There are now just 3 weeks to go until the new data protection regulations become law on 25 May 2018. The new provisions known as the General Data Protection Regulation (GDPR) represent a step change in data protection regulation, that will impose much stricter controls over the way that businesses collect, store and manage the personal data of customers, suppliers, staff and other contacts. For many businesses, the new rules are more onerous than the current Data Protection Act (DPA) rules.
New requirements, not in the present Data Protection Act 1998, include:
- Reporting data breaches.
- Cross-border considerations.
- New rights for contacts: need to inform contacts how you are using their personal data and their rights under the GDPR to request that personal data is deleted.
- Need to demonstrate that your firm is mitigating against risks of misuse of clients’ personal data.
The GDPR is an EU-wide initiative and as the UK will continue to be part of the EU when the new rules enter into force, the provisions will apply in the UK as elsewhere in the EU. It is expected that the GDPR will remain UK law after Brexit. However, there may be changes to ensure there are no gaps in the UK’s data protection regime.
If you have not already begun to prepare for the GDPR, we would strongly recommend that you make a start. The Information Commissioner's Office (ICO) has published a number of documents to help businesses prepare for the changes.