As you may or may not be aware, the Data Protection Act is coming to an end. The Data Protection Act was implemented two decades ago, and the world of business IT has changed significantly in that time. The EU-GDPR (General Data Protection Regulation) is its replacement, and in May 2018 this legislation will take effect in the UK (it will take effect irrespective of the Brexit outcome).
This legislation is fairly significant. The Data Protection Act left a great deal up to individual businesses as to how they went about protecting personal data. For most organisations, data protection took a back seat to day-to-day business. The EU-GDPR is significantly more prescriptive, and the fines for non-compliance are potentially very high (up to 4% of turnover or €20 million).
Whilst the EU-GDPR has now been finalised, there is still some uncertainty about how the legislation will be written into UK law. The feeling is therefore that this will very much be an evolving subject, with changes coming in as and when these laws are tested in court. The key phrase here is ‘tested in court’. This legislation gives a great deal of power to ‘data subjects’, the people about whom you hold personal data. We do not want our clients to become test cases in what will be one of the most wide-reaching changes in IT legislation for decades.
There are several aspects to this. Some are technical, such as IT security provision. Some are policy and procedure, such as incident management. However, the majority of your obligations will come down to the data itself: how data is identified, how it is stored, how it is processed and how it is protected. The key provision in the legislation is ‘data protection by design and by default’. For this to happen you will need to understand your data in a way that you have probably never had to think about before.
Over the coming weeks we will be putting together information for our clients on what you will need to do, who you will need to speak to, and what you will need to look at to ensure you are compliant. In the short term, we feel it would be good if clients start thinking about where their data is stored, what applications are used to store personal data, and how they are accessed. If these are big-name software houses like Sage and Microsoft, then the changes should be possible with limited fuss and expense. If these are custom applications, or older legacy applications, then now may be the time to start a dialogue with your software provider about what they have planned for EU-GDPR compliance. This absolutely should not be left until the last minute!