The General Data Protection Regulation (GDPR) replaces the current statutory framework on managing data protection with effect from 25 May 2018. Its scope is wide and will require organisations to review their practices in relation to handling data in many areas. All organisations with professional or commercial activity (whether or not payment is received for that activity) will have to comply with GDPR regardless of their size, provided that they process personal data.
Severe fines will be applied to certain types of data breach, and such breaches will have to be reported to the supervisory authority within strict deadlines.
A new Data Protection Act repeals the previous Act but does not remove the existing data protection principles. The new rules mean that organisations need to consider data protection in every aspect of new projects, e.g. “by design and default”, and some will need to appoint a specific Data Protection Officer to ensure compliance. Greater significance will be placed on accountability, meaning that processes and procedures will need to be put in place to show that data protection is at the forefront of an organisation’s activities.