The GDPR is a new regulation intended to strengthen and unify data protection for all individuals within the European Union (EU).
The GDPR comes into force in the UK from 25 May 2018. The UK’s decision to leave the EU will not affect the commencement of the GDPR.
The GDPR applies to ‘controllers’ and ‘processors’. The controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the Data Protection Act (DPA), it is likely that you will also be subject to the GDPR.
The GDPR places specific legal obligations on both controllers and processors, for example, requiring you to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to ‘personal data’. Its definition is more detailed than the one in the current DPA, and information such as an online identifier – e.g. an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
In summary, you will be required to:-
for further information on the GDPR.
Disclaimer: This overview should not be relied upon as comprehensive guidance but as a reminder of some of the key points of GDPR and users should refer to the Information Commissioner’s Office for more detailed guidance. Please see www.ico.org.uk. If you require further help with your planning, please contact us