Data protection compliance means meeting the legal requirements that govern how personal data is processed. At present the EU framework is the Data Protection Directive 95/46/EC, which protects individuals with regard to the processing of personal data and the free movement of such data. The Data Protection Act 1998 was enacted to bring the Directive's requirements into British law. The Act concerns personal data, meaning any data from which a living individual can be identified. Its requirements include that personal data be processed fairly and lawfully, be accurate and kept up to date, be protected by appropriate measures against unauthorised processing and against accidental loss or destruction, and be transferred only to countries that provide an adequate level of data protection.
The Data Protection Directive was adopted in 1995 and applies to all EU Member States. As a directive rather than a regulation, it had to be transposed into each country's national law, and Member States had some latitude in how they did so, which led to differences between countries. In the UK, the Data Protection Act 1998 replaced earlier legislation, notably the Data Protection Act 1984.
In 2012, the European Commission published a draft proposal for a General Data Protection Regulation. Following amendments and negotiations between the European Commission, the European Parliament and the Council of the EU, the final text of the General Data Protection Regulation was adopted and published in 2016. There is a two-year transition period before it becomes enforceable. As a regulation it applies directly in all EU Member States without needing national implementing legislation, and it has extraterritorial effect.
The GDPR will apply to all organisations established in the EU that process personal data, and also to organisations based outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Note that the test is where the individuals are located, not their citizenship. Although the UK is planning to leave the EU, UK companies will still need to comply with the GDPR because of the period after the GDPR comes into force and before the UK exits the EU. A further reason for UK companies to comply is that many will continue to serve customers located in the EU after Brexit.
The GDPR introduces many new obligations for organisations and new rights for individuals. Fines for non-compliance can reach €20 million or 4% of global annual turnover, whichever is higher. Organisations should review their current data processing, identify compliance gaps and plan to implement solutions before the GDPR becomes enforceable. All organisations should ensure they can meet individuals' rights, such as the right to erasure (the "right to be forgotten") and subject access requests for a copy of their data, and some organisations will also need to designate a Data Protection Officer. The actions required will be specific to each organisation and its data processing.
We know that the General Data Protection Regulation has an extraterritorial effect, meaning that it will apply to companies based outside of the EU if they hold the data of