Major changes to data protection are imminent
The EU General Data Protection Regulation (GDPR), which applies from 25 May 2018, will supersede our current Data Protection Act 1998 and will directly affect UK businesses and organisations across both the public and private sectors.
The regulation is the largest development in data protection law in 20 years and will still need to be complied with regardless of the outcome of the Brexit negotiations.
The government is also implementing the GDPR's provisions (and the national exemptions it permits) into UK law via a new Data Protection Bill, which is still making its way through Parliament.
The legislation is designed to reflect that we now live in an increasingly digital world and places greater emphasis on the rights of individuals and the concept of ‘privacy by design’ (the GDPR's own term is ‘data protection by design and by default’).
This is the idea that data privacy is a fundamental right that we must all respect, and that privacy must be built into policies, procedures and technology from the outset rather than bolted on afterwards.
Any business that holds or deals with property is likely to collect and handle personal data, and will need to understand how to comply with the regulation and take steps to do so in the most effective ways possible.
Personal data is any information that relates to an identified or identifiable living person. This includes names, addresses, job titles, national insurance numbers, financial details and social media profiles, and extends to online identifiers such as internet browsing activity and IP addresses.
The data protection principles under the GDPR are that:
■ data must be processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency)
■ data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
■ any data processed must be adequate, relevant and limited to what is necessary (data minimisation)
■ data must be accurate and, where necessary, kept up to date (accuracy)
■ data must not be kept in identifiable form for longer than is necessary (storage limitation)
■ appropriate technical and organisational measures must be put in place to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)
■ the organisation responsible for the data must be able to demonstrate its compliance with the principles above (accountability).
Under the GDPR, individuals have greater rights in respect of what organisations can and cannot do with personal data, and there is an increased emphasis on accountability, including mandatory reporting of personal data breaches to the regulator (within 72 hours of becoming aware of the breach, where feasible) and, where the breach poses a high risk to them, to the individuals affected.
Data protection is regulated by the Information Commissioner's Office (ICO), and fines for data protection breaches are considerably increased under the GDPR.
Non-compliance can carry a fine of up to 20 million euro or 4 per cent of the total global annual turnover of an organisation, whichever is greater.
This means that data protection breaches must be taken more seriously than ever.
If the financial cost doesn’t cripple an organisation, the reputational damage might!
Read other columns by Penningtons Manches