Important changes to data protection legislation, under which non-compliant businesses could face heavy fines, come into force later this year.
The General Data Protection Regulation (GDPR) will apply in all European Union (EU) member states from 25 May 2018. This includes the UK, which will still be a member state on that date, regardless of what is agreed during Brexit negotiations about its future relationship with the EU.
The new legislation, which will effectively replace the existing UK Data Protection Act 1998 (DPA), brings with it a number of important changes to the ways in which businesses are able to collect, handle and store personal data.
Perhaps the most notable change is that companies which currently rely on ‘implied consent’ (pre-ticked boxes, silence or inactivity) as their legal basis for processing personal data will no longer be able to do so: under the GDPR, consent must be given by a clear affirmative action and be freely given, specific, informed and unambiguous. Businesses that cannot meet that standard will need to identify another lawful basis for the processing, or stop it.
Once the new rules are in force, many small and medium-sized enterprises (SMEs) will need to implement important changes across their organisation in order to ensure they are fully compliant with the GDPR.
These changes could include anything from strengthening their cyber security, so that the technical and organisational measures protecting personal data are appropriate to the risk and the likelihood of a serious data breach is reduced, to appointing a Data Protection Officer for their organisation where the regulation requires one.
Compliance matters, because the maximum fines under the GDPR are substantial. For the most serious infringements, businesses can be fined up to four per cent of their annual global turnover or €20 million (£17.8 million), whichever is higher; a lower tier of up to two per cent or €10 million applies to other breaches of the regulation, including failures to keep personal data secure.
The Information Commissioner’s Office (ICO) has published full guidance to the GDPR on its website.