
Major changes to data protection are imminent

By SPONSORED FEATURE | Sarah Coates and Nabil Asaad, Penningtons Manches

The EU General Data Protection Regulation (GDPR), which takes effect on 25 May, will supersede our current Data Protection Act 1998 and will directly affect UK businesses and organisations across both the public and private sectors.

The regulations have been the largest development in data protection law in 20 years and will still need to be adhered to regardless of Brexit negotiations.

The government is also implementing GDPR provisions (and national exemptions) into UK law via a new Data Protection Bill, which is still in draft form and working its way through Parliament.

The legislation is designed to reflect that we now live in an increasingly digital world and places greater emphasis on the rights of individuals and the concept of ‘privacy by design’.

This is the idea that data privacy is a fundamental human right that we must all respect, and data privacy must be built into policies, procedures and technology from the outset.

Any business that holds or deals with property may well collect and handle personal data and will need to be aware of how to comply with the regulations and take steps to do so in the most effective ways possible.

Personal data is classified as any data that relates to an identifiable living person. This includes names, addresses, job titles, national insurance numbers, financial details, social media profiles and can even include internet browsing activities and IP addresses.

The data protection principles under GDPR are that:

■ data must be processed lawfully, fairly and in a transparent manner

■ data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

■ any data processed must be adequate, relevant and limited to what is necessary

■ data must be accurate and, where necessary, kept up to date

■ data must not be kept longer than is necessary

■ appropriate technical and organisational measures must be put in place to prevent unauthorised/unlawful processing and loss, damage or destruction of the data.

Under the GDPR, individuals have greater rights in respect of what organisations can and cannot do with personal data and there is an increased emphasis on accountability, including through mandatory reporting.

Data protection is regulated by the Information Commissioner's Office and fines for data protection breaches are considerably increased under the GDPR.

Non-compliance can carry a fine of up to 20 million euro or 4 per cent of the total global annual turnover of an organisation, whichever is greater.

This means that data protection breaches must be taken more seriously than ever.

If the financial cost doesn’t cripple an organisation, the reputational damage might!

■ Sarah Coates is a partner, and Nabil Asaad is an associate at Penningtons Manches. Contact them at sarah.coates@penningtons.co.uk and nabil.asaad@penningtons.co.uk
