New heights for Accountability, Transparency, Contracts, Response
The quick version
The European Union’s General Data Protection Regulation has a wide reach in terms of its international scope and the obligations it places upon those who wish to process the personal data of people in the EU.
To all intents and purposes, the Data Protection Act 2018 is 'GDPR plus'. It supplements the GDPR in UK law and ensures that, even after Brexit, UK companies are required to treat personal data with the same level of care and transparency.
It also sets out the UK's own requirements in areas the GDPR does not cover, such as law enforcement, intelligence and defence, and introduces two new criminal offences designed to enforce and protect the rights of UK data subjects.
There is no getting away from it. If you are a UK business or want to do business in the UK, you will need to comply with both the GDPR and the Data Protection Act 2018.
This is a good thing. Privacy is integral to the modern economy, and the reality is that most businesses at least want to do the right thing.
The main impacts
For those who have always made an effort to comply with data protection legislation, many of the changes introduced by the GDPR and the Data Protection Act 2018 are fairly small. There are, however, some areas where the requirements of the new legislation are substantial.
This is not intended to be another site where the wording of each article and recital is reproduced with dire warnings of catastrophic fines for each infringement – there are plenty of those around.
The ICO has some great guidance for business on its website if you want detailed information, but here is our summary of the areas we think have seen the greatest impact, and what that means for your business operationally.
It is no longer good enough simply to comply and 'do no harm'. Organisations need to be able to prove they comply and to demonstrate the systems and controls they have in place. This covers everything from operational policies and procedures to having a clear reporting line responsible for data protection, including, where the GDPR requires it, appointing a Data Protection Officer. Most importantly, you need to be able to demonstrate that privacy runs through your business culture and is a consideration when important business decisions are made, for example by conducting a Data Protection Impact Assessment before introducing a new product or service.
There are commercial benefits
This video, produced by Lloyds Banking Group and featuring the Information Commissioner, Elizabeth Denham, highlights some of the commercial benefits of a privacy-friendly approach to business and GDPR compliance.