Data protection legislation changes are coming – 12 steps to take now.

Date: 2016-03-23

Talk of changes to the current Data Protection Directive as we know it seems to have been going on for a long time, but after four years in the making, the new reform is now well under way, as is the ICO’s preparation for implementing the new General Data Protection Regulation (GDPR).

The Data Protection Directive is a European Union Directive, which was created to regulate the processing of personal data within the European Union. Officially known as Directive 95/46/EC, the legislation is part of EU privacy and human rights law.

The Data Protection Act 1998 (DPA) is an Act of Parliament of the United Kingdom of Great Britain and Northern Ireland which defines UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK.

The aim of the new General Data Protection Regulation is to harmonise the current data protection laws in place across the EU member states. The fact that it is a “regulation” instead of a “directive” means it will be directly applicable to all EU member states without a need for legislation to be passed by governments.

A proposal for the GDPR to supersede the current Data Protection Directive was released on 25 January 2012 and, after four years, a final political agreement for the new regulation is expected to be finalised around July 2016. A two-year transition period will follow, with full implementation to take place in 2018, when the new regulation will become law.

While 2018 may still feel like a long way off, the Information Commissioner, Christopher Graham, has called for organisations to begin their preparations for the forthcoming EU data protection reforms.

This month, the ICO has released 12 steps that companies should take now in order to prepare for the legislation reforms. The steps are meant as a helpful starting point, breaking down the legislation into practical areas for action.

Speaking at the ICO’s annual Data Protection Practitioners’ Conference, Christopher Graham said:

“People have never been so aware of what their personal data is, and never cared so much about how it is used. The law is changing to reflect that.

“The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades. Organisations simply cannot afford to fall behind.”

The good news for companies that are compliant with the current Data Protection Act is that many of the principles in the new legislation will be much the same. While those who are compliant with the current UK law will have a strong starting point to build from, they will need to be aware of important new elements. Some things will need to be done differently as the new law will place more obligations on organisations to be accountable for their use of personal data.

More information on data protection compliance and the forthcoming legislation changes can be found on the ICO website, or for free confidential advice, contact Russell Richardson on 0800 294 6552.