General Data Protection Regulation (GDPR)
The Data Protection Act 1998 (DPA), enacted under the EU’s Directive 95/46/EC, has provided laws, guidance and standards for handling and processing personal data in the UK for nearly 20 years, during which time it has sought to protect and safeguard the rights and personal data of individuals.
However, as technology advances and cross-border operations increase, so too must the legislation protecting the information at the heart of the processing activities. The General Data Protection Regulation (GDPR) was approved by the European Commission in April 2016 and will apply to all EU Member States from 25th May 2018. As a ‘Regulation’ rather than a ‘Directive’, the rules will apply directly to the Member States (including the UK, until we leave the EU).
As the Data Protection Act 1998 (DPA) is UK law, it would still apply in the UK alongside the GDPR and as such, would lead to inconsistency and confusion for individuals and organisations. To confirm and strengthen UK data protection law and prepare for Brexit, the Government introduced the Data Protection Bill to the House of Lords on 13 September 2017, which will update UK data protection laws once passed. The Bill will also enable the UK to exercise some of the available derogations in the GDPR, as well as introduce more specific provisions to adapt the application of some of the rules of the GDPR (i.e. points (c) and (e) of Article 6, lawfulness of processing).
Do You Need Help?
May 2018 is still a long way off, however, it is never too early to prepare and whilst the GDPR does have many similarities to the existing DPA, those obligated under it will need to develop and implement new procedures, processes and controls to meet the broader, stricter requirements, including stronger rights for data subjects, safeguards for data transfers, consent conditions and information disclosures. The forthcoming Data Protection Bill will implement the GDPR into UK law, whilst providing new rights to move or delete personal data and preserving existing tailored exemptions from the Data Protection Act.
Whenever a new regulation or law is proposed, it follows that hundreds (or sometimes thousands) of ‘specialists’ appear out of nowhere offering products and services that claim to do all the work for you. Obviously there are individuals and firms with the knowledge and expertise to genuinely help businesses. But there are also those who see an opportunity!
If a product or service offers to rid you of all effort, work and responsibility – it is too good to be true! The GDPR is one such area with hundreds of new consultants popping up daily, but it is ultimately you who is accountable for compliance and you who will be held responsible for non-compliance.
There are some great documents and consultants available that can greatly assist in the planning and implementation of your GDPR program. But always remember your due diligence, know who you are working with and be prepared to get your hands dirty.
There is no ‘one-size-fits-all’ data protection package that can make you fully compliant by itself, so seek help where needed and use off-the-shelf products if required – but take ownership of your own GDPR planning, development and implementation.
Know Your Compliance has spent many years in the legal and regulatory compliance industry and, as always, we have created extensive GDPR policies, procedures, checklists and employee assessment documents for firms to use. All of our documents require some customisation, as a ‘one-size-fits-all’ approach is impossible with regulatory compliance, and we never advise that our documents are a complete solution. These documents are intended for firms who are reviewing or have reviewed their existing measures and controls and are looking for GDPR document templates to start their implementation program. These documents are not a paper exercise and cannot just be purchased and stuck in a file – compliance with the GDPR is not only a legal requirement, it is essential for maintaining customer trust and your reputation.
We have dissected, understood and used the GDPR legislation, its recitals, Supervisory Authority guidelines and Article 29 Working Party opinions to create our document content, providing firms with foundation GDPR documents to support their GDPR implementation.
We have already launched some of our exclusive GDPR compliance documents to give businesses as much time as possible in the development and implementation of new controls and measures and to review and assess existing processes. We will be adding to our GDPR Document Section over the coming weeks and can be contacted directly regarding bespoke documents.
Our GDPR section includes:
- GDPR Policy & Procedures
- GDPR Audit Checklist & Corrective Action Plan
- GDPR Employee Assessment Q&A Papers
- Data Protection (Privacy) Impact Assessment Template
- GDPR Complete Document Set
We have written 2 GDPR overview articles aimed at giving a summary of the GDPR itself, the regulations, differences from the DPA, implementation advice and framework tools.
- Beginners Guide to the General Data Protection Regulation (GDPR)
- GDPR Preparation, Conditions and Rights
- GDPR Consent Guidance
If you are on LinkedIn, why not join our GDPR Compliance & Planning Group to stay up-to-date with the latest changes, ICO publications, Article 29 Working Party opinions and free tips and advice. Whether you are a GDPR expert who can contribute to the discussions, or are looking for guidance for your firm – we’d love to see you there!