The law on data protection is changing.
The law on data protection is changing, and it’s going to affect every company that handles personal data on EU citizens – especially financial and medical data, and data on under-16s.
The new law, called the General Data Protection Regulation (GDPR), is a lot like the UK’s Data Protection Act (DPA). The difference is that it places significantly more legal liability on processors and controllers of personal data.
Here’s what you need to know about GDPR before it comes into force on 25 May 2018.
What is the GDPR?
The GDPR is a new legal framework that applies to the processing of all data relating to individuals who live in the European Union.
The new law applies wherever the processing is carried out. So it doesn’t matter where your data centre is located, or where your company is headquartered – GDPR applies.
GDPR extends the DPA to include manual filing systems
As we said earlier, GDPR is a lot like the current DPA. This means data must be:
- Processed lawfully, fairly and transparently
- Collected for specified reasons, and not processed for other purposes
- Limited and relevant to the purpose for which it was collected
- Accurate and up to date, with inaccurate information removed without delay
- Only held for the period necessary for processing
- Protected against unlawful processing and accidental loss or damage
However, under the GDPR, all this is also extended to manual systems. That includes cabinets of dusty old paper files.
What new legal liabilities will companies have?
GDPR also extends the legal liabilities of data processors and data controllers. Specifically, you will have to:
- demonstrate what steps you are taking to ensure compliance
- answer data subjects’ requests for information on the data you hold about them, free of charge
- answer data subjects’ requests to correct data you hold about them, free of charge
As a result, you’ll likely need to update your systems and processes for signing up data subjects and provide extra notifications about automated data gathering.
Won’t Brexit cancel all this out?
Wait up, you might be thinking. If this is a new EU law, won’t it be cancelled out when the UK leaves the European Union?
The answer is no. GDPR applies to data on all EU citizens, wherever that data is processed or stored.
Furthermore, the UK was instrumental in creating the new regulation so we can probably expect similar new laws on data on UK citizens even after we leave the EU.
GDPR comes into force on 25 May 2018. If you’d like to know more about how to comply, speak to the Fabric team today.