, to ensure they are clear about their responsibilities and understand what they can and cannot do when processing personal information. Annual refresher training should also be carried out.
All organisations which process personal data need to register with the ICO and pay a fee, unless they are exempt. An easy way to find out whether or not your organisation is exempt is to visit the ICO website and use their online self-assessment tool: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
Under the GDPR it is a legal requirement for certain organisations to appoint a Data Protection Officer (DPO). This includes public bodies, and organisations whose core activities involve the regular and systematic monitoring of individuals on a large scale, or the large-scale processing of special category data or of personal data relating to criminal convictions and offences. An easy way to find out whether your organisation needs to appoint a DPO is to visit the ICO website and use their online self-assessment tool: https://ico.org.uk/for-organisations/does-my-organisation-need-a-data-protection-officer-dpo/
Under the GDPR individuals have numerous rights, one of which is the right of access, exercised through a Subject Access Request (SAR). This means that an individual has the right to contact an organisation and request a copy of all the personal data the organisation holds about them. The request must be processed within one month and is free of charge. In some circumstances, responding to a SAR can be straightforward, but, depending on the volume and type of data, SARs can also be time consuming and complex, as there are strict rules which must be adhered to.
A Data Protection Impact Assessment (DPIA) is a formal procedure which must be followed when an organisation is planning a new project which is likely to result in a high risk to individuals. This includes when an organisation is proposing to change the way in which it processes personal data or to introduce new systems for processing personal data, for example introducing the use of CCTV, profiling or fingerprint recognition.
An individual could be prosecuted and fined under the DPA 2018 if they unlawfully process personal data. For example, if a member of staff unlawfully obtains, discloses, sells or offers to sell personal information they could face criminal charges.
The PECR set out the law in relation to marketing by email, text, telephone and fax. The definition of consent under the PECR is the same as under the GDPR. This is important if your organisation is relying on consent in order to send out marketing material.
Under the GDPR, there is a two-tier system for fines. The maximum penalty under the first tier is €10 million or 2% of global turnover, whichever is the greater. The maximum penalty under the second tier is €20 million or 4% of global turnover, whichever is the greater.
Whether the first tier or the second tier is used depends on the type of breach. The first tier is used when organisations do not adhere to certain responsibilities under the GDPR, including (amongst other things): failing to implement appropriate security measures to safeguard personal data; failing to introduce data protection policies and procedures; failing to enter into GDPR compliant contracts; failing to appoint a Data Protection Officer (if required); failing to carry out Data Protection Impact Assessments (if required); and failing to report a personal data breach (if required).
The second tier is used for more serious breaches, such as not complying with the Data Protection Principles, not having a legal basis for processing personal information, not obtaining valid consent, not responding appropriately when an individual wishes to exercise their rights under the GDPR, or transferring personal data outside the EU without adequate safeguards in place.