The new General Data Protection Regulation – GDPR – will apply in the UK from 25 May 2018 and will affect anyone and everyone who comes into contact with any form of personal data, both here in the UK and across the EU.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The GDPR builds on the previous legislation but provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st-century approach to the processing of personal data. And it puts an onus on businesses to change their entire ethos to data protection. The message about GDPR is continuity and change.
There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone.
The GDPR is at root a modernisation of the law. Many of you will agree that the reform is long overdue. The world has changed a lot since 1995, not only technology, but business models, people’s attitudes to their data, their demand that their information is properly looked after. The law needed to change too.
The GDPR gives consumers more control over their data. Consumers and citizens have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it.
And they’ll have the brand new right to data portability: to obtain and port their personal data for their own purposes across different services.
The GDPR will include new obligations for organisations. Businesses will have to report data breaches that pose a risk to individuals to us at the ICO, and in some cases to the individuals affected.
They’ll have to ensure that specific protections are in place for transferring data to countries that haven’t been listed by the European Commission as providing adequate protection, like Japan and India.
Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data. A pre-ticked box will not be valid consent.