The General Data Protection Regulation (GDPR) is a comprehensive data protection regime which will start to be enforced in the UK in May 2018. The penalties for non-compliance can be very substantial – for serious breaches, up to 4 per cent of global turnover or €20 million, whichever is the higher – and it imposes significant compliance issues for any organisation which holds protected data. Although it is European legislation, the Government has indicated that it will remain on the UK statute books after Brexit.
What is Protected Data?
The data protected under the GDPR is personal data – that which relates to an identifiable person. Generalised data is not covered unless possession of that data allows a person to be identified. However, organisations hold a great deal of information which is sensitive and confidential (turnover by category of goods, for example), so the need to comply with the GDPR also gives management the opportunity to think seriously about data protection and security generally.
Key to the GDPR is the concept of 'data protection by design', so that data protection risks are considered at all steps of data handling and storage.
The minimum necessary amount of personal data must be collected and it must be processed for a specific purpose and for that purpose only. In addition, access to data must be restricted to only those personnel who are necessary for the purpose and data should not be retained for longer than is necessary.
There are substantial rights given to individuals as to how information about them is collected and held.
As a first step, make sure everyone in your organisation who has access to or processes personal data is aware of the GDPR and the need to comply with its requirements. This may involve specialist training and almost certainly will necessitate reviewing procedural manuals and possibly terms and conditions of contracts.
The list below contains the 'bare bones' of compliance – there will be additional issues if you export data abroad, make use of 'bought-in' data or share your data. You may need to appoint a data protection officer to have responsibility for and control over GDPR compliance. Some types of data breach will need to be disclosed to the Information Commissioner's Office (ICO).
There is more information on the GDPR on the ICO website. The section on the rights of the individual warrants special attention by anyone carrying information about individuals.