The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and places greater obligations on organisations in how they handle personal data.
The Information Commissioner recently stated that GDPR is not intended to be another box-ticking exercise but as ‘an opportunity [for organisations] to commit to data protection and embed it in their policies, processes and people’.
GDPR takes a risk-based approach to data protection which enables practices to decide what steps are appropriate and proportionate for them to comply with GDPR.
Practices that already comply with the Data Protection Act 1998 (DPA 1998) and that have effective data governance in place have a good starting point when preparing for GDPR. However, new elements have been introduced by GDPR and there are some significant changes that practices should be aware of.
The Information Commissioner’s Office (ICO) has also produced a Guide to the GDPR which will be regularly updated along with a package of tools to help organisations prepare for GDPR:
Does my practice need to appoint a data protection officer (DPO)?
GDPR sets out criteria when a DPO must be appointed. Most CLC regulated practices are unlikely to come within these criteria although practices may still wish to appoint a DPO.
The ICO has produced guidance on DPOs and when they need to be appointed.
How does GDPR impact file storage?
Under the GDPR, personal data must not be kept for longer than is necessary for the purposes for which it was processed. However, personal data stored for legitimate reasons under existing legislation, for example the Limitation Act 1980 or the Money Laundering Regulations 2017, can be stored and processed under the lawful ground of compliance with a legal obligation.
As stated in the CLC Transaction Files Code, practices should retain the contents of files relating to all matters for a minimum of six years, except those relating to:
Practices should review their file storage policies and the legal and regulatory reasons for retaining personal data for specified periods of time.
What should I do if I discover a personal data breach?
Any personal data breach which could impact an individual or cause harm must be reported to the ICO without undue delay, and no later than 72 hours after detection. If the breach is likely to result in a high risk of adversely affecting individuals’ rights, practices must also inform those individuals without undue delay.
The ICO has produced guidance on personal data breaches.
Do I need to pay a fee?
The Government has announced a new charging structure for data controllers. It is yet to be approved by Parliament but the ICO has produced a Guide to the Data Protection Fee to help explain why there’s a new funding model and what payments are required.
Will Brexit impact the implementation of GDPR?
No. GDPR comes into effect before the UK leaves the EU and the UK government has committed to fully implement it.
What is the Data Protection Act 2018 and how does it relate to GDPR?
The Data Protection Act 2018 (Act) came into effect on 25 May 2018 and replaces the DPA 1998. The Act updates data protection laws in the UK, supplementing GDPR, implementing the EU Law Enforcement Directive and extending data protection laws to areas not covered by GDPR.
More information can be found on the ICO website: Data Protection Act 2018.
Updated May 2018