On 25 May 2018 the General Data Protection Regulation (GDPR) will replace the UK’s Data Protection Act 1998 (DPA). As an EU regulation, the GDPR will apply directly in the UK from that date without the need for national implementing legislation. On 21 June 2017, the Queen’s Speech confirmed that the DPA would nonetheless be repealed to make way for a new Act of Parliament implementing the GDPR in UK law. This will happen even though the UK has given formal notice of its intention to withdraw from the European Union.
The GDPR represents an overhaul of the current data protection regime. Obligations under the GDPR will increase: data processors (as well as data controllers) will have their own direct statutory obligations for the first time, and the maximum fines for breaches will rise dramatically, to the greater of €20 million or 4% of annual worldwide turnover. As well as this, the time limit for responding to a subject access request will be reduced from 40 days to one month, and a new accountability principle will require businesses not only to comply but to be able to demonstrate their compliance from the outset.
The Information Commissioner, Elizabeth Denham, has recently stated that: ‘If your organisation can't demonstrate that good data protection is a cornerstone of your business policy and practices, you're leaving your organisation open to enforcement action... But there's a carrot here as well as a stick: get data protection right, and you can see a real business benefit.’ It is clear that data protection must become, if it is not already, a boardroom issue.
With such significant change around the corner, it is clearer now than ever that data protection compliance will require a proactive approach. The GDPR represents a fundamental shift from data protection being a ‘nice to have’ to its being an essential part of a successful business. Businesses must take steps now to make sure they are in the best position possible on 25 May 2018.