Mercia's Compliance Director, Rosie Bhattacharjee, discusses GDPR (the General Data Protection Regulation), the new legislation due to come into force in May 2018, and what you can do to ensure compliance.
What is it and what should we all be doing?
The General Data Protection Regulation is EU legislation, passed in April 2016 and coming into force on 25 May 2018. It has far-reaching global impacts on data security and protection, and any organisation that does business with EU citizens must comply with the expanded and more stringent data protection rules set out in the Regulation. The principles are similar to the current UK Data Protection Principles, as enforced in the UK by the Information Commissioner's Office (ICO). One area of change is data breach reporting and the penalties for data breaches, which are far greater than those currently imposed by the ICO.
What is the impact on my company and how should I prepare?
If you hold personal data of any kind (that is, data which identifies an individual person), whether it relates to your employees or your customers, you are already subject to Data Protection rules and will be subject to the new Regulation. The level of impact on your company will depend upon the type and volume of data that you hold and the arrangements you have in place at the moment. The best place to start is probably by reading the information on the ICO website, where you will find guidance on the steps to take now and a checklist to help you prepare.
Will it apply post-Brexit?
The Regulation will have direct effect on all organisations doing business with EU citizens, even after the UK leaves the EU. It is not yet clear whether the UK will adopt it fully for UK-based businesses dealing with UK citizens. However, it will be in force before the leaving date, and any actions that you take in preparation will help you make sure that you are compliant with current Data Protection law.