What is Data Protection Compliance?

Data Compliance

Data Protection Compliance is the need to comply with legal requirements regarding data processes. Prior to the GDPR, the EU followed the requirements of the Data Protection Directive 95/46/EC that protects individuals regarding the processing of personal data and its free movement. The Data Protection Act 1998 was enacted to bring the Directive requirements into British law. The Act concerns personal data, which is any data that can be used to identify a living individual. The legal requirements include the need for personal data to be processed fairly and lawfully, to be accurate and up-to-date, to have measures in place against accidental loss or destruction and for personal data only to be transferred to countries with adequate levels of data protection in place.

The history of Data Compliance

The Data Protection Directive was adopted in 1995 and applies to all EU Member States. Countries had the scope to introduce the requirements into their own laws, which led to some differences between countries. In the UK, the Data Protection Act 1998 replaced earlier legislation such as the Data Protection Act 1984.

In 2012, the European Commission published a draft proposal for a General Data Protection Regulation. Following amendments and discussions between the European Commission, the European Parliament and the Council of the EU, a final version of the General Data Protection Regulation was produced and published in 2016. There was a two-year transition period before it was enforceable. From May 2018, it applies directly to all EU Member States and has an extraterritorial effect.

Who is affected?

The GDPR applies to all companies that offer goods or services to, or monitor the behaviour of EU citizens. It applies to all organisations established in the EU, and also to companies based outside of the EU if they have EU citizens as customers. Although the UK is planning to leave the EU, UK companies will still need to comply with the GDPR because of the cross-over period after the GDPR is in force and before the UK exits the EU. Another reason for UK companies to comply is that many will continue to have EU citizens as customers following Brexit.

What do I need to do?

The GDPR introduces many new obligations on companies and rights for individuals. Fines can be up to €20 million or 4% of global annual turnover (whichever is higher) for non-compliance. It is essential for companies to review their data processes and ensure they are compliant with GDPR. All companies should ensure they can meet the rights for individuals, such as the right to be forgotten and requests for their data, and some companies need a Data Protection Officer. The actions required will be specific to each company and their data processes.