The much-anticipated Data Protection Act 2018 has come into force today (25 May 2018), incorporating the European General Data Protection Regulations 2016 (GDPR) into UK law and repealing the Data Protection Act 1998.
The GDPR introduces the most radical overhaul of data protection for a generation, and the Data Protection Act ensures that the UK remains a country which can be trusted to deal with personal data in a secure manner once it leaves the EU next year, by incorporating the Regulations into UK law. Without the Data Protection Act, post-Brexit it would be very difficult for personal data to be shared into and out of the UK, as the UK will need to show it has an adequate level of protection. The fact that the GDPR is translated into UK law should make the process much more straightforward.
Most obligations under the Act fall on the “data controller”, the person or body who determines the purposes and means of the processing of personal data. Changes have also been introduced in respect of “special categories of personal data”, which include, among others, information on a person’s racial or ethnic origins, sexual orientation and trade union membership.
An employer with 250 or more employees must maintain records of how personal data is processed, and the Act lists what must be recorded. There is also a requirement for employers to appoint a data protection officer in certain circumstances. Most importantly, data controllers must document any breaches, and notify the ICO as soon as they become aware of the breach (and in any event within 72 hours of becoming aware of it) if it is likely to result in a risk to the rights and freedoms of individuals.
Despite the new legislation coming into force at midnight, hundreds of companies are still expected to be non-compliant with its more onerous requirements. There is no grace period for compliance, but, speaking on Radio 4, the Information Commissioner has advised companies not to panic, especially smaller companies that do not make extensive use of personal data. That does not mean such companies can put off taking steps to become compliant: breaches will be treated seriously and could result in monumental fines.
“We have been working very closely with numerous clients of all shapes and sizes, across a broad range of sectors, in order to help them achieve GDPR and Data Protection Act compliance. Achieving compliance is an ongoing obligation and it is important to continually review your internal practices and procedures to ensure you can demonstrate accountability and compliance. If you are worried about the new legislation and would like more information, please contact a member of the team.”