I’m sure that many of you will have heard of the Data Protection Act (DPA), which is used to help protect an individual’s personal data. You’ll also probably have heard mutterings about GDPR and Brexit, and how one is affected by the other, but you may not be too clear what this means in terms of the DPA. I’m going to try to explain it for you here. I apologise in advance because there will be more acronyms than I normally use, but hopefully you’ll see why!

First, let’s start with DPA. This law sets out 8 Principles which dictate how personal data must be treated, and what people can do with that data if they’ve been given permission to use it. A company must tell you how it’s going to handle your data and what it will use it for, and if it wants to change that use it must request your permission: this is all usually held in their Terms and Conditions, which is why you should always read them. The principles are summarised below.


The regulator, i.e. the organisation you go to if there’s been a breach, is the Information Commissioner’s Office, or ICO.

The General Data Protection Regulation (GDPR) is an EU regulation which sets out the minimum requirements for Data Protection in the EU, and is a bit more stringent than the DPA. The UK has been heavily involved in its development, and it will come into force on 28th May 2018. As an EU Regulation it immediately becomes law in every member country the day it comes out, and every member state will have to comply from that date.

How does this affect Brexit? Well, that will take up to 2 years to implement following invocation of Article 50. That means Brexit is highly unlikely to have occurred by 28th May 2018, which means that GDPR will become a legal requirement in the UK on that date, so companies will have to comply with it. Whatever happens once the UK leaves the EU, it stands to reason that UK companies wishing to do business with the EU will have to continue to comply, and I’d suggest therefore that the UK will not implement anything weaker than GDPR as a replacement for the DPA.

For further advice and guidance, go to the ICO website and check out these 12 Steps to GDPR which you should be following right now.
