| Of relevance to: | Any firm processing or controlling personal data, including that of employees |
| Key date: | Applicable from 25 May 2018 |
The deadline for compliance with the General Data Protection Regulation (“GDPR”) is drawing nearer.
Firms will need to ensure they have governance controls in place to hold, store and manage data according to the new EU Regulation; Brexit will not affect the commencement of GDPR requirements.
There are many similarities between GDPR and the existing UK Data Protection Act 1998 (“DPA”), complemented by new and different requirements.
The GDPR applies to ‘controllers’ and ‘processors’, broadly defined the same as under the DPA.
GDPR places specific legal obligations on processors, including maintaining records of personal data and processing activities. Processors will have significantly more legal liability if responsible for a breach, a new requirement under the GDPR.
Greater obligations are placed on controllers to ensure contracts with processors comply with GDPR requirements.
GDPR applies to processing carried out by organisations operating within the EU and also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The Article 29 Working Party of European Data Protection Authorities are due to publish guidelines on consent in 2017, and the latest timetable for this to be agreed and adopted is December 2017.