Page 14 - Addition Autumn 2017

Next year sees the introduction of stringent new rules governing the safeguarding of personal data, with a new emphasis on transparency and accountability.
The new General Data Protection Regulation
On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect, requiring all organisations that deal with individuals living in an EU member state to fully protect the personal information belonging to those individuals and to have documented proof of such protection. The UK’s decision to leave the EU will not affect the introduction of the legislation in the UK.
The new GDPR requires a consistent and transparent approach to data processing. The financial penalties for failing to comply are severe – with fines of up to €20m or up to 4% of total annual worldwide turnover.
New requirements for businesses
While the principles of the new GDPR are broadly similar to the existing Data Protection Act (DPA), there are some key changes placing additional obligations on businesses.
The central concepts of GDPR are justification, accountability and consent.
The responsibilities apply to both ‘controllers’ and ‘processors’ of personal data. Processors must ensure that data is legally compliant, that records of all personal data are kept and that all necessary protections are in place. Controllers are responsible for ensuring their contracts with processors are in total compliance with the regulations.
As well as new responsibilities regarding personal data, the scope of what personal data is has also grown. Reflecting changes in the way people are identified, online mechanisms such as IP addresses now count as personal data, whilst biometric and genetic data will now come under ‘special categories of personal data’.
Preparing for the regulations
Businesses should take steps now to make sure they are ready for the new legislation. Some key areas for action might include:
• Providing ongoing training to staff
• Identifying the lawful basis for your data processing activity
• Reviewing and classifying the personal data your business holds
• Creating an audit trail
• Reviewing your procedures relating to consent – including, where necessary, with regards to existing data
• Updating procedures to ensure they cover the enhanced rights for individuals – including the right to be forgotten, extra protection for children’s data and the 30 day deadline for subject access requests
• Adopting a principle of ‘data protection by design’ for all future projects
• Assigning responsibility for data protection to a key member of staff; appointing a Data Protection Officer (DPO) will be a legal requirement for some organisations
Further information and guidance can be found on the Information Commissioner’s Office
This article is for general guidance only, and you are always advised to consult an expert before taking any action.
14 | addition • autumn 17 • Issue 39