ICO update GDPR Guide
Following the enforcement of the GDPR on 25 May, the ICO have usefully included a "What's new" section within their Guide to the General Data Protection Regulation, accessible on their website…
Published 12 July 2018
Data protection law in the UK has been radically overhauled in recent months and further reforms are on the horizon. The EU's General Data Protection Regulation (GDPR) came into force in all Member States on 25 May 2018 and the majority of the provisions in the UK's Data Protection Act 2018 came into force on the same date. Following behind this is the EU's e-Privacy Regulation, which is now expected to be approved in late 2018 and implemented in 2019.
The aim of the GDPR is to align the data privacy laws across all EU Member States and protect EU citizens' personal data regardless of where that data is processed (i.e. within the EU or beyond). Businesses that collect, record, use or disclose data relating to an identified or identifiable natural person are now required to comply with the GDPR standards on data processing, record keeping, risk management and data breach reporting, or face fines of up to the higher of €20m or 4% of annual global turnover.
Alongside the GDPR, the UK has enacted the Data Protection Act 2018. This Act replaces the Data Protection Act 1998 with a new, comprehensive data protection framework designed for the digital age. It implements the GDPR standards side by side with UK legislation covering law enforcement data and national security data (areas where the EU does not have competency), and permitted exemptions to the GDPR. It aims to ensure modern data use can continue whilst strengthening the control and protection individuals have over their data.
The new Data Protection Act is a lengthy piece of legislation, running to 339 pages. The key provisions in the Act include:
The new Regulation was intended to come in on 25 May 2018 to coincide with the GDPR, but it proved too ambitious to finalise the Regulation in time. At this stage, the e-Privacy Regulation is scheduled to be approved in late 2018/early 2019 and implemented sometime in 2019, but the date remains unfixed. It is unclear whether the UK will have left the EU by the implementation date, but the UK has said it will maintain EU data protection standards after Brexit.
The e-Privacy Regulation will have the same territorial scope as the GDPR and will carry the same penalties for non-compliance.