From 25 May 2018, the General Data Protection Regulation (GDPR) will replace the UK’s current statutory framework on managing data protection. Its scope is wide and will require organisations to review their practices in relation to handling data in many areas. The information in this section only applies once GDPR is implemented (current rules on data protection are explained in the Data Protection section), although organisations are encouraged to take preparatory steps to ensure compliance when the time comes.
All organisations with professional or commercial activity (whether or not payment is received for that activity) will have to comply with GDPR regardless of their size, provided that they process personal data.
Severe fines will be applied to certain types of data breaches which will have to be reported to the supervisory authority within strict deadlines.
A new Data Protection Act will be introduced by the UK Government to replace the Data Protection Act 1998. This Act is not currently finalised. The new Act will not remove the existing data protection principles; however, the new rules will mean that organisations will need to consider data protection in every aspect of new projects (e.g. “by design and default”), and some will need to appoint a specific Data Protection Officer to ensure compliance. Greater significance will be placed on accountability, meaning that processes and procedures will need to be put in place to show that data protection is at the forefront of an organisation’s processes.
The UK’s exit from the European Union will have no effect on the application of the GDPR; it will still apply.